VM Live Mode: Alternative ro-mode-init Configuration
ro-mode-init automatically enables live mode if it detects that the disk is set to read-only.
This is an alternative to the default grub-live based method documented on VM Live Mode.
Introduction
ro-mode-init is currently less tested than grub-live (Live Mode).
ro-mode-init has not been ported to dracut yet. Theoretically this is probably possible, but it has not happened yet.
Preliminary Steps
1. Backup.
- Option 1: Create a snapshot of your VM; or
- Option 2: Alternatively, back up the /boot folder.
sudo cp -a /boot /boot.back
2. Install ro-mode-init.
Install package(s) ro-mode-init following these instructions:
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2 Update the package lists and upgrade the system.
sudo apt update && sudo apt full-upgrade
3 Install the ro-mode-init package(s).
Using the apt command line option --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends ro-mode-init
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.
5 Done.
The procedure of installing package(s) ro-mode-init is complete.
3. Update initial ramdisk. [1]
sudo update-initramfs -u
4. Set the VM disk to read-only.
The read-only VM setting is necessary (see below); otherwise the VM disk will always boot into persistent mode.
Read-only VM Setting
VirtualBox
Read-only disk on VirtualBox
To boot into live mode, apply the following steps.
Set the VirtualBox virtual hard drive to read-only.
1. Power off the machine.
2. Open the settings window of the machine and set the type of the storage device controller from AHCI to LsiLogic SAS.
VirtualBox → Settings → Storage → Type: LsiLogic SAS → OK
3. Learn the syntax.
Do not run the following command. Only look at it.
TODO research: lsilogicsas might no longer work because IntelAhci is used nowadays. So the commands below need adjustment. How? This is difficult because it is undocumented by VirtualBox.
VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1
Replace vmname with the actual VM name.
4. On the command line run.
Kicksecure Xfce example:
VBoxManage setextradata Kicksecure-Xfce "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1
Kicksecure CLI example:
VBoxManage setextradata Kicksecure-CLI "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1
Read-write disk on VirtualBox
To boot into read-write mode again, simply revert this change.
- Power off the machine.
- From the command line run.
Use the syntax below.
VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"
Replace vmname with the actual VM name.
KVM
Read-only disk on KVM
To boot into live mode, apply the following steps:
- Power off the machine.
- Set the hard disk to read-only in the virt-manager GUI.
- Power on the machine and select to boot into live mode.
Read-write disk on KVM
To boot into normal mode again, simply revert this change:
- Power off the machine.
- Set the hard disk to read-write in the virt-manager GUI.
- Power on the machine and boot into read-write mode.
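For either hypervisor above, the setting can be confirmed from inside the guest by reading the kernel's per-disk read-only flag in /sys/block/<device>/ro. The script below is an added example, not part of the original page or of ro-mode-init, and it does not claim to reproduce ro-mode-init's own detection; the function names and the optional sysfs-root argument are hypothetical.

```sh
#!/bin/sh
# Added example (not from ro-mode-init): report the kernel's read-only flag
# for each disk visible in the guest. Function names are hypothetical.

# Print "<dev> ro" or "<dev> rw" for every disk under <sysfs root>/block.
# $1 is an optional sysfs root (default /sys); the override exists for testing.
list_disk_modes() {
    root="${1:-/sys}"
    for dir in "$root"/block/*; do
        [ -r "$dir/ro" ] || continue
        dev="${dir##*/}"
        # Skip devices that are not the VM hard disk (loop, RAM, mapper, CD, floppy).
        case "$dev" in
            loop*|ram*|zram*|dm-*|sr*|fd*) continue ;;
        esac
        if [ "$(cat "$dir/ro")" = "1" ]; then
            echo "$dev ro"
        else
            echo "$dev rw"
        fi
    done
}

# Exit status: 0 = every disk is read-only, 1 = at least one disk is writable,
# 2 = no disk found (nothing to decide on).
all_disks_read_only() {
    modes="$(list_disk_modes "$1")"
    [ -n "$modes" ] || return 2
    case "$modes" in
        *" rw"*) return 1 ;;
    esac
    return 0
}

# When run directly, print the per-disk report for the running system.
list_disk_modes /sys
```

A disk reported as rw after the hypervisor change means the read-only setting did not reach the guest, in which case the VM will boot into persistent mode.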
Live Mode Indicator Systray
https://github.com/Kicksecure/desktop-config-dist/blob/master/usr/share/livecheck/livecheck.sh
Debugging
An inconsistent filesystem will likely result in errors during booting in live mode. For instance, inconsistencies can arise when the VM is killed instead of performing a normal shutdown in persistent mode. Therefore, to ensure it is consistent, run fsck in persistent mode. Debian automatically does this during boot. VMs running in live mode can be killed without problems.
In the case of non-fsck related errors using ro-mode-init (like dropping to an initramfs shell), add the following to the kernel command line/GRUB menu for easier debugging:
debug=1 break=init-premount
Footnotes