I will create a bootable Ubuntu USB flash disk and I want to know if it's possible to encrypt this usb flash disk with LUKS, so when I boot it to run linux, before entering my user password it asks for the password to decrypt the whole flash disk
- boot usb
- decrypt password
- user password
- logged in.
Please note it has to be live loaded to the ram each time I start the OS, I don't want to install on an external usb drive. Thanks in advance!
p.s If it's impossible can I leave ./boot unencrypted and encrypt the filesystem with all the system directories
This is impossible since if the boot volume is encrypted the BIOS / UEFI will be unable to execute the boot sector / boot application.
What you can do though is use the Ubuntu Live Installer to install Ubuntu onto another USB stick as the system disk, with LUKS encryption. The drawback will be that you lose the ability to hibernate because Ubiquity currently creates much too small swap partitions, and also randomizes the encryption key at every start, which obliterates the state of the swap partition.
In the second scenario you will have the boot partition unencrypted, so it can still be tampered with, ie a keylogger could be written into it. You can get around that by signing the boot volume and using Secure Boot, but then you have to talk Microsoft into signing your boot volume or giving you a signing key. Good luck with that.
If you really are worried about keyloggers, then carry your own PC, do not use wireless keyboard/mouse, enable secure boot, boot a LiveCD image which doesn't preserve any state whatsoever, use a VPN to connect a VNC/RDP client over SSL to the machine you actually keep your state with, use a strong, memorable password that you never record anywhere (see https://xkcd.com/936/ for an understanding of what this means.)
That will protect you from physical access, it will protect you from remote access, and it will save you from brute-force. It will be inconvenient since you won't always have network access, you will always have to carry the hardware with you, and you will not be able to get good value from the hardware you are carrying since you're only using it as a thin client, disregarding its additional memory / processing / storage capabilities.
Even all of this won't protect you from a CCTV camera locked on your keyboard while you type, so you will also need to be aware of your surroundings.
It may also run you up a significant mobile data bill.
So unless you really are a very exceptionally fat, juicy target that's likely to be targeted by people who are prepared to invest the resources to hack you, I think you're better off just avoiding using public internet terminals, carrying your own inexpensive device, securing it with LUKS, using a VPN or at least TORBrowser to guarantee your browsing isn't being spied on. Then your biggest worry should be whether you leave your device somewhere and it gets stolen, but no worry over whether they have access to your data.