07-15-2018, 05:56 PM
|
#1
|
LQ Newbie
Registered: Jul 2018
Posts: 6
Rep: 
|
Secure Live USB (Mint) for online banking
Hey, just installed. I'm trying to keep the system as secure as possible (to use for online banking transactions) so I decided to only run it in live (read only) mode. Is it possible to install security updates and set restore points while only running in live mode? I get this error:
The repository 'cdrom://Linux Mint 19 _Tara_ - Release amd64 20180626 bionic Release' does not have a Release file.
When I search for updates using update manager. Thanks for the help!
|
|
|
07-16-2018, 11:12 AM
|
#2
|
Senior Member
Registered: Mar 2009
Location: Earth, unfortunately...
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
|
Quote:
Originally Posted by id3k
Hey, just installed. I'm trying to keep the system as secure as possible (to use for online banking transactions) so I decided to only run it in live (read only) mode. Is it possible to install security updates and set restore points while only running in live mode? I get this error:
The repository 'cdrom://Linux Mint 19 _Tara_ - Release amd64 20180626 bionic Release' does not have a Release file.
When I search for updates using update manager. Thanks for the help!
|
With "persistence", yes it is possible to keep changes to the file system. Otherwise everything is loaded into RAM (memory) and then is lost when you shutdown or restart the machine.
The error you refer to seems to suggest that it's looking for the "release file" on a CD/DVD and not on the USB.
https://en.wikipedia.org/wiki/Live_USB
https://en.wikipedia.org/wiki/Persis...puter_science)
Last edited by jsbjsb001; 07-16-2018 at 11:17 AM.
|
|
|
07-16-2018, 01:13 PM
|
#3
|
Moderator
Registered: Mar 2008
Posts: 22,361
|
I'd use a different distro myself.
I'd install it as a regular install and not a live usb with persistence.
You can't properly install many of the security updates to a squash file and that is where the kernel resides.
I'd also be sure to encrypt at least home.
I don't get the restore points exactly. Running BtRFS one could set points in file time.
|
|
|
07-16-2018, 05:54 PM
|
#4
|
LQ Newbie
Registered: Jul 2018
Posts: 6
Original Poster
Rep: 
|
Quote:
Originally Posted by jefro
I'd use a different distro myself.
|
What distro would you use? Why?
Quote:
Originally Posted by jefro
I'd install it as a regular install and not a live usb with persistence.
You can't properly install many of the security updates to a squash file and that is where the kernel resides.
|
Are you saying that I won't be able to complete certain updates because they rely on kernel access which isn't(?) allowed in persistence mode?
Not sure if you can explain or point me to a source, but how/why does this work?
Quote:
Originally Posted by jefro
I'd also be sure to encrypt at least home.
|
Pretty sure home is the only thing I can encrypt if I'm dual-booting with another OS, right?
Quote:
Originally Posted by jefro
I don't get the restore points exactly. Running BtRFS one could set points in file time.
|
Definitely gonna keep googling this, because although I know what it is, still not quite sure how to use it...
EDIT: Formatting
Thanks for the help guys 
Last edited by id3k; 07-16-2018 at 05:56 PM.
Reason: Formatting
|
|
|
07-16-2018, 06:07 PM
|
#5
|
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
|
The /etc/apt/sources.list file only contains the install CD, or iso, as an apt source. If you try to use apt, and it can't find the CD, nothing will work. If you want the ultimate security in online banking, you would not want persistence or an actual install. You would want the system to forget everything each reboot.
One other way to do this is with a VM. You make a snapshot first thing, and every time you start the VM you revert to the snapshot. That way any keyloggers, remote-control trojans, rootkits, and whatever else might get on the system magically vanish each time the VM is booted.
|
|
|
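The update failure discussed above comes down to which APT sources are enabled. As an added example (not part of any post in this thread), the script below classifies the enabled one-line `deb` entries in the files it is given; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the enabled APT sources can deliver updates.
# Handles the one-line "deb ..." format only, not deb822 *.sources files.

# list_source_uris FILE... -> URI of every enabled deb/deb-src line
list_source_uris() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Strip comments, then every [...] group: both the optional
        # [options] field and the disc label inside cdrom:[...]/ URIs.
        sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$f" |
            awk '$1 == "deb" || $1 == "deb-src" { print $2 }'
    done
}

# apt_source_verdict FILE... -> prints network | media-only | none
apt_source_verdict() {
    uris=$(list_source_uris "$@")
    if [ -z "$uris" ]; then echo none; return 0; fi
    if printf '%s\n' "$uris" | grep -Eq '^(https?|ftp):'; then
        echo network
    else
        echo media-only
    fi
}

# Constructed sample modelled on the disc named in the error message above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# deb http://archive.example.invalid/ubuntu bionic-security main
deb cdrom:[Linux Mint 19 _Tara_ - Release amd64 20180626]/ bionic main
EOF
echo "live session sources: $(apt_source_verdict "$sample")"
rm -f "$sample"
```

On a real system, pass `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/`; a `media-only` verdict means no security updates can be fetched until a network repository is enabled.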
07-16-2018, 06:41 PM
|
#6
|
LQ Newbie
Registered: Jul 2018
Posts: 6
Original Poster
Rep: 
|
Quote:
Originally Posted by AwesomeMachine
The /etc/apt/sources.list file only contains the install CD, or iso, as an apt source. If you try to use apt, and it can't find the CD, nothing will work. If you want the ultimate security in online banking, you would not want persistence or an actual install. You would want the system to forget everything each reboot.
One other way to do this is with a VM. You make a snapshot first thing, and every time you start the VM you revert to the snapshot. That way any keyloggers, remote-control trojans, rootkits, and whatever else might get on the system magically vanish each time the VM is booted.
|
Wouldn't doing this prevent me from being able to install any security updates?
|
|
|
07-16-2018, 07:55 PM
|
#7
|
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
|
Yes, but the chances that a security update will help you more than reverting back to a virgin system are small. Security updates are to counter exploits allowing ne'er-do-wells to plant the very files I suggested you would have no fear of if you revert back to the snapshot each boot.
For instance, if you missed a security update that prevents installation of a keylogger, and it was mischievously installed, it might log some keystrokes, but then it would be gone on the next boot. So, there would be nothing to retrieve. You could still do security updates once a month or so, but not do anything else during the session, make a new snapshot, and revert to 'that' snapshot from then on.
|
|
|
07-16-2018, 09:47 PM
|
#8
|
LQ Newbie
Registered: Jul 2018
Posts: 6
Original Poster
Rep: 
|
Quote:
Originally Posted by AwesomeMachine
Yes, but the chances that a security update will help you more than reverting back to a virgin system are small. Security updates are to counter exploits allowing ne'er-do-wells to plant the very files I suggested you would have no fear of if you revert back to the snapshot each boot.
For instance, if you missed a security update that prevents installation of a keylogger, and it was mischievously installed, it might log some keystrokes, but then it would be gone on the next boot. So, there would be nothing to retrieve. You could still do security updates once a month or so, but not do anything else during the session, make a new snapshot, and revert to 'that' snapshot from then on.
|
Would running Mint off the USB in live mode (never installing) do the same thing without a VM? And then use the VM to update, then repeat?
|
|
|
07-17-2018, 05:07 AM
|
#9
|
LQ Guru
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 11,432
|
I would think it would be better to do an actual install to the usb with a complex user password and as suggested above, an encrypted /home partition.
Generally as you know, a Live system even with persistence has no password so anyone with passing familiarity with Linux (knowledge of root/sudo) can do anything s/he wants if they have access to the persistent usb including removing software and deleting data.
Apparently, it is possible to create another user with password on a Live/persistent usb. The link below, particularly the post by 'sudodus' explains doing it with the mkusb software. It's available in the Ubuntu repositories, not sure if it will work with Mint but it might.
https://askubuntu.com/questions/8698...is-it-possible
If you plan to use the same Live/persistent usb for any length of time, you will definitely need to create a persistent partition with a Linux filesystem. If you use some of the basic tools for creating a Live usb, they use FAT32 filesystems so you're limited to 4GB.
|
|
|
07-17-2018, 03:11 PM
|
#11
|
Moderator
Registered: Mar 2008
Posts: 22,361
|
I'd use a more secure distro and one that has only the minimal programs needed to do your task. At least consider CentOS.
Updates can't re-write the squashfs live. You'd have to unsquash and then re-squash from some build update.
I don't mind the idea of a full unwriteable distro but it leaves you unprotected at first security update. You could build one secure distro and update it and apply it to a live image.
You can encrypt most of a usb drive.
Might be quicker and easier to run a VM too.
The question becomes do you want to keep it up to date?
Last edited by jefro; 07-17-2018 at 03:12 PM.
|
|
|
07-18-2018, 08:17 PM
|
#12
|
LQ Newbie
Registered: Jul 2018
Posts: 6
Original Poster
Rep: 
|
Quote:
Originally Posted by jefro
I'd use a more secure distro and one that has only the minimal programs needed to do your task. At least consider CentOS.
Updates can't re-write the squashfs live. You'd have to unsquash and then re-squash from some build update.
I don't mind the idea of a full unwriteable distro but it leaves you unprotected at first security update. You could build one secure distro and update it and apply it to a live image.
You can encrypt most of a usb drive.
Might be quicker and easier to run a VM too.
The question becomes do you want to keep it up to date?
|
Although I know what squashfs is, I'm not sure how to unsquash and re-squash, could you point me to a guide?
Yes, I want to keep it constantly up-to-date with security patches. Didn't want to run off a VM because if someone has breached my PC, they have access to the VM, correct? What should I do?
Looked into CentOS, I'm not opposed to another OS, especially if it is secure. However, I read that more popular OSes have the fastest security updates. Other OSes seem more anonymity based than security-based (Tails, Whonix).
|
|
|
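The unsquash and re-squash cycle raised in this exchange, as an added example that is not part of any post in the thread. It assumes squashfs-tools is installed, that the image file has already been copied off the stick to a trusted Linux host, and that bind-mounting `/run` gives the chroot working DNS; the function names and paths are placeholders.

```shell
#!/bin/sh
# Added example: update the packages inside a live image's squashfs.
# Run as root on a trusted Linux host; all paths are placeholders.
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print each command, 0 = execute it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Undo the bind mounts in reverse order; ignore ones that were never made.
unbind() {
    for m in run sys proc dev; do run umount "$1/$m" 2>/dev/null; done
    return 0
}

# remaster_squashfs OLD_IMAGE WORK_DIR NEW_IMAGE   (WORK_DIR must not exist yet)
remaster_squashfs() {
    old="$1"; work="$2"; new="$3"
    if [ -z "$old" ] || [ -z "$work" ] || [ -z "$new" ]; then
        echo "usage: remaster_squashfs OLD_IMAGE WORK_DIR NEW_IMAGE" >&2; return 2
    fi
    # Never write over the only known-good image.
    [ "$old" != "$new" ] || { echo "refusing to overwrite $old" >&2; return 2; }

    # 1. Unsquash: extract the read-only image into a writable directory.
    run unsquashfs -d "$work" "$old" || return 1

    # 2. Bind-mount what apt needs in the chroot (/run carries resolver config).
    for fs in dev proc sys run; do
        run mount --bind "/$fs" "$work/$fs" || { unbind "$work"; return 1; }
    done

    # 3. Install the updates inside the extracted tree.
    status=0
    run chroot "$work" apt-get update || status=1
    [ "$status" -ne 0 ] || run chroot "$work" apt-get -y dist-upgrade || status=1
    run chroot "$work" apt-get clean || true

    # 4. Always remove the bind mounts, even when the upgrade failed.
    unbind "$work"
    [ "$status" -eq 0 ] || return 1

    # 5. Re-squash into a NEW file; -noappend builds a fresh image.
    run mksquashfs "$work" "$new" -noappend -comp xz
}
```

With the default `DRY_RUN=1` the function only prints the command sequence, so it can be reviewed before anything is changed. On Ubuntu-based live media the boot loader loads its kernel and initrd from files next to the squashfs, so a kernel upgrade also means copying those out of the work directory.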
07-19-2018, 12:55 AM
|
#13
|
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
|
You can't get much more popular than CentOS! It's the noncommercial clone of Red Hat! And, like RH, it uses SELinux, which is good.
|
|
|
All times are GMT -5. The time now is 03:45 AM.