summaryrefslogtreecommitdiff
path: root/docs/howtos/encrypted_trisquel.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/howtos/encrypted_trisquel.html')
-rw-r--r--docs/howtos/encrypted_trisquel.html321
1 files changed, 321 insertions, 0 deletions
diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html
new file mode 100644
index 0000000..2529da4
--- /dev/null
+++ b/docs/howtos/encrypted_trisquel.html
@@ -0,0 +1,321 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ body {
+ background:#fff;
+ color:#000;
+ font-family:sans-serif;
+ font-size:1em;
+ }
+ div.important {
+ background-color:#ccc;
+ }
+ </style>
+
+ <title>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</title>
+</head>
+
+<body>
+ <header>
+ <h1>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</h1>
+ <aside>Or <a href="../index.html">back to main index</a></aside>
+ </header>
+
+ <p>
+ Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition
+ when setting up an encrypted system. This means that your machine can really secure data while powered off.
+ </p>
+
+ <p>
+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>.
+ </p>
+
+ <p>
+ Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols) and when the installer asks you to setup
+ encryption (ecryptfs) for your home directory, select 'Yes'.
+ </p>
+
+ <p>
+ <b>
+ Your user password should be different than the LUKS password which you will set later on.
+ Your LUKS password should, like the user password, be secure.
+ </b>
+ </p>
+
+ <h1>Partitioning</h1>
+
+ <p>Choose 'Manual' partitioning:</p>
+ <ul>
+ <li>Select drive and create new partition table</li>
+ <li>
+ Single large partition. The following are mostly defaults:
+ <ul>
+ <li>Use as: physical volume for encryption</li>
+ <li>Encryption: aes</li>
+ <li>key size: 256</li>
+ <li>IV algorithm: xts-plain64</li>
+ <li>Encryption key: passphrase</li>
+ <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li>
+ </ul>
+ </li>
+ <li>
+ Select 'configure encrypted volumes'
+ <ul>
+ <li>Create encrypted volumes</li>
+ <li>Select your partition</li>
+ <li>Finish</li>
+ <li>Really erase: Yes</li>
+ <li>(erase will take a long time. be patient)</li>
+ </ul>
+ </li>
+ <li>
+ Select encrypted space:
+ <ul>
+ <li>use as: physical volume for LVM</li>
+ <li>Choose 'done setting up the partition'</li>
+ </ul>
+ </li>
+ <li>
+ Configure the logical volume manager:
+ <ul>
+ <li>Keep settings: Yes</li>
+ </ul>
+ </li>
+ <li>
+ Create volume group:
+ <ul>
+ <li>Name: <b>buzz</b> (you can use whatever you want here, this is just an example)</li>
+ <li>Select crypto partition</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>buzz</b> (or whatever you named it before)</li>
+ <li>name: <b>distro</b> (you can use whatever you want here, this is just an example)</li>
+ <li>size: default, minus 2048 MB</li>
+ </ul>
+ </li>
+ <li>
+ Create logical volume
+ <ul>
+ <li>select <b>buzz</b> (or whatever you named it before)</li>
+ <li>name: <b>swap</b> (you can use whatever you want here, this is just an example)</li>
+ <li>size: press enter</li>
+ </ul>
+ </li>
+ </ul>
+
+ <h1>Further partitioning</h1>
+
+ <p>
+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
+ </p>
+ <ul>
+ <li>
+ LVM LV distro
+ <ul>
+ <li>use as: ext4</li>
+ <li>mount point: /</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>
+ LVM LV swap
+ <ul>
+ <li>use as: swap area</li>
+ <li>done setting up partition</li>
+ </ul>
+ </li>
+ <li>Now you select 'Finished partitioning and write changes to disk'.</li>
+ </ul>
+
+ <h1>Kernel</h1>
+
+ <p>
+ Installation will ask what kernel you want to use. linux-generic is fine.
+ </p>
+
+ <h1>Tasksel</h1>
+
+ <p>
+ Just continue here, without selecting anything. You can install everything later (it's really easy).
+ </p>
+
+ <h1>Install the GRUB boot loader to the master boot record</h1>
+
+ <p>
+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
+ </p>
+
+ <p>
+ <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i>
+ </p>
+
+ <h1>Clock UTC</h1>
+
+ <p>
+ Just say 'Yes'.
+ </p>
+
+ <h1>
+ Booting your system
+ </h1>
+
+ <p>
+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
+ </p>
+
+ <p>
+ Do that:<br/>
+ grub&gt; <b>cryptomount -a (ahci0,msdos1)</b><br/>
+ grub&gt; <b>set root='lvm/buzz-distro'</b><br/>
+ grub&gt; <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro</b><br/>
+ grub&gt; <b>initrd /initrd.img</b><br/>
+ grub&gt; <b>boot</b>
+ </p>
+
+ <h1>
+ ecryptfs
+ </h1>
+
+ <p>
+ Immediately after logging in, do that:<br/>
+ $ <b>sudo ecryptfs-unwrap-passphrase</b>
+ </p>
+
+ <p>
+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
+ somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
+ </p>
+
+ <h1>
+ Modify grub.cfg (CBFS)
+ </h1>
+
+ <p>
+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
+ </p>
+
+ <p>
+ Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>;
+ just change the default menu entry 'Load Operating System' to say this inside:
+ </p>
+
+ <p>
+ <b>cryptomount -a (ahci0,msdos1)</b><br/>
+ <b>set root='lvm/buzz-distro'</b><br/>
+ <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro</b><br/>
+ <b>initrd /initrd.img</b>
+ </p>
+
+ <p>
+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
+ GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. <b>This should be different than your LUKS passphrase and user password.</b>
+ </p>
+
+ <p>
+ The GRUB utility can be used like so:<br/>
+ $ <b>grub-mkpasswd-pbkdf2</b>
+ </p>
+
+ <p>
+ Give it a password (remember, it has to be secure) and it'll output something like:<br/>
+ <b>grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </p>
+
+ <p>
+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):<br/>
+ </p>
+ <pre>
+<b>set superusers=&quot;root&quot;</b>
+<b>password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b>
+ </pre>
+
+ <p>
+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
+ </p>
+
+ <p>
+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
+ using <a href="../index.html#flashrom">this tutorial</a>.
+ </p>
+
+ <h1>
+ Update Trisquel
+ </h1>
+
+ <p>
+ $ <b>sudo apt-get update</b><br/>
+ $ <b>sudo apt-get upgrade</b>
+ </p>
+
+ <p>
+ At the time of writing, Trisquel 7 had <a href="https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1274680">this</a>
+ bug from upstream. The workaround identified in <a href="https://trisquel.info/en/forum/trisquel-7-memory-leak-issues">this page</a>
+ was as follows:<br/>
+ $ <b>sudo apt-get remove libpam-smbpass</b>
+ </p>
+
+ <h1>
+ Install a desktop (optional)
+ </h1>
+
+ <p>
+ Installs the default desktop:<br/>
+ $ <b>sudo apt-get install trisquel</b>
+ </p>
+
+ <p>
+ It might ask for postfix configuration. I just choose 'No configuration'.
+ </p>
+
+ <p>
+ Next time you boot, it'll start lightdm and you can login. To start lightdm now, do:<br/>
+ $ <b>sudo service lightdm start</b>
+ </p>
+
+ <p>
+ Go back to the terminal (ctrl-alt-f1) and exit:<br/>
+ $ <b>exit</b>
+ </p>
+
+ <p>
+ Go back to lightdm (ctrl-alt-f7) and login.
+ </p>
+
+ <p>
+ Since you installed using net install and you only installed the base system, network-manager isn't controlling
+ your eth0 but instead /etc/network/interfaces is. Comment out the eth0 lines in that file, and then do:<br/>
+ $ <b>sudo /etc/init.d/networking stop</b><br/>
+ $ <b>sudo service network-manager restart</b>
+ </p>
+
+ <h1>
+ Conclusion
+ </h1>
+
+ <p>
+ If you followed all that correctly, you should now have a fully encrypted system.
+ </p>
+
+<hr/>
+
+ <p>
+ Copyright &copy; 2014 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
+ </p>
+
+ <p>
+ This document is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information.
+ </p>
+
+</body>
+</html>