From 02f4e0fe03070da674a5d78b77edef3b6e833385 Mon Sep 17 00:00:00 2001 From: Jeroen Quint Date: Tue, 25 Aug 2015 20:26:15 -0400 Subject: docs/gnulinux/encrypted_parabola.html: bring it up to date --- (limited to 'docs/gnulinux/encrypted_parabola.html') diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html index 2f61cb6..07bd580 100644 --- a/docs/gnulinux/encrypted_parabola.html +++ b/docs/gnulinux/encrypted_parabola.html @@ -42,35 +42,42 @@

- For this guide I used the 2013 09 01 image to boot the live installer and install the system. + For this guide I used the 2015 08 01 image to boot the live installer and install the system. + This is available at this page.

This guide will go through the installation steps taken at the time of writing, which may or may not change due to the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15). + the Parabola wiki. This guide essentially cherry picks the useful information (valid at the + time of writing: 2015-08-25).

+

This section deals with wiping the storage device on which you plan to install Parabola + GNU/Linux. Follow these steps, but if you use an SSD, also: +

- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. + - beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. See this page for more info.

-

- If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously - contained plaintext copies of your data. +

- make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously contained plaintext copies of your data. +

+ +

- make sure to read this article. Edit /etc/fstab later on when + chrooted into your install. Also, read the whole article and keep all points in mind, adapting them for this guide.

Wipe the MBR (if you use MBR):
# lsblk
- Your HDD is probably /dev/sda: + Your storage is probably /dev/sda, but be very sure to double check this or you WILL lose your data!
# dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
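Review bot: the new warning on the lsblk/dd lines ("be very sure to double check this or you WILL lose your data") would be stronger with a concrete check: have the reader confirm the device by size and model (`lsblk -o NAME,SIZE,MODEL`) or address it through `/dev/disk/by-id/` before running `dd if=/dev/zero of=/dev/sda bs=446 count=1`, since that is the one line that cannot be undone. It is also worth saying what the 446-byte write does and does not do: it clears the MBR boot code but leaves the partition table (bytes 446-511) and all data intact, so it is not the "wiping the storage device" that the section intro promises; the full wipe the SSD bullets are concerned with is a separate step.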
Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. This guide is for libreboot with GRUB-as-payload only. @@ -88,17 +95,9 @@ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then it is already 'wiped'. You should just wipe the LUKS header. https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ - showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
+ showed me how to do this. It recommends doing the first 3MiB. Now, that guide is recommending putting zero there. I'm going to use urandom. Do this:
# head -c 3145728 /dev/urandom > /dev/sda; sync
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). -

-

- - If you do plan to use an SSD, make sure to read - https://wiki.archlinux.org/index.php/Solid_State_Drives
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting - them for this guide. -
+ (Wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).

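Review bot: the header wipe writes to the whole disk (`head -c 3145728 /dev/urandom > /dev/sda`) while the LUKS container everywhere else in this guide lives on `/dev/sda1`. With a partition table in front of it, the first 3 MiB of the disk only reaches into the first part of the partition, so the key-slot area at the start of `/dev/sda1` may survive; point the redirect at the partition that held the container and, after the write, confirm with `cryptsetup luksDump /dev/sda1` that no header is recognised any more. The retained parenthetical ("It's 'secure', but 'potentially' a risk") could be made precise: the header holds salted, iterated key slots rather than hashed passphrases, so leaving it behind exposes the old data to an offline passphrase search, whereas overwriting it makes that data unrecoverable even to someone who knows the passphrase.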
@@ -109,10 +108,21 @@ Change keyboard layout

- Parabola live shell assumes US Qwerty. If you have something different, use:
+ Parabola live shell assumes US Qwerty. If you have something different, list the available keymaps and use yours:
+ # localectl list-keymaps
# loadkeys LAYOUT
For me, LAYOUT would have been dvorak-uk.

+ + + +
+ +

Establish an internet connection

+

+ Refer to this guide. Wired is recommended, + but wireless is also explained there. +

@@ -147,7 +157,7 @@ I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption.

- Parabola forces you to RTFM. + Parabola forces you to RTFM. Do that.

It tells me to run:
@@ -165,8 +175,8 @@

I am initializing LUKS with the following:
# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 - -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password - length should be as long as you are able to handle without writing it down or storing it anywhere. + Choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The + password length should be as long as you are able to handle without writing it down or storing it anywhere.

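Review bot: the passphrase advice under the luksFormat line focuses on character classes, but for LUKS the two levers that matter are passphrase entropy (the length of a random passphrase, not the mix of symbols) and the key-derivation cost; the same command accepts `--iter-time <ms>` to raise the PBKDF2 iteration count above the benchmarked default, which slows an offline attacker in proportion. It would also help readers to say that `--key-size 512` with an XTS cipher means two 256-bit keys, i.e. 256-bit effective strength, so nobody expects "512-bit encryption", and that `--use-random` can pause on the live system until enough entropy has been gathered, which is expected rather than a hang.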
@@ -179,10 +189,8 @@

Open the LUKS partition:
- # cryptsetup open --type luks /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
- I'm told that the above is old syntax, which is what I did anyway. You could also try:
- # cryptsetup luksOpen /dev/sda1 lvm + # cryptsetup luksOpen /dev/sda1 lvm
+ (it will be available at /dev/mapper/lvm)

Create LVM partition:
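Review bot: the removed line's rationale was backwards: `cryptsetup open --type luks /dev/sda1 lvm` is the newer generic syntax, and `cryptsetup luksOpen` is the older action-specific form kept as an alias. Either works, so keeping `luksOpen` is fine, but the guide should not leave readers believing `open` is old syntax; a one-line remark that both forms perform the same operation would avoid confusion for anyone comparing against the Arch wiki page the guide links to.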
@@ -192,13 +200,17 @@

Now I create the volume group, inside of which the logical volumes will be created:
- # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
+ # vgcreate matrix /dev/mapper/lvm
+ (volume group name is 'matrix' - choose your own name, if you like) Show that you created it:
# vgdisplay

Now create the logical volumes:
# lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
+ Again, choose your own name if you like. Also, make sure to choose a swap size of your own needs. It basically depends on how much RAM + you have installed. I refer to http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space.
# lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
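Review bot: the new swap-sizing note ("depends on how much RAM you have installed") should mention the one case where the size is a hard requirement rather than a preference: hibernation needs a swap volume at least as large as RAM. Independently of size, it is worth stating that `swapvol` lives inside the LUKS container, so swap (and any hibernation image written to it) is encrypted along with root; that is the reason for putting swap in LVM on top of LUKS rather than in a separate plain partition.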
You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, if you will be running a web/mail server then you want /var in its own partition (so that if it fills up with logs, it won't crash your system). @@ -213,15 +225,21 @@

-

Create / and swap partitions

+

Create / and swap partitions, and mount

For the swapvol LV I use:
- # mkswap /dev/mapper/matrix-swapvol + # mkswap /dev/mapper/matrix-swapvol
+ Activate swap:
+ # swapon /dev/matrix/swapvol

For the rootvol LV I use:
# mkfs.ext4 /dev/mapper/matrix-rootvol

+

+ Mount the root (/) partition:
+ # mount /dev/matrix/rootvol /mnt +

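Review bot: the moved lines `# swapon /dev/matrix/swapvol` and `# mount /dev/matrix/rootvol /mnt` address the volumes as `/dev/<vg>/<lv>`, while the `mkswap` and `mkfs.ext4` lines just above use `/dev/mapper/matrix-swapvol` and `/dev/mapper/matrix-rootvol`. Both paths are symlinks to the same device-mapper node, but mixing the two forms in adjacent commands invites a reader to assume they are different devices; pick one form and use it throughout the section.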
@@ -229,10 +247,6 @@

Continue with Parabola installation

- Mount the root (/) partition:
- # mount /dev/matrix/rootvol /mnt
-

-

This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola so that the guide can continue.

@@ -242,22 +256,16 @@

Create /home and /boot on rootvol mountpoint:
- # mkdir /mnt/home
- # mkdir /mnt/boot + # mkdir -p /mnt/home
+ # mkdir -p /mnt/boot

- The wiki says to enable the swap so that it can be detected by 'genfstab':
- # swapon /dev/matrix/swapvol -

-

- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. - I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. - Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. - You can test to see if internet is already working by pinging a few domains. + Once all the remaining partitions, if any, have been mounted, the devices are ready to install Parabola.

- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
+ In /etc/pacman.d/mirrorlist, comment out all lines except the Server line closest to where you are (I chose the UK Parabola + server (main server)) and then did:
# pacman -Syy
# pacman -Syu
# pacman -Sy pacman (and then I did the other 2 steps above, again)
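Review bot: the rewritten mirrorlist sentence switches person half-way through ("comment out all lines except ... and then did:"); either keep the imperative ("then run:") or keep the first-person narrative. More importantly, the unchanged `# pacman -Sy pacman` line followed by "the other 2 steps above, again" is a partial upgrade (`-Sy` plus a single package install without `-u`), which Arch-based distributions warn against because a package can end up newer than the libraries it links against; `pacman -Syu pacman`, or simply the `pacman -Syu` already listed, covers the same need without that risk.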
@@ -274,6 +282,8 @@    # pacman-key --refresh-keys
   # pacman -Sy parabola-keyring
   To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+    If you get an error mentioning dirmngr, do:
+    # dirmngr </dev/null
   Also, it says that if the clock is set incorrectly then you have to manually set the correct time
   (if keys are listed as expired because of it):
   # date MMDDhhmm[[CC]YY][.ss]
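Review bot: the `dirmngr </dev/null` workaround would be easier to apply if the text quoted the error it cures (the line only says "an error mentioning dirmngr") and said why it works: it initialises the gpg key-fetching helper once, after which `pacman-key --refresh-keys` can reach the keyservers. Since this runs as root in the live environment, it would also be worth telling readers to expect it to return immediately and not to leave it running interactively.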
@@ -289,8 +299,8 @@ </troubleshooting>

- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog + I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog/iw/wpa_actiond are needed for wireless after the install:
+ # pacstrap /mnt base base-devel wpa_supplicant dialog iw wpa_actiond

@@ -299,12 +309,16 @@

Configure the system

- From the Parabola installation guide (Arch's one was identical):
- # genfstab -p /mnt >> /mnt/etc/fstab + Generate an fstab - UUIDs are used because they have certain advantages (see https://wiki.parabola.nu/Fstab#Identifying_filesystems. + If you prefer labels instead, replace the -U option with -L):
+ # genfstab -U -p /mnt >> /mnt/etc/fstab
+ Check the created file:
+ # cat /mnt/etc/fstab
+ (If there are any errors, edit the file. Do NOT run the genfstab command again!)

Chroot into new system:
- # arch-chroot /mnt + # arch-chroot /mnt /bin/bash

It's a good idea to have this installed:
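Review bot: the reason behind "Do NOT run the genfstab command again!" belongs in the text: the command uses `>>`, so a second run appends a duplicate set of entries instead of replacing the file, and duplicate mounts in fstab are a common cause of a boot stopping in emergency mode. A smaller point: the parenthetical URL ends with a period before the closing parenthesis (".../Fstab#Identifying_filesystems."), which browsers will include in the link target, so move the period outside the URL.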
@@ -322,89 +336,76 @@ Parabola does not have wget. This is sinister. Install it:
# pacman -S wget

- - - - -
- -

Set a root password

-

- At the time of writing, Parabola used SHA512 by default for it's password hashing. -

-

- I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes. -

-

- Open /etc/pam.d/passwd and add rounds=65536 at the end of the uncommented 'password' line. -

+ Locale:
+ # nano /etc/locale.gen
+ Uncomment your needed localisations. For example en_GB.UTF-8 (UTF-8 is highly recommended over other options).
+ # locale-gen
+ # echo LANG=en_GB.UTF-8 > /etc/locale.conf
+ # export LANG=en_GB.UTF-8 +

+

+ Console font and keymap:
+ # nano /etc/vconsole.conf
+ In my case: + KEYMAP=dvorak-uk + FONT=Lat9w-16 +

+

+ Time zone:
+ # ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
+ (Replace Zone and Subzone to your liking. See /usr/share/zoneinfo) +

+

+ Hardware clock:
+ # hwclock --systohc --utc +

+

+ Hostname: + Write your hostname to /etc/hostname. For example, if your hostname is parabola:
+ # echo parabola > /etc/hostname
+ Add the same hostname to /etc/hosts:
+ # nano /etc/hosts
+

+
+#<ip-address>	<hostname.domain.org>	<hostname>
+127.0.0.1	localhost.localdomain	localhost	parabola
+::1		localhost.localdomain	localhost	parabola
+
+

Configure the network: + Refer to https://wiki.parabola.nu/Beginners%27_guide#Configure_the_network. +

+

Mkinitcpio: + Configure /etc/mkinitcpio.conf as needed (see https://wiki.parabola.nu/Mkinitcpio). + Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in /usr/lib/initcpio/install. (# mkinitcpio -H hookname gives information about each hook.) + Specifically, for this use case:
+ # nano /etc/mkinitcpio.conf
+ Then modify the file like so: +

+ +

+ Now using mkinitcpio, you can create the kernel and ramdisk for booting with (this is different from Arch, specifying linux-libre instead of linux):
+ # mkinitcpio -p linux-libre
+ Also do it for linux-libre-lts:
+ # mkinitcpio -p linux-libre-lts
+ Also do it for linux-libre-grsec:
+ # mkinitcpio -p linux-libre-grsec +

+

+ Set the root password: + At the time of writing, Parabola used SHA512 by default for its password hashing. I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes.
+ # nano /etc/pam.d/passwd
+ Add rounds=65536 at the end of the uncommented 'password' line.
# passwd root
Make sure to set a secure password! Also, it must never be the same as your LUKS password.

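Review bot: the three `mkinitcpio -p` lines assume `linux-libre-lts` and `linux-libre-grsec` are installed, but the pacstrap line earlier in this patch only pulls in `base` (which brings `linux-libre`); the other two presets will not exist unless those kernel packages are installed first, so either add them to the pacstrap line or mark the extra `-p` runs as "if installed". Further points in this hunk: `ln -s /usr/share/zoneinfo/Europe/London /etc/localtime` fails if `/etc/localtime` already exists in the chroot, so use `ln -sf`; the "Then modify the file like so:" step is followed by an empty block in this rendering, and since the whole guide depends on the initramfs being able to unlock LUKS and activate LVM, the intended HOOKS line (with the encrypt and lvm2 hooks placed before filesystems) must actually be visible there; and for the `rounds=65536` edit to `/etc/pam.d/passwd`, it would help to note that it only affects passwords set after the edit, which is why it correctly precedes `passwd root`.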
@@ -447,7 +448,7 @@

unmount:
- # umount /mnt
+ # umount -R /mnt
# swapoff -a

@@ -461,7 +462,7 @@

# shutdown -h now
- Then boot up again. + Remove the installation media, then boot up again.

@@ -651,6 +652,7 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97

Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; -- cgit v0.9.1