From 4c3d46238022f0c9955ae7e8b10c9f1716dd871a Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Wed, 04 Feb 2015 04:14:49 -0500 Subject: Documentation: implement theme, drastically improve readability --- (limited to 'docs/gnulinux/encrypted_trisquel.html') diff --git a/docs/gnulinux/encrypted_trisquel.html b/docs/gnulinux/encrypted_trisquel.html index 8e369a4..c24d5f1 100644 --- a/docs/gnulinux/encrypted_trisquel.html +++ b/docs/gnulinux/encrypted_trisquel.html @@ -12,280 +12,325 @@ -
+

Installing Trisquel GNU/Linux with full disk encryption (including /boot)

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and its GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer. -

- -

- Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols). -

- -

- when the installer asks you to set up - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'. -

- -

- - Your user password should be different from the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - -

- -

Partitioning

- -

Choose 'Manual' partitioning:

- - -

Further partitioning

- -

- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. -

- - -

Kernel

- -

- Installation will ask what kernel you want to use. linux-generic is fine. -

- -

Tasksel

- -

- Choose "Trisquel Desktop Environment" if you want GNOME, - "Trisquel-mini Desktop Environment" if you - want LXDE or "Triskel Desktop Environment" if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. -

- -

Postfix configuration

- -

- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) -

- -

Install the GRUB boot loader to the master boot record

- -

- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. -

- -

- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. -

- -

Clock UTC

- -

- Just say 'Yes'. -

- -

- Booting your system -

- -

- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. -

- +

+ Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and its GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+ +

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine. +

+

+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). + How to boot a GNU/Linux installer. +

+

Back to previous index

+ + +
+

- Do that:
- grub> cryptomount -a (ahci0,msdos1)
- grub> set root='lvm/grubcrypt-trisquel'
- grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- grub> initrd /initrd.img
- grub> boot -

- -

- ecryptfs -

- -

- If you didn't encrypt your home directory, then you can safely ignore this section. -

- -

- Immediately after logging in, do that:
- $ sudo ecryptfs-unwrap-passphrase -

- -

- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> -

- -

- Modify grub.cfg (CBFS) -

- -

- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. -

- -

- Modify your grub.cfg (in the firmware) using this tutorial; - just change the default menu entry 'Load Operating System' to say this inside: + Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols).

- cryptomount -a (ahci0,msdos1)
- set root='lvm/grubcrypt-trisquel'
- linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
- initrd /initrd.img + when the installer asks you to set up + encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it + will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. + Choose 'no'.

- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. + + Your user password should be different from the LUKS password which you will set later on. + Your LUKS password should, like the user password, be secure. +

+ +
+ +
+ +

Partitioning

+ +

Choose 'Manual' partitioning:

+ + +
+ +
+ +

Further partitioning

+ +

+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. +

+ + +
+ +
+ +

Kernel

+ +

+ Installation will ask what kernel you want to use. linux-generic is fine. +

+ +
+ +
+ +

Tasksel

+ +

+ Choose "Trisquel Desktop Environment" if you want GNOME, + "Trisquel-mini Desktop Environment" if you + want LXDE or "Triskel Desktop Environment" if you want KDE. + If you want to have no desktop (just a basic shell) + when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). + You might also want to choose some of the other package groups; it's up to you. +

+ +
+ +
+ +

Postfix configuration

+ +

+ If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) +

+ +
+ +
+ +

Install the GRUB boot loader to the master boot record

+ +

+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. + You could also choose 'No'. Choice is irrelevant here. +

+ +

+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. +

+ +
+ +
+ +

Clock UTC

+ +

+ Just say 'Yes'. +

+ +
+ +
+ +

+ Booting your system +

+ +

+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. +

+ +

+ Do that:
+ grub> cryptomount -a (ahci0,msdos1)
+ grub> set root='lvm/grubcrypt-trisquel'
+ grub> linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
+ grub> initrd /initrd.img
+ grub> boot +

+ +
+ +
+ +

+ ecryptfs +

+ +

+ If you didn't encrypt your home directory, then you can safely ignore this section. +

+ +

+ Immediately after logging in, do that:
+ $ sudo ecryptfs-unwrap-passphrase +

+ +

+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note + somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> +

+ +
+ +
+ +

+ Modify grub.cfg (CBFS) +

+ +

+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. +

+ +

+ Modify your grub.cfg (in the firmware) using this tutorial; + just change the default menu entry 'Load Operating System' to say this inside: +

+ +

+ cryptomount -a (ahci0,msdos1)
+ set root='lvm/grubcrypt-trisquel'
+ linux /vmlinuz root=/dev/mapper/grubcrypt-trisquel cryptdevice=/dev/mapper/grubcrypt-trisquel:root
+ initrd /initrd.img +

+ +

+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see + GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. +

+ +

+ The GRUB utility can be used like so:
+ $ grub-mkpasswd-pbkdf2 +

+ +

+ Give it a password (remember, it has to be secure) and it'll output something like:
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 +

+ +

+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+

+
+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+			
-

- The GRUB utility can be used like so:
- $ grub-mkpasswd-pbkdf2 -

+

+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! +

-

- Give it a password (remember, it has to be secure) and it'll output something like:
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -

+

+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM + using this tutorial. +

+ +
-

- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
-

-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-		
+

- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt.

- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using this tutorial. + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

+ +
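Review bot: the readability pass carries two pre-existing text defects through unchanged, so this hunk should fix them while it is touching the paragraphs anyway. The ecryptfs paragraph ("when the installer asks you to set up encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure ...") opens by telling the reader to select 'Yes' and closes with "Choose 'no'", so the first sentence should be reworded to match the recommendation the paragraph actually makes (for example "select 'No': LUKS is already secure ..."), and "when" should be capitalised. The ecryptfs recovery paragraph still ends with a stray ">" after "and memorize it still)"; it should be a period. Minor style point in the same hunk: "Do that:" before both command listings reads better as "Do this:". The `set superusers`/`password_pbkdf2` block and the surrounding "Obviously, replace it with the correct hash" sentence are fine as documentation, since the sample hash is clearly marked as an example to be replaced.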