From 52caa0b75ffb62511e4f73317243258bfa24d701 Mon Sep 17 00:00:00 2001
From: Francis Rowe
Date: Fri, 10 Oct 2014 18:49:14 -0400
Subject: Documentation: configuring_parabola.html

Shows some basic post-install configuration steps for Parabola GNU/Linux-libre, as a follow up to encrypted_parabola.html which showed how to setup a fully encrypted Parabola system.
---
(limited to 'docs/howtos/encrypted_parabola.html')

diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html
index b7f2359..c7a9210 100644
--- a/docs/howtos/encrypted_parabola.html
+++ b/docs/howtos/encrypted_parabola.html
@@ -35,6 +35,10 @@

+ For this guide I used the 2013 09 01 image to boot the live installer and install the system. +

+ +

Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel.
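Review bot: The added sentence identifies the installer only as "the 2013 09 01 image", which is more than a year older than this commit (October 2014) and says nothing about checking the download. Suggest writing the date in an unambiguous form such as 2013-09-01, noting that an image this old is the reason the keyring steps later in the guide are needed, and adding a line telling the reader to verify the image's signature or checksum before booting it.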

@@ -45,17 +49,42 @@

+ If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously + contained plaintext copies of your data. +

+ +

Wipe the MBR (if you use MBR):
# lsblk
Your HDD is probably /dev/sda: - # dd if=/dev/zero of=/dev/sda bs=446 count=1
+ # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. This guide is for libreboot with GRUB-as-payload only.

Securely wipe the drive:
- # dd if=/dev/urandom of=/dev/sda + # dd if=/dev/urandom of=/dev/sda; sync
+ NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, + use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended + erase block size is. For example if it was 2MiB:
+ # dd if=/dev/urandom of=/dev/sda bs=2M; sync +

+

+ If your drive was already LUKS encrypted (maybe you are re-installing your distro) then + it is already 'wiped'. You should just wipe the LUKS header. + https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ + showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
+ # head -c 3145728 /dev/urandom > /dev/sda; sync
+ (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). +

+

+ + If you do plan to use an SSD, make sure to read + https://wiki.archlinux.org/index.php/Solid_State_Drives
+ Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting + them for this guide. +
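Review bot: The SSD note and the LUKS-header paragraph present an overwrite of the first 3MiB of /dev/sda as enough to dispose of an old header, but on an SSD the controller can remap those writes, so the previous header and its key slots may still be present in flash afterwards. Suggest stating that limitation next to "only do this the first time" and pointing SSD users at the drive's own secure-erase feature instead of relying on "head -c 3145728 /dev/urandom > /dev/sda" alone. Smaller points in the same paragraphs: "I'm doing to use urandom" should read "going"; the 3MiB figure is taken from the linked article and the text should say it is an upper bound chosen for safety, not a fixed header size; and every command hard-codes /dev/sda although the text only says the disk is "probably" /dev/sda, so a reminder to confirm the device with lsblk before each dd would prevent wiping the wrong disk.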

@@ -197,30 +226,43 @@ Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. You can test to see if internet is already working by pinging a few domains.

+

- The following is based on 'Verification of package signatures' in the Parabola install guide. Check there first to see if steps differ by now. - Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
- # pacman -Sy parabola-keyring
- It says that you you get GPG errors, it's probably an expired key so do:
- # pacman-key --populate parabola
- # pacman-key --refresh-keys
- # pacman -Sy parabola-keyring
- To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
- Also, it says that if the clock is set incorrectly then you have to manually set the correct time (if keys are listed as expired because of it):
- # date MMDDhhmm[[CC]YY][.ss] + I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
+ # pacman -Syy
+ # pacman -Syu
+ # pacman -Sy pacman (and then I did the other 2 steps above, again)
+ In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. +

+

+ <troubleshooting>
+    The following is based on 'Verification of package signatures' in the Parabola install guide.
+    Check there first to see if steps differ by now.
+    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
+    # pacman -Sy parabola-keyring
+    It says that you you get GPG errors, it's probably an expired key so do:
+    # pacman-key --populate parabola
+    # pacman-key --refresh-keys
+    # pacman -Sy parabola-keyring
+    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
+    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
+    (if keys are listed as expired because of it):
+    # date MMDDhhmm[[CC]YY][.ss]
+    I also had to install:
+    # pacman -S archlinux-keyring
+    # pacman-key --populate archlinux
+    In my case I saw some conflicting files reported in pacman, stopping me from using it.
+    I deleted the files that it mentioned + and then it worked. Specifically, I had this error:
+    licenses: /usr/share/licenses/common/MPS exists in filesystem
+    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
+    # pacman -Sf licenses
+ </troubleshooting>
+

+

+ I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
+ # pacstrap /mnt base base-devel wpa_supplicant dialog

- -

Install the base system

-

- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- # pacman -Syu
- I also had to upgrade pacman and then do the above again:
- # pacman -Sy pacman -

-

- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog -

Configure the system
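Review bot: The reordering puts "pacman -Syy" and "pacman -Syu" ahead of the keyring update and moves the parabola-keyring / pacman-key steps into a troubleshooting block, so a reader working top to bottom upgrades first and treats package signature setup as optional; the new sentence "I did the steps in the next paragraph, and followed the steps in this paragraph again" shows the order is backwards. Suggest moving the keyring and clock steps before the upgrade as a normal step and dropping the circular cross-reference. Also in this hunk: <troubleshooting> is not an HTML element, so use a div with a class or a sub-heading; the file-conflict advice should tell the reader to check which package owns the file (pacman -Qo) before "rm -rf" or "pacman -Sf licenses", since both overwrite without asking; the pacstrap paragraph now sits above the "Install the base system" heading instead of under it; and "It says that you you get GPG errors" is carried over with the duplicated word.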

@@ -345,7 +387,7 @@ Or just delete it. Above it, put:
auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
To unlock a user manually (if a password attempt is failed 3 times), do:
- # pam_tally --user --reset + # pam_tally --user theusername --reset What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
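Review bot: On the changed line, "theusername" reads as a literal argument; mark it as a placeholder (italics, or USERNAME in capitals) so it is not copied verbatim. Since this paragraph is being touched anyway, the context line's "onerr=succeed" deserves a sentence: it makes the module return success when it hits an error such as an unreadable /var/log/faillog, which means the lockout silently stops applying in that case.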

@@ -418,6 +460,10 @@

+ Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. +

+ +

Above the 'Load Operating System' menu entry you should also add a GRUB password, like so:

set superusers="root"
@@ -469,6 +515,12 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97
 			# pacman -S dmidecode
 		

+

+ When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; + GRUB is already part of libreboot, flashed alongside it as a payload):
+ # pacman -R grub +
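Review bot: "When done, deleted GRUB" should be the imperative "delete GRUB" (or "remove GRUB"), matching the rest of the guide. The paragraph should also say explicitly that the hash produced by grub-mkpasswd-pbkdf2 must already be copied into the libreboot GRUB configuration before running "pacman -R grub", because the utility is no longer available afterwards.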

+

@@ -487,6 +539,16 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97


+

Follow-up tutorial: configuring Parabola

+

+ configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic + system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. + Parabola is user-centric, which means that you are in control. For more information, read The Arch Way + (Parabola also follows it). +

+ +
+

Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. -- cgit v0.9.1