From 96ca7ee67a36605a33de8d57eb8e8d3998bc6427 Mon Sep 17 00:00:00 2001 From: Michał Masłowski Date: Wed, 03 Sep 2014 14:30:21 -0400 Subject: Merge libreboot-6b6. Conflicts: buildrom-withgrub --- (limited to 'docs/howtos/encrypted_trisquel.html') diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html new file mode 100644 index 0000000..2529da4 --- /dev/null +++ b/docs/howtos/encrypted_trisquel.html @@ -0,0 +1,321 @@ + + + + + + + + + Installing Trisquel GNU/Linux with full disk encryption (including /boot) + + + +

Installing Trisquel GNU/Linux with full disk encryption (including /boot)

+ +

+ Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition + when setting up an encrypted system. This means that your machine can really secure data while powered off. +

+ +

+ This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer. +

+ +

+ Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols) and when the installer asks you to setup + encryption (ecryptfs) for your home directory, select 'Yes'. +

+ +

+ + Your user password should be different than the LUKS password which you will set later on. + Your LUKS password should, like the user password, be secure. + +

+ +

Partitioning

+ +

Choose 'Manual' partitioning:

Select drive and create new partition table
+ Single large partition. The following are mostly defaults: +
- Use as: physical volume for encryption
- Encryption: aes
- key size: 256
- IV algorithm: xts-plain64
- Encryption key: passphrase
- erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)
+
+ Select 'configure encrypted volumes' +
- Create encrypted volumes
- Select your partition
- Finish
- Really erase: Yes
- (erase will take a long time. be patient)
+
+ Select encrypted space: +
- use as: physical volume for LVM
- Choose 'done setting up the partition'
+
+ Configure the logical volume manager: +
- Keep settings: Yes
+
+ Create volume group: +
- Name: buzz (you can use whatever you want here, this is just an example)
- Select crypto partition
+
+ Create logical volume +
- select buzz (or whatever you named it before)
- name: distro (you can use whatever you want here, this is just an example)
- size: default, minus 2048 MB
+
+ Create logical volume +
- select buzz (or whatever you named it before)
- name: swap (you can use whatever you want here, this is just an example)
- size: press enter
+

+ +

Further partitioning

+ +

+ Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. +

+ LVM LV distro +
- use as: ext4
- mount point: /
- done setting up partition
+
+ LVM LV swap +
- use as: swap area
- done setting up partition
+
Now you select 'Finished partitioning and write changes to disk'.

+ +

Kernel

+ +

+ Installation will ask what kernel you want to use. linux-generic is fine. +

+ +

Tasksel

+ +

+ Just continue here, without selecting anything. You can install everything later (it's really easy). +

+ +

Install the GRUB boot loader to the master boot record

+ +

+ Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. +

+ +

+ You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. +

+ +

Clock UTC

+ +

+ Just say 'Yes'. +

+ +

+ Booting your system +

+ +

+ At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. +

+ +

+ Do that:
+ grub> cryptomount -a (ahci0,msdos1)
+ grub> set root='lvm/buzz-distro'
+ grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
+ grub> initrd /initrd.img
+ grub> boot +

+ +

+ ecryptfs +

+ +

+ Immediately after logging in, do that:
+ $ sudo ecryptfs-unwrap-passphrase +

+ +

+ This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note + somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> +

+ +

+ Modify grub.cfg (CBFS) +

+ +

+ Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. +

+ +

+ Modify your grub.cfg (in the firmware) using this tutorial; + just change the default menu entry 'Load Operating System' to say this inside: +

+ +

+ cryptomount -a (ahci0,msdos1)
+ set root='lvm/buzz-distro'
+ linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
+ initrd /initrd.img +

+ +

+ Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see + GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. +

+ +

+ The GRUB utility can be used like so:
+ $ grub-mkpasswd-pbkdf2 +

+ +

+ Give it a password (remember, it has to be secure) and it'll output something like:
+ grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 +

+ +

+ Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
+

+set superusers="root"
+password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
+

+ +

+ Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! +

+ +

+ After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM + using this tutorial. +

+ +

+ Update Trisquel +

+ +

+ $ sudo apt-get update
+ $ sudo apt-get upgrade +

+ +

+ At the time of writing, Trisquel 7 had this + bug from upstream. The workaround identified in this page + was as follows:
+ $ sudo apt-get remove libpam-smbpass +

+ +

+ Install a desktop (optional) +

+ +

+ Installs the default desktop:
+ $ sudo apt-get install trisquel +

+ +

+ It might ask for postfix configuration. I just choose 'No configuration'. +

+ +

+ Next time you boot, it'll start lightdm and you can login. To start lightdm now, do:
+ $ sudo service lightdm start +

+ +

+ Go back to the terminal (ctrl-alt-f1) and exit:
+ $ exit +

+ +

+ Go back to lightdm (ctrl-alt-f7) and login. +

+ +

+ Since you installed using net install and you only installed the base system, network-manager isn't controlling + your eth0 but instead /etc/network/interfaces is. Comment out the eth0 lines in that file, and then do:
+ $ sudo /etc/init.d/networking stop
+ $ sudo service network-manager restart +

+ +

+ Conclusion +

+ +

+ If you followed all that correctly, you should now have a fully encrypted system. +

+ +

+ Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

+ +

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

+ + + -- cgit v0.9.1