Differences

en:guide:encrypted_installation [2017/11/14 12:04]
emulatorman
en:guide:encrypted_installation [2022/01/26 00:00] (current)
emulatorman
Line 1: Line 1:
 ====== Installing Hyperbola GNU/​Linux-libre with full-disk encryption (including /boot) ====== ====== Installing Hyperbola GNU/​Linux-libre with full-disk encryption (including /boot) ======
  
-This guide covers how to install **Hyperbola GNU/​Linux-Libre**,​ with **full disk encryption**,​ including <color #​0B71B9/#​DDF1FF>/​boot</​color>​ (the boot directory). On most systems, <color #​0B71B9/#​DDF1FF>/​boot</​color>​ has to be left unencrypted,​ while the other partition(s) are encrypted. This is so that <color #​0BB928/#​DDFFE3>​GRUB</​color> ​(and therefore the kernel) can be loaded and executed, because most firmware can’t open a LUKS volume; however, with <color #​0BB928/#​DDFFE3>​Libreboot</​color>, ​<color #​0BB928/#​DDFFE3>​GRUB</​color> ​is already included as a payload, so even <color #​0B71B9/#​DDF1FF>/​boot</​color>​ can be encrypted; this protects <color #​0B71B9/#​DDF1FF>/​boot</​color>​ from tampering by someone with physical access to the system.+This guide covers how to install **Hyperbola GNU/​Linux-Libre**,​ with **full disk encryption**,​ including <color #​0B71B9/#​DDF1FF>/​boot</​color>​ (the boot directory). On most systems, <color #​0B71B9/#​DDF1FF>/​boot</​color>​ has to be left unencrypted,​ while the other partition(s) are encrypted. This is so that GRUB (and therefore the kernel) can be loaded and executed, because most firmware can’t open a LUKS volume; however, with <color #​0BB928/#​DDFFE3>​Libreboot</​color>,​ GRUB is already included as a payload, so even <color #​0B71B9/#​DDF1FF>/​boot</​color>​ can be encrypted; this protects <color #​0B71B9/#​DDF1FF>/​boot</​color>​ from tampering by someone with physical access to the system.
  
 <note important>​ <note important>​
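Review bot: the closing claim of the first paragraph, that encrypting /boot "protects /boot from tampering by someone with physical access", is stronger than what the setup delivers and should be qualified: LUKS on the disk keeps the kernel and initramfs from being read or silently swapped on the drive, but the GRUB payload that unlocks them lives in the Libreboot flash, which this encryption does not cover, so the sentence should say that disk-level tampering is what is mitigated and that the flash needs its own protection.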
Line 8: Line 8:
  
 <​note>​ <​note>​
-This guide has been used for those new to our system, check [[en:​guide:​beginners|Beginner ​section]] for an overview.+This guide has been used for those new to our system, check [[en:​guide:​beginners|beginner'​s ​section]] for an overview.
 </​note>​ </​note>​
  
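Review bot: the sentence "This guide has been used for those new to our system, check ... for an overview" still reads awkwardly after the link-text change; suggest "This guide is intended for those new to our system; see the beginner's section for an overview."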
Line 31: Line 31:
 ==== Choose the installation device ==== ==== Choose the installation device ====
  
-Refer to the Beginner ​guide, for finding and choosing the proper installation device, whether you are using an [[en:​guide:​beginners#​burn_the_image_to_your_optical_disk|optical disk]], or a [[en:​guide:​beginners#​write_the_image_to_your_usb|USB drive]].+Refer to the beginner'​s ​guide, for finding and choosing the proper installation device, whether you are using an [[en:​guide:​beginners#​burn_the_image_to_your_optical_disk|optical disk]], or a [[en:​guide:​beginners#​write_the_image_to_your_usb|USB drive]].
  
 ==== Boot Hyperbola’s install environment ==== ==== Boot Hyperbola’s install environment ====
Line 37: Line 37:
 After downloading the ISO, and creating some kind of bootable media, you will need to boot into the live image. If you are unsure of how to do so, see [[en:​guide:​beginners#​download_and_verify_the_live_image|how to boot a GNU/Linux installer]],​ and move on to the next step; otherwise, just go to the next step. After downloading the ISO, and creating some kind of bootable media, you will need to boot into the live image. If you are unsure of how to do so, see [[en:​guide:​beginners#​download_and_verify_the_live_image|how to boot a GNU/Linux installer]],​ and move on to the next step; otherwise, just go to the next step.
  
-==== Setting up keyboard layout ====+===== Setting up keyboard layout ​=====
  
 To begin the installation,​ you must first select the proper [[en:​guide:​installation#​keyboard_layout|keyboard layout]]. To begin the installation,​ you must first select the proper [[en:​guide:​installation#​keyboard_layout|keyboard layout]].
  
-==== Establish an internet connection ====+===== Establish an internet connection ​=====
  
 You will also need to [[https://​wiki.hyperbola.info/​doku.php?​id=en:​guide:​installation#​connect_to_the_internet|set up a network connection]],​ to install packages. You will also need to [[https://​wiki.hyperbola.info/​doku.php?​id=en:​guide:​installation#​connect_to_the_internet|set up a network connection]],​ to install packages.
  
-==== Preparing the storage device for installation ====+===== Preparing the storage device for installation ​=====
  
 You need to prepare the storage device that we will use to install the operating system. You can use same [[en:​guide:​beginners#​write_the_image_to_your_usb|device name]] that you used earlier, to determine the installation device for the ISO. You need to prepare the storage device that we will use to install the operating system. You can use same [[en:​guide:​beginners#​write_the_image_to_your_usb|device name]] that you used earlier, to determine the installation device for the ISO.
  
-=== Wipe storage device ===+==== Wipe storage device ​====
  
 You want to make sure that the device you’re using doesn’t contain any plaintext copies of your personal data. If the drive is new, then you can skip the rest of this section; if it’s not new, then there are two ways to handle it: You want to make sure that the device you’re using doesn’t contain any plaintext copies of your personal data. If the drive is new, then you can skip the rest of this section; if it’s not new, then there are two ways to handle it:
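Review bot: the heading levels in this hunk end up inconsistent: "Setting up keyboard layout", "Establish an internet connection" and "Preparing the storage device for installation" are promoted from ==== to =====, while the unchanged "Choose the installation device" and "Boot Hyperbola's install environment" just above them stay at ====, so in the rendered page those two now read as subsections of the preceding ===== section rather than as sibling steps. Either promote those two headings as well or keep the whole sequence at one level.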
Line 61: Line 61:
   * Make sure to read [[https://​wiki.archlinux.org/​index.php/​Solid_State_Drives|this article]], for information on managing SSD’s in **Arch GNU/Linux** (the information applies to **Hyperbola**,​ as well).   * Make sure to read [[https://​wiki.archlinux.org/​index.php/​Solid_State_Drives|this article]], for information on managing SSD’s in **Arch GNU/Linux** (the information applies to **Hyperbola**,​ as well).
  
-=== Formatting the storage device ===+==== Formatting the storage device ​====
  
 Now that all the personal data has been deleted from the disk, it’s time to format it. We’ll begin by creating a single, large partition on it, and then encrypting it using LUKS. Now that all the personal data has been deleted from the disk, it’s time to format it. We’ll begin by creating a single, large partition on it, and then encrypting it using LUKS.
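Review bot: "Now that all the personal data has been deleted from the disk" at the start of the formatting section assumes the wipe in the previous section fully succeeded; on an SSD an overwrite does not reliably reach every block because of wear levelling and spare area, which is exactly the concern the linked Arch SSD article raises in the line above. Suggest qualifying the sentence, or pointing SSD users at that article's erasure guidance before they proceed.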
Line 91: Line 91:
  
 <code bash> <code bash>
-# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool ​+# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY
->--iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY+
 </​code>​ </​code>​
  
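Review bot: folding the two lines into one fixes the broken shell continuation, but `--iter-time 500` in the merged cryptsetup line deserves a comment in the text: it sets PBKDF2 to 500 ms, below cryptsetup's default (1000 ms in 1.x, raised to 2000 ms in 2.x), which lowers the cost of each offline guess against the header. If the lower value is there to keep GRUB's cryptomount unlock time tolerable, say so and note that a long passphrase is the compensating control; otherwise drop the option and let the default apply.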
Line 201: Line 200:
 The setup of the drive and partitions is now complete; it’s time to actually install Hyperbola. The setup of the drive and partitions is now complete; it’s time to actually install Hyperbola.
  
-==== Install the base system ====+===== Install the base system ​=====
  
 We need to install the essential applications needed for your Hyperbola installation to run; refer to [[en:​guide:​beginners#​install_the_base_system|Install the base system]], on the our wiki. We need to install the essential applications needed for your Hyperbola installation to run; refer to [[en:​guide:​beginners#​install_the_base_system|Install the base system]], on the our wiki.
  
-==== Generate an fstab ====+===== Generate an fstab =====
  
-The next step in the process is to generate a file known as an <color #​620BB9/#​EEDDFF>​fstab</​color>;​ the purpose of this file is for the operating system to identify the storage device used by your installation. On [[en:​guide:​beginners#​generate_an_fstab|our beginner’s guide]] is the instruction to generate that file.+The next step in the process is to generate a file known as an <color #​620BB9/#​EEDDFF>​fstab</​color>;​ the purpose of this file is for the operating system to identify the storage device used by your installation. On [[en:​guide:​beginners#​generate_an_fstab|the beginner’s guide]] is the instruction to generate that file.
  
-==== Chroot into and configure the system ====+===== Chroot into and configure the system ​=====
  
 Now, you need to <color #​620BB9/#​EEDDFF>​chroot</​color>​ into your new installation,​ to complete the setup and installation process. **Chrooting** refers to changing the root directory of an operating system to a different one; in this instance, it means changing your root directory to the one you created in the previous steps, so that you can modify files and install software onto it, as if it were the host operating system. Now, you need to <color #​620BB9/#​EEDDFF>​chroot</​color>​ into your new installation,​ to complete the setup and installation process. **Chrooting** refers to changing the root directory of an operating system to a different one; in this instance, it means changing your root directory to the one you created in the previous steps, so that you can modify files and install software onto it, as if it were the host operating system.
  
-To chroot into your installation,​ follow the instruction on [[en:​guide:​beginners#​chroot_and_configure_the_base_system|our beginner’s guide]].+To chroot into your installation,​ follow the instruction on [[en:​guide:​beginners#​chroot_and_configure_the_base_system|the beginner’s guide]].
  
-=== Setting up the locale ===+==== Setting up the locale ​====
  
-Locale refers to the language that your operating system will use, as well as some other considerations related to the region in which you live. To set this up, follow the instructions in the [[en:​guide:​beginners#​locale|our beginner’s guide]].+Locale refers to the language that your operating system will use, as well as some other considerations related to the region in which you live. To set this up, follow the instructions in [[en:​guide:​beginners#​locale|the beginner’s guide]].
  
-=== Setting up the consolefont and keymap ===+==== Setting up the consolefont and keymap ​====
  
-This will determine the keyboard layout of your new installation;​ follow the instructions in [[en:​guide:​beginners#​kepmap|our beginner’s guide]].+This will determine the keyboard layout of your new installation;​ follow the instructions in [[en:​guide:​beginners#​kepmap|the beginner’s guide]]. 
 + 
 +==== Setting up the time zone ==== 
 + 
 +You’ll need to set your current time zone in the operating system; this will enable applications that require accurate time to work properly (e.g., the web browser). To do this, follow the instructions [[en:​guide:​beginners#​time_zone|the beginner’s guide]]. 
 + 
 +==== Setting up the hardware clock ==== 
 + 
 +To make sure that your computer has the right time, you’ll have to set the time in your computer’s internal clock. Follow the instructions in [[en:​guide:​beginners#​hardware_clock|the beginner’s guide]] to do that. 
 + 
 +==== Setting up the kernel modules ==== 
 + 
 +Now we need to make sure that the kernel has all the modules that it needs to boot the operating system. To do this, we need to edit a file called <color #​620BB9/#​EEDDFF>​mkinitcpio.conf</​color>​. More information about this file can be found in the [[https://​wiki.archlinux.org/​index.php/​Mkinitcpio|Arch wiki]], but for the sake of this guide, you simply need to run the following command. 
 + 
 +<code bash> 
 +# nano /​etc/​mkinitcpio.conf 
 +</​code>​ 
 + 
 +There are several modifications that we need to make to the file: 
 + 
 +  - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​MODULES</​color>​ line to <color #​620BB9/#​EEDDFF>​i915</​color>​. 
 +    * This forces the driver to load earlier, so that the console font you selected earlier isn’t wiped out after getting to login. 
 +    * Be aware, when you add i915 into the uncommented modules line, that you remove these **" ​  "​** **before you add i915**, otherwise, it will not boot and will drop to a shell. ​ When you install with **full disk encryption**,​ this is a **requirement**. 
 +    * If you are using a **Macbook 2,1** you will also need to add <color #​620BB9/#​EEDDFF>​hid-generic</​color>,​ <color #​620BB9/#​EEDDFF>​hid</​color>,​ and <color #​620BB9/#​EEDDFF>​hid-apple</​color>​ inside the quotation marks, in order to have a working keyboard when asked to enter the LUKS password. Make sure to separate each module by one space. 
 +  - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​HOOKS</​color>​ line to the following: <code bash> 
 +# nano /​etc/​mkinitcpio.conf 
 + 
 +"base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"​ 
 +</​code>​ Here’s what each module does: 
 +    * <color #​620BB9/#​EEDDFF>​keymap</​color>​ adds to initramfs the keymap that you specified in <color #​0B71B9/#​DDF1FF>/​etc/​conf.d/​keymaps</​color>​ 
 +    * <color #​620BB9/#​EEDDFF>​consolefont</​color>​ adds to initramfs the font that you specified in <color #​0B71B9/#​DDF1FF>/​etc/​conf.d/​keymaps</​color>​ 
 +    * <color #​620BB9/#​EEDDFF>​lvm2</​color>​ adds LVM support to the initramfs - needed to mount the LVM partitions at boot time 
 +    * <color #​620BB9/#​EEDDFF>​shutdown</​color>​ is needed according to Arch wiki, for unmounting devices (such as LUKS/LVM) during shutdown 
 + 
 +After modifying the file and saving it, we need to update the kernel(s) with the new settings. 
 + 
 +We will also install the [[https://​www.hyperbola.info/​packages/?​q=grub|grub]] package, which we will need later, to make our modifications to the GRUB configuration file: 
 + 
 +<code bash> 
 +# pacman -S grub 
 +</​code>​ 
 + 
 +Then, we update both kernels like this, using the <color #​620BB9/#​EEDDFF>​mkinitcpio</​color>​ command: 
 + 
 +<code bash> 
 +# mkinitcpio -p linux-libre-lts 
 +</​code>​ 
 + 
 +==== Setting up the hostname ==== 
 + 
 +Now we need to set up the hostname for the system; this is so that our device can be identified by the network. Refer to the hostname section of the [[en:​guide:​beginners#​hostname|beginner’s guide]]. You can make the hostname anything you like; for example, if you wanted to choose the hostname <color #​620BB9/#​EEDDFF>​hyperbola</​color>,​ you would run the echo command, like this: 
 + 
 +<code bash> 
 +# echo hyperbola > /​etc/​hostname 
 +</​code>​ 
 + 
 +And then you would modify <color #​0B71B9/#​DDF1FF>/​etc/​hosts</​color>​ like this, adding the hostname to it: 
 + 
 +<code bash> 
 +# nano /​etc/​hosts 
 + 
 +#<​ip-address>​ <​hostname.domain.org> ​  <​hostname>​ 
 +127.0.0.1 ​              ​localhost.localdomain ​      ​localhost ​  ​hyperbola 
 +::1                            localhost.localdomain ​      ​localhost ​  ​hyperbola 
 +</​code>​ 
 + 
 +==== Configure the network ==== 
 + 
 +Now that we have a hostname, we need to configure the settings for the rest of the network, we suggest use [[https://​www.hyperbola.info/​packages/?​q=netifrc|netifrc]] to set up your wired/​wireless connection. ​ See the [[https://​wiki.gentoo.org/​wiki/​Handbook:​X86/​Full/​Networking|Gentoo Handbook]] which explains netifrc scripts in a high level of detail. 
 + 
 +==== Set the root password ==== 
 + 
 +The **root** account has control over all the files in the computer; for security, we want to protect it with a password. The password requirements given above, for the LUKS passphrase, apply here as well. You will set this password with the <color #​620BB9/#​EEDDFF>​passwd</​color>​ command: 
 + 
 +<code bash> 
 +# passwd 
 +</​code>​ 
 + 
 +==== Extra security tweaks ==== 
 + 
 +There are some final changes that we can make to the installation,​ to make it significantly more secure; these are based on the [[https://​wiki.archlinux.org/​index.php/​Security|security section]] of the Arch wiki. 
 + 
 +=== Key strengthening === 
 + 
 +We will want to open the configuration file for password settings, and increase the strength of our **root** password: 
 + 
 +<code bash> 
 +# nano /​etc/​pam.d/​passwd 
 +</​code>​ 
 + 
 +Add <color #​620BB9/#​EEDDFF>​rounds=65536</​color>​ at the end of the uncommented ‘password’ line; in simple terms, this will force an attacker to take more time with each password guess, mitigating the threat of brute force attacks. 
 + 
 +=== Restrict access to important directories === 
 + 
 +You can prevent any user, other than the root user, from accessing the most important directories in the system, using the <color #​620BB9/#​EEDDFF>​chmod</​color>​ command. 
 + 
 +<code bash> 
 +# chmod 700 /boot /​etc/​{iptables,​arptables} 
 +</​code>​ 
 + 
 +<​note>​ 
 +To learn more about <color #​620BB9/#​EEDDFF>​chmod</​color>,​ run: 
 + 
 +<code bash> 
 +~ man chmod 
 +</​code>​ 
 +</​note>​ 
 + 
 +=== Lockout user after three failed login attempts === 
 + 
 +We can also setup the system to lock a user’s account, after three failed login attempts. 
 + 
 +To do this, we will need to edit the file <color #​0B71B9/#​DDF1FF>/​etc/​pam.d/​system-login</​color>,​ and comment out this line: 
 + 
 +<​code>​ 
 +auth required pam\_tally.so onerr=succeed file=/​var/​log/​faillog*\ 
 +</​code>​ 
 + 
 +You could also just delete it. Above it, put the following line: 
 + 
 +<​code>​ 
 +auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed file=/​var/​log/​faillog 
 +</​code>​ 
 + 
 +This configuration will lock the user out for ten minutes. You can unlock a user’s account manually, using the **root** account, with this command: 
 + 
 +<code bash> 
 +# pam_tally --user *theusername* --reset 
 +</​code>​ 
 + 
 +==== Generate grub.cfg ==== 
 + 
 +Edit configuration in <color #​0B71B9/#​DDF1FF>/​etc/​default/​grub</​color>,​ remembering to use UUID when pointing to mbr/gpt partition. Use <color #​620BB9/#​EEDDFF>​blkid</​color>​ to get list of devices with their respective UUIDs. Next generate grub.cfg with: 
 + 
 +<code bash> 
 +# grub-mkconfig -o /​boot/​grub/​grub.cfg 
 +</​code>​ 
 + 
 +If you have separate <color #​0B71B9/#​DDF1FF>/​boot</​color>​ partition, don’t forget to add boot symlink inside that points to current directory:​ 
 + 
 +<code bash> 
 +# cd /boot 
 +</​code>​ 
 + 
 +<code bash> 
 +# ln -s . boot 
 +</​code>​ 
 + 
 +===== Unmount all partitions and reboot ===== 
 + 
 +Congratulations! You have finished the installation of Hyperbola GNU/​Linux-libre. Now it is time to reboot the system, but first, there are several preliminary steps: 
 + 
 +Exit from <color #​620BB9/#​EEDDFF>​chroot</​color>,​ using the <color #​620BB9/#​EEDDFF>​exit</​color>​ command: 
 + 
 +<code bash> 
 +# exit 
 +</​code>​ 
 + 
 +Unmount all of the partitions from <color #​0B71B9/#​DDF1FF>/​mnt</​color>,​ and “turn off” the swap volume: 
 + 
 +<code bash> 
 +# umount -R /mnt 
 +</​code>​ 
 + 
 +<code bash> 
 +# swapoff -a 
 +</​code>​ 
 + 
 +Deactivate the **rootvol** and **swapvol** logical volumes: 
 + 
 +<code bash> 
 +# lvchange -an /​dev/​matrix/​rootvol 
 +</​code>​ 
 + 
 +<code bash> 
 +# lvchange -an /​dev/​matrix/​swapvol 
 +</​code>​ 
 + 
 +Lock the encrypted partition (i.e., close it): 
 + 
 +<code bash> 
 +# cryptsetup luksClose lvm 
 +</​code>​ 
 + 
 +Shutdown the machine: 
 + 
 +<code bash> 
 +# openrc-shutdown -p now 
 +</​code>​ 
 + 
 +After the machine is off, remove the installation media, and turn it on. 
 + 
 +===== Booting the installation manually from GRUB ===== 
 + 
 +When you forget to configure or misconfigure grub on your hdd, you have to manually boot the system by entering a series of commands into the GRUB command line. 
 + 
 +After the computer starts, Press **C** to bring up the GRUB command line. Here are the commands: 
 + 
 +<code bash> 
 +grub> cryptomount -a 
 +grub> set root='​lvm/​matrix-rootvol'​ 
 +grub> linux /​boot/​vmlinuz-linux-libre-lts root=/​dev/​matrix/​rootvol cryptdevice=/​dev/​sda1:​root 
 +grub> initrd /​boot/​initramfs-linux-libre-lts.img 
 +grub> boot 
 +</​code>​ 
 + 
 +<note important>​ 
 +On machines with native sata, during boot a (faulty) optical disc drive (like dvd) can cause the cryptomount -a command to fail/hang, as well as the error: <code bash>​AHCI transfer timed out</​code>​ The workaround was to remove the DVD drive. 
 +</​note>​ 
 + 
 +===== Configure pacman ===== 
 + 
 +Edit <color #​0B71B9/#​DDF1FF>/​etc/​pacman.conf</​color>​ and configure pacman'​s options, also enabling the repositories you need. 
 + 
 +See [[https://​wiki.archlinux.org/​index.php/​Pacman|Pacman]] and [[en:​main:​Repositories]] for details. 
 + 
 +===== Update the system ===== 
 + 
 +At this point you should update your system. 
 + 
 +See [[https://​wiki.archlinux.org/​index.php/​Pacman#​Upgrading packages|Upgrading packages]] for instructions. 
 + 
 +===== Add an user ===== 
 + 
 +Finally, add a normal user as described in [[https://​wiki.archlinux.org/​index.php/​Users and Groups#User management|User management]]. 
 + 
 +===== Service management ===== 
 + 
 +Since Hyperbola [[https://​www.hyperbola.info/​news/​end-of-systemd-support/​|removed entire systemd support]], we suggest you read about [[https://​wiki.gentoo.org/​wiki/​OpenRC|OpenRC]] which is our main default init system. 
 + 
 +===== Conclusion ===== 
 + 
 +Your new **Hyperbola GNU/​Linux-libre** base system is now a **functional GNU/Linux environment**. 
 + 
 +===== Licensing ===== 
 + 
 +This wiki article is released under the [[https://​www.gnu.org/​copyleft/​fdl.html|GNU Free Documentation License 1.3]] with no invariant sections, no front cover texts, and no back cover texts. 
 + 
 +===== Acknowledgement ===== 
 + 
 +This wiki article is based on **[[https://​libreboot.org/​docs/​|Libreboot documentation]]**.
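Review bot: the two pam_tally lines under "Lockout user after three failed login attempts" are corrupted by Markdown-style escaping: `pam\_tally.so` and `unlock\_time` need to be `pam_tally.so` and `unlock_time`, and the trailing `*\` after `file=/var/log/faillog` on the first line is stray markup, so a reader who copies them into /etc/pam.d/system-login gets an invalid module line. The same section should also state which Linux-PAM version it targets, since pam_tally and pam_tally2 were removed in Linux-PAM 1.5.0 in favour of pam_faillock, and the `*theusername*` in the reset command should be an explicit placeholder such as `<username>`. Separately, "we update both kernels like this" in the kernel modules step is followed by `mkinitcpio -p linux-libre-lts` only; use `mkinitcpio -P` to regenerate every preset, or change the sentence to refer to the one kernel.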