Differences

This shows you the differences between two versions of the page.

en:guide:encrypted_installation [2017/11/17 13:34]
emulatorman
en:guide:encrypted_installation [2022/01/26 00:00] (current)
emulatorman
Line 91: Line 91:
  
 <code bash> <code bash>
-# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool ​+# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY
->--iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY+
 </​code>​ </​code>​
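Review bot: folding the command back onto one line fixes a copy-paste trap in the old revision (its second line began with the `>` continuation prompt, which a reader pasting both lines would have sent to the shell as text), but two of the options now visible on that line need a caveat in the prose. `--iter-time 500` caps the PBKDF2 benchmark at half a second, below cryptsetup's default of one to two seconds depending on version, which makes each offline passphrase guess correspondingly cheaper; either drop the flag or say explicitly that unlock speed is being traded for weaker key stretching. The command also never pins `--type`, while the manual-boot section added later in this revision unlocks the container from GRUB with `cryptomount`, which only opens LUKS1 headers (and, from GRUB 2.06, LUKS2 headers that use PBKDF2 rather than argon2); on a cryptsetup that defaults to LUKS2 (2.1 and later) the result will not boot, so suggest adding `--type luks1` and one sentence explaining why. Lastly, `--hash whirlpool` depends on a libgcrypt without the pre-1.6.0 whirlpool implementation bug (cryptsetup carries `whirlpool_gcryptbug` only to open headers made with the broken one); keeping the default (sha256 on current cryptsetup) avoids that portability trap at no cost, since the hash here only feeds key derivation and the header checksum.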
  
Line 243: Line 242:
   - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​MODULES</​color>​ line to <color #​620BB9/#​EEDDFF>​i915</​color>​.   - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​MODULES</​color>​ line to <color #​620BB9/#​EEDDFF>​i915</​color>​.
     * This forces the driver to load earlier, so that the console font you selected earlier isn’t wiped out after getting to login.     * This forces the driver to load earlier, so that the console font you selected earlier isn’t wiped out after getting to login.
 +    * Be aware, when you add i915 into the uncommented modules line, that you remove these **" ​  "​** **before you add i915**, otherwise, it will not boot and will drop to a shell. ​ When you install with **full disk encryption**,​ this is a **requirement**.
     * If you are using a **Macbook 2,1** you will also need to add <color #​620BB9/#​EEDDFF>​hid-generic</​color>,​ <color #​620BB9/#​EEDDFF>​hid</​color>,​ and <color #​620BB9/#​EEDDFF>​hid-apple</​color>​ inside the quotation marks, in order to have a working keyboard when asked to enter the LUKS password. Make sure to separate each module by one space.     * If you are using a **Macbook 2,1** you will also need to add <color #​620BB9/#​EEDDFF>​hid-generic</​color>,​ <color #​620BB9/#​EEDDFF>​hid</​color>,​ and <color #​620BB9/#​EEDDFF>​hid-apple</​color>​ inside the quotation marks, in order to have a working keyboard when asked to enter the LUKS password. Make sure to separate each module by one space.
   - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​HOOKS</​color>​ line to the following: <code bash>   - Change the value of the uncommented <color #​620BB9/#​EEDDFF>​HOOKS</​color>​ line to the following: <code bash>
 # nano /​etc/​mkinitcpio.conf # nano /​etc/​mkinitcpio.conf
  
-base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown+"base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"
 </​code>​ Here’s what each module does: </​code>​ Here’s what each module does:
     * <color #​620BB9/#​EEDDFF>​keymap</​color>​ adds to initramfs the keymap that you specified in <color #​0B71B9/#​DDF1FF>/​etc/​conf.d/​keymaps</​color>​     * <color #​620BB9/#​EEDDFF>​keymap</​color>​ adds to initramfs the keymap that you specified in <color #​0B71B9/#​DDF1FF>/​etc/​conf.d/​keymaps</​color>​
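Review bot: the new bullet about removing the `"  "` before adding `i915` contradicts the bullet right below it, which tells the Macbook reader to add `hid-generic`, `hid` and `hid-apple` "inside the quotation marks", and it is wrong for that multi-module case: `/etc/mkinitcpio.conf` is sourced as shell, so `MODULES=i915 hid-generic hid hid-apple` without quotes is parsed as running a command named `hid-generic` with `MODULES=i915` in its environment, and the modules never land in the initramfs. Suggest rewording to "replace the empty `MODULES=""` with `MODULES="i915"` (add further modules inside the same quotes, separated by spaces; on mkinitcpio releases that use the array syntax, `MODULES=(i915)`)", and replacing "it will not boot and will drop to a shell" with the symptom the reader should actually recognise, since a missing `i915` only delays the driver and a shell drop at boot normally means the `encrypt` hook could not find or unlock the root device. The quoting added to the HOOKS line is correct and should be the model for the MODULES bullet; the hook order `keyboard keymap consolefont encrypt lvm2 filesystems` is also right, because `keyboard` and `keymap` have to precede `encrypt` for the passphrase prompt to accept input.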
Line 270: Line 270:
 ==== Setting up the hostname ==== ==== Setting up the hostname ====
  
-Now we need to set up the hostname for the system; this is so that our device can be identified by the network. Refer to the hostname section of the [[en:​guide:​beginners#​hostname|beginner’s guide]]. You can make the hostname anything you like; for example, if you wanted to choose the <color #​620BB9/#​EEDDFF>​hostname ​hyperbola</​color>,​ you would run the echo command, like this:+Now we need to set up the hostname for the system; this is so that our device can be identified by the network. Refer to the hostname section of the [[en:​guide:​beginners#​hostname|beginner’s guide]]. You can make the hostname anything you like; for example, if you wanted to choose the hostname ​<color #​620BB9/#​EEDDFF>​hyperbola</​color>,​ you would run the echo command, like this:
  
 <code bash> <code bash>
Line 285: Line 285:
 ::1                            localhost.localdomain ​      ​localhost ​  ​hyperbola ::1                            localhost.localdomain ​      ​localhost ​  ​hyperbola
 </​code>​ </​code>​
 +
 +==== Configure the network ====
 +
 +Now that we have a hostname, we need to configure the settings for the rest of the network, we suggest use [[https://​www.hyperbola.info/​packages/?​q=netifrc|netifrc]] to set up your wired/​wireless connection. ​ See the [[https://​wiki.gentoo.org/​wiki/​Handbook:​X86/​Full/​Networking|Gentoo Handbook]] which explains netifrc scripts in a high level of detail.
 +
 +==== Set the root password ====
 +
 +The **root** account has control over all the files in the computer; for security, we want to protect it with a password. The password requirements given above, for the LUKS passphrase, apply here as well. You will set this password with the <color #​620BB9/#​EEDDFF>​passwd</​color>​ command:
 +
 +<code bash>
 +# passwd
 +</​code>​
 +
 +==== Extra security tweaks ====
 +
 +There are some final changes that we can make to the installation,​ to make it significantly more secure; these are based on the [[https://​wiki.archlinux.org/​index.php/​Security|security section]] of the Arch wiki.
 +
 +=== Key strengthening ===
 +
 +We will want to open the configuration file for password settings, and increase the strength of our **root** password:
 +
 +<code bash>
 +# nano /​etc/​pam.d/​passwd
 +</​code>​
 +
 +Add <color #​620BB9/#​EEDDFF>​rounds=65536</​color>​ at the end of the uncommented ‘password’ line; in simple terms, this will force an attacker to take more time with each password guess, mitigating the threat of brute force attacks.
 +
 +=== Restrict access to important directories ===
 +
 +You can prevent any user, other than the root user, from accessing the most important directories in the system, using the <color #​620BB9/#​EEDDFF>​chmod</​color>​ command.
 +
 +<code bash>
 +# chmod 700 /boot /​etc/​{iptables,​arptables}
 +</​code>​
 +
 +<​note>​
 +To learn more about <color #​620BB9/#​EEDDFF>​chmod</​color>,​ run:
 +
 +<code bash>
 +~ man chmod
 +</​code>​
 +</​note>​
 +
 +=== Lockout user after three failed login attempts ===
 +
 +We can also setup the system to lock a user’s account, after three failed login attempts.
 +
 +To do this, we will need to edit the file <color #​0B71B9/#​DDF1FF>/​etc/​pam.d/​system-login</​color>,​ and comment out this line:
 +
 +<​code>​
 +auth required pam\_tally.so onerr=succeed file=/​var/​log/​faillog*\
 +</​code>​
 +
 +You could also just delete it. Above it, put the following line:
 +
 +<​code>​
 +auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed file=/​var/​log/​faillog
 +</​code>​
 +
 +This configuration will lock the user out for ten minutes. You can unlock a user’s account manually, using the **root** account, with this command:
 +
 +<code bash>
 +# pam_tally --user *theusername* --reset
 +</​code>​
 +
 +==== Generate grub.cfg ====
 +
 +Edit configuration in <color #​0B71B9/#​DDF1FF>/​etc/​default/​grub</​color>,​ remembering to use UUID when pointing to mbr/gpt partition. Use <color #​620BB9/#​EEDDFF>​blkid</​color>​ to get list of devices with their respective UUIDs. Next generate grub.cfg with:
 +
 +<code bash>
 +# grub-mkconfig -o /​boot/​grub/​grub.cfg
 +</​code>​
 +
 +If you have separate <color #​0B71B9/#​DDF1FF>/​boot</​color>​ partition, don’t forget to add boot symlink inside that points to current directory:
 +
 +<code bash>
 +# cd /boot
 +</​code>​
 +
 +<code bash>
 +# ln -s . boot
 +</​code>​
 +
 +===== Unmount all partitions and reboot =====
 +
 +Congratulations! You have finished the installation of Hyperbola GNU/​Linux-libre. Now it is time to reboot the system, but first, there are several preliminary steps:
 +
 +Exit from <color #​620BB9/#​EEDDFF>​chroot</​color>,​ using the <color #​620BB9/#​EEDDFF>​exit</​color>​ command:
 +
 +<code bash>
 +# exit
 +</​code>​
 +
 +Unmount all of the partitions from <color #​0B71B9/#​DDF1FF>/​mnt</​color>,​ and “turn off” the swap volume:
 +
 +<code bash>
 +# umount -R /mnt
 +</​code>​
 +
 +<code bash>
 +# swapoff -a
 +</​code>​
 +
 +Deactivate the **rootvol** and **swapvol** logical volumes:
 +
 +<code bash>
 +# lvchange -an /​dev/​matrix/​rootvol
 +</​code>​
 +
 +<code bash>
 +# lvchange -an /​dev/​matrix/​swapvol
 +</​code>​
 +
 +Lock the encrypted partition (i.e., close it):
 +
 +<code bash>
 +# cryptsetup luksClose lvm
 +</​code>​
 +
 +Shutdown the machine:
 +
 +<code bash>
 +# openrc-shutdown -p now
 +</​code>​
 +
 +After the machine is off, remove the installation media, and turn it on.
 +
 +===== Booting the installation manually from GRUB =====
 +
 +When you forget to configure or misconfigure grub on your hdd, you have to manually boot the system by entering a series of commands into the GRUB command line.
 +
 +After the computer starts, Press **C** to bring up the GRUB command line. Here are the commands:
 +
 +<code bash>
 +grub> cryptomount -a
 +grub> set root='​lvm/​matrix-rootvol'​
 +grub> linux /​boot/​vmlinuz-linux-libre-lts root=/​dev/​matrix/​rootvol cryptdevice=/​dev/​sda1:​root
 +grub> initrd /​boot/​initramfs-linux-libre-lts.img
 +grub> boot
 +</​code>​
 +
 +<note important>​
 +On machines with native sata, during boot a (faulty) optical disc drive (like dvd) can cause the cryptomount -a command to fail/hang, as well as the error: <code bash>​AHCI transfer timed out</​code>​ The workaround was to remove the DVD drive.
 +</​note>​
 +
 +===== Configure pacman =====
 +
 +Edit <color #​0B71B9/#​DDF1FF>/​etc/​pacman.conf</​color>​ and configure pacman'​s options, also enabling the repositories you need.
 +
 +See [[https://​wiki.archlinux.org/​index.php/​Pacman|Pacman]] and [[en:​main:​Repositories]] for details.
 +
 +===== Update the system =====
 +
 +At this point you should update your system.
 +
 +See [[https://​wiki.archlinux.org/​index.php/​Pacman#​Upgrading packages|Upgrading packages]] for instructions.
 +
 +===== Add an user =====
 +
 +Finally, add a normal user as described in [[https://​wiki.archlinux.org/​index.php/​Users and Groups#User management|User management]].
 +
 +===== Service management =====
 +
 +Since Hyperbola [[https://​www.hyperbola.info/​news/​end-of-systemd-support/​|removed entire systemd support]], we suggest you read about [[https://​wiki.gentoo.org/​wiki/​OpenRC|OpenRC]] which is our main default init system.
 +
 +===== Conclusion =====
 +
 +Your new **Hyperbola GNU/​Linux-libre** base system is now a **functional GNU/Linux environment**.
 +
 +===== Licensing =====
 +
 +This wiki article is released under the [[https://​www.gnu.org/​copyleft/​fdl.html|GNU Free Documentation License 1.3]] with no invariant sections, no front cover texts, and no back cover texts.
 +
 +===== Acknowledgement =====
 +
 +This wiki article is based on **[[https://​libreboot.org/​docs/​|Libreboot documentation]]**.
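Review bot: the section order defeats the key-strengthening step: "Set the root password" runs `passwd` before "Key strengthening" adds `rounds=65536` to `/etc/pam.d/passwd`, and `rounds=` (a `pam_unix.so` option that only applies when that line already selects `sha512` or `sha256`) affects hashes computed after it is in place, so the root hash set a few paragraphs earlier keeps the default round count; either move the `passwd` section below the PAM edit or end the PAM edit with "now run `passwd` again". The lockout snippet carries markup residue that will not load as written: `pam\_tally.so`, `unlock\_time` and the trailing `*\` on the commented-out line should read `pam_tally.so`, `unlock_time` and `file=/var/log/faillog`, and the unlock command should be `pam_tally --user theusername --reset` without the emphasis asterisks; Linux-PAM 1.5.0 also removed `pam_tally` and `pam_tally2` in favour of `pam_faillock`, so a revision dated 2022 should state which PAM Hyperbola ships or give the `pam_faillock` equivalent, and "comment out this line ... You could also just delete it. Above it, put" reads oddly once the line is gone.

The "Generate grub.cfg" section is too thin for the layout the rest of the page assumes: the manual-boot commands (`cryptomount -a`, `set root='lvm/matrix-rootvol'`) show `/boot` living inside the LUKS container, which only works when `/etc/default/grub` sets `GRUB_ENABLE_CRYPTODISK=y` and `GRUB_CMDLINE_LINUX` carries `cryptdevice=UUID=...:lvm root=/dev/matrix/rootvol`, none of which the text names; the manual example then undercuts the "use UUID" advice with `cryptdevice=/dev/sda1:root`, and its mapper name `root` differs from the `lvm` used by `cryptsetup luksClose lvm` further up (harmless at boot, since LVM scans for the `matrix` group whatever the mapping is called, but confusing for a reader checking their work). The `ln -s . boot` step deserves a sentence saying why it exists (so that the `/boot/vmlinuz-...` paths used in the manual-boot section still resolve when the partition root is `/`). Smaller points: `~ man chmod` uses a prompt that appears nowhere else on the page (`#` and `$` do), and `chmod 700 /boot` only takes effect because `/boot` here sits on the encrypted ext filesystem; a reader who instead puts `/boot` on a FAT EFI partition cannot change its mode with `chmod` and should be told so.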