Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
pt:manual:encrypted_installation [2020/04/26 04:23] i3_relativism Criação deste novo documento. |
pt:manual:encrypted_installation [2023/11/30 14:58] (current) throgh ↷ Links adapted because of a move operation |
||
---|---|---|---|
Line 1: | Line 1: | ||
... (WIP) | ... (WIP) | ||
+ | |||
+ | ====== Installing Hyperbola GNU/ | ||
+ | |||
+ | This guide covers how to install **Hyperbola GNU/ | ||
+ | |||
+ | <note important> | ||
+ | This guide is only for the GRUB payload. If you use the depth-charge payload, ignore this section entirely. | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | This guide has been used for those new to our system, check [[archive: | ||
+ | </ | ||
+ | |||
+ | ===== Minimum requirements ===== | ||
+ | |||
+ | You can find the minimum requirements to run **Hyperbola GNU/ | ||
+ | |||
+ | ===== Preparation ===== | ||
+ | |||
+ | ==== Download the live image ==== | ||
+ | |||
+ | For this guide we are using **Milky Way** version, the live image is available on [[en: | ||
+ | |||
+ | <note important> | ||
+ | You should never blindly copy-and-paste any commands. In this guide, copying and pasting is to ensure that no errors are made when entering the commands, so that you don’t effectively brick your installation, | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | Only choose [[en: | ||
+ | </ | ||
+ | |||
+ | ==== Choose the installation device ==== | ||
+ | |||
+ | Refer to the beginner' | ||
+ | |||
+ | ==== Boot Hyperbola’s install environment ==== | ||
+ | |||
+ | After downloading the ISO, and creating some kind of bootable media, you will need to boot into the live image. If you are unsure of how to do so, see [[archive: | ||
+ | |||
+ | ===== Setting up keyboard layout ===== | ||
+ | |||
+ | To begin the installation, | ||
+ | |||
+ | ===== Establish an internet connection ===== | ||
+ | |||
+ | You will also need to [[https:// | ||
+ | |||
+ | ===== Preparing the storage device for installation ===== | ||
+ | |||
+ | You need to prepare the storage device that we will use to install the operating system. You can use same [[archive: | ||
+ | |||
+ | ==== Wipe storage device ==== | ||
+ | |||
+ | You want to make sure that the device you’re using doesn’t contain any plaintext copies of your personal data. If the drive is new, then you can skip the rest of this section; if it’s not new, then there are two ways to handle it: | ||
+ | |||
+ | - If the drive were not previously encrypted, securely wipe it with the dd command; you can either choose to fill it with zeroes or random data; I chose random data (e.g., <color # | ||
+ | - If the drive were previously encrypted, all you need to do is wipe the LUKS header. The size of the header depends upon the specific model of the hard drive; you can find this information by doing some research online. Refer to this [[https:// | ||
+ | |||
+ | Also, if you’re using an SSD, there are a two things you should keep in mind: | ||
+ | |||
+ | * There are issues with TRIM; it’s not enabled by default through LUKS, and there are security issues, if you do enable it. See [[https:// | ||
+ | * Make sure to read [[https:// | ||
+ | |||
+ | ==== Formatting the storage device ==== | ||
+ | |||
+ | Now that all the personal data has been deleted from the disk, it’s time to format it. We’ll begin by creating a single, large partition on it, and then encrypting it using LUKS. | ||
+ | |||
+ | === Create the LUKS partition === | ||
+ | |||
+ | You will need the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # modprobe dm-mod | ||
+ | </ | ||
+ | |||
+ | We then need to select the **device name** of the drive we’re installing the operating system on; see the above method, if needed, for figuring out device names. | ||
+ | |||
+ | Now that we have the name of the correct device, we need to create the partition on it. For this, we will use the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # cfdisk /dev/sdX | ||
+ | </ | ||
+ | |||
+ | - Use the arrow keys to select your partition, and if there is already a partition on the drive, select **Delete**, and then **New**. | ||
+ | - For the partition size, leave it as the default, which will be the entire drive. | ||
+ | - You will see an option for **Primary** or **Logical**; | ||
+ | - Select **Write**; it will ask you if you are sure that you want to overwrite the drive. | ||
+ | - Type **yes**, and press enter. A message at the bottom will appear, telling you that the partition table has been altered. | ||
+ | - Select **Quit**, to return you to the main terminal. | ||
+ | |||
+ | Now that you have created the partition, it’s time to create the encrypted volume on it, using the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY | ||
+ | </ | ||
+ | |||
+ | |||
+ | These are just recommended defaults; if you want to use anything else, or to find out what options there are, run <color # | ||
+ | |||
+ | <note important> | ||
+ | The default iteration time is 2000ms (2 seconds), if not specified when running the cryptsetup command. You should set a lower time than this; otherwise, there will be an approximately 20-second delay when booting your system. We recommend 500ms (0.5 seconds), and this is included in the prepared cryptsetup command above. Keep in mind that the iteration time is for security purposes (it mitigates brute force attacks), so anything lower than 5 seconds is probably not very secure. | ||
+ | </ | ||
+ | |||
+ | You will now be prompted to enter a passphrase; be sure to make it secure. For passphrase security, length is more important than complexity (e.g., **correct-horse-battery-staple** is more secure than **bf20$3Jhy3**), | ||
+ | |||
+ | Use of the [[http:// | ||
+ | |||
+ | === Create the volume group and logical volumes === | ||
+ | |||
+ | The next step is to create two logical volumes within the LUKS-encrypted partition: one will contain your main installation, | ||
+ | |||
+ | We will create this using, the [[https:// | ||
+ | |||
+ | First, we need to open the LUKS partition, at <color # | ||
+ | |||
+ | <code bash> | ||
+ | # cryptsetup luksOpen /dev/sdXY lvm | ||
+ | </ | ||
+ | |||
+ | Then, we create LVM partition: | ||
+ | |||
+ | <code bash> | ||
+ | # pvcreate / | ||
+ | </ | ||
+ | |||
+ | Check to make sure that the partition was created: | ||
+ | |||
+ | <code bash> | ||
+ | # pvdisplay | ||
+ | </ | ||
+ | |||
+ | Next, we create the volume group, inside of which the logical volumes will be created. For this example, we will call this group **matrix**. You can call yours whatever you would like; just make sure that you remember its name: | ||
+ | |||
+ | <code bash> | ||
+ | # vgcreate matrix / | ||
+ | </ | ||
+ | |||
+ | Check to make sure that the group was created: | ||
+ | |||
+ | <code bash> | ||
+ | # vgdisplay | ||
+ | </ | ||
+ | |||
+ | Lastly, we need to create the logical volumes themselves, inside the volume group; one will be our swap, cleverly named **swapvol**, | ||
+ | |||
+ | - We will create the **swapvol** first (again, choose your own name, if you like). Also, make sure to [[http:// | ||
+ | - Now, we will create a single, large partition in the rest of the space, for **rootvol**:< | ||
+ | |||
+ | You can also be flexible here, for example you can specify a <color # | ||
+ | |||
+ | Verify that the logical volumes were created correctly: | ||
+ | |||
+ | <code bash> | ||
+ | # lvdisplay | ||
+ | </ | ||
+ | |||
+ | === Make the rootvol and swapvol partitions ready for installation === | ||
+ | |||
+ | The last steps of setting up the drive for installation are turning **swapvol** into an active swap partition, and formatting **rootvol**. | ||
+ | |||
+ | To make **swapvol** into a swap partition, we run the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # mkswap / | ||
+ | </ | ||
+ | |||
+ | Activate the **swapvol**, | ||
+ | |||
+ | <code bash> | ||
+ | # swapon / | ||
+ | </ | ||
+ | |||
+ | Now we have to format **rootvol**, | ||
+ | |||
+ | <code bash> | ||
+ | # mkfs.ext4 / | ||
+ | </ | ||
+ | |||
+ | Lastly, We need to mount **rootvol**. Fortunately, | ||
+ | |||
+ | <code bash> | ||
+ | # mount / | ||
+ | </ | ||
+ | |||
+ | === Create the /boot and /home directories === | ||
+ | |||
+ | Now that you have mounted **rootvol**, | ||
+ | |||
+ | Since you mounted **rootvol** at <color # | ||
+ | |||
+ | <code bash> | ||
+ | # mkdir -p /mnt/home | ||
+ | </ | ||
+ | |||
+ | <code bash> | ||
+ | # mkdir -p /mnt/boot | ||
+ | </ | ||
+ | |||
+ | You could also create two separate partitions for <color # | ||
+ | |||
+ | The setup of the drive and partitions is now complete; it’s time to actually install Hyperbola. | ||
+ | |||
+ | ===== Install the base system ===== | ||
+ | |||
+ | We need to install the essential applications needed for your Hyperbola installation to run; refer to [[archive: | ||
+ | |||
+ | ===== Generate an fstab ===== | ||
+ | |||
+ | The next step in the process is to generate a file known as an <color # | ||
+ | |||
+ | ===== Chroot into and configure the system ===== | ||
+ | |||
+ | Now, you need to <color # | ||
+ | |||
+ | To chroot into your installation, | ||
+ | |||
+ | ==== Setting up the locale ==== | ||
+ | |||
+ | Locale refers to the language that your operating system will use, as well as some other considerations related to the region in which you live. To set this up, follow the instructions in [[archive: | ||
+ | |||
+ | ==== Setting up the consolefont and keymap ==== | ||
+ | |||
+ | This will determine the keyboard layout of your new installation; | ||
+ | |||
+ | ==== Setting up the time zone ==== | ||
+ | |||
+ | You’ll need to set your current time zone in the operating system; this will enable applications that require accurate time to work properly (e.g., the web browser). To do this, follow the instructions [[archive: | ||
+ | |||
+ | ==== Setting up the hardware clock ==== | ||
+ | |||
+ | To make sure that your computer has the right time, you’ll have to set the time in your computer’s internal clock. Follow the instructions in [[archive: | ||
+ | |||
+ | ==== Setting up the kernel modules ==== | ||
+ | |||
+ | Now we need to make sure that the kernel has all the modules that it needs to boot the operating system. To do this, we need to edit a file called <color # | ||
+ | |||
+ | <code bash> | ||
+ | # nano / | ||
+ | </ | ||
+ | |||
+ | There are several modifications that we need to make to the file: | ||
+ | |||
+ | - Change the value of the uncommented <color # | ||
+ | * This forces the driver to load earlier, so that the console font you selected earlier isn’t wiped out after getting to login. | ||
+ | * If you are using a **Macbook 2,1** you will also need to add <color # | ||
+ | - Change the value of the uncommented <color # | ||
+ | # nano / | ||
+ | |||
+ | "base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" | ||
+ | </ | ||
+ | * <color # | ||
+ | * <color # | ||
+ | * <color # | ||
+ | * <color # | ||
+ | |||
+ | After modifying the file and saving it, we need to update the kernel(s) with the new settings. | ||
+ | |||
+ | We will also install the [[https:// | ||
+ | |||
+ | <code bash> | ||
+ | # pacman -S grub | ||
+ | </ | ||
+ | |||
+ | Then, we update both kernels like this, using the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # mkinitcpio -p linux-libre-lts | ||
+ | </ | ||
+ | |||
+ | ==== Setting up the hostname ==== | ||
+ | |||
+ | Now we need to set up the hostname for the system; this is so that our device can be identified by the network. Refer to the hostname section of the [[archive: | ||
+ | |||
+ | <code bash> | ||
+ | # echo hyperbola > / | ||
+ | </ | ||
+ | |||
+ | And then you would modify <color # | ||
+ | |||
+ | <code bash> | ||
+ | # nano /etc/hosts | ||
+ | |||
+ | #< | ||
+ | 127.0.0.1 | ||
+ | ::1 localhost.localdomain | ||
+ | </ | ||
+ | |||
+ | ==== Configure the network ==== | ||
+ | |||
+ | Now that we have a hostname, we need to configure the settings for the rest of the network, we suggest use [[https:// | ||
+ | |||
+ | ==== Set the root password ==== | ||
+ | |||
+ | The **root** account has control over all the files in the computer; for security, we want to protect it with a password. The password requirements given above, for the LUKS passphrase, apply here as well. You will set this password with the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # passwd | ||
+ | </ | ||
+ | |||
+ | ==== Extra security tweaks ==== | ||
+ | |||
+ | There are some final changes that we can make to the installation, | ||
+ | |||
+ | === Key strengthening === | ||
+ | |||
+ | We will want to open the configuration file for password settings, and increase the strength of our **root** password: | ||
+ | |||
+ | <code bash> | ||
+ | # nano / | ||
+ | </ | ||
+ | |||
+ | Add <color # | ||
+ | |||
+ | === Restrict access to important directories === | ||
+ | |||
+ | You can prevent any user, other than the root user, from accessing the most important directories in the system, using the <color # | ||
+ | |||
+ | <code bash> | ||
+ | # chmod 700 /boot / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | To learn more about <color # | ||
+ | |||
+ | <code bash> | ||
+ | ~ man chmod | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | === Lockout user after three failed login attempts === | ||
+ | |||
+ | We can also setup the system to lock a user’s account, after three failed login attempts. | ||
+ | |||
+ | To do this, we will need to edit the file <color # | ||
+ | |||
+ | < | ||
+ | auth required pam\_tally.so onerr=succeed file=/ | ||
+ | </ | ||
+ | |||
+ | You could also just delete it. Above it, put the following line: | ||
+ | |||
+ | < | ||
+ | auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed file=/ | ||
+ | </ | ||
+ | |||
+ | This configuration will lock the user out for ten minutes. You can unlock a user’s account manually, using the **root** account, with this command: | ||
+ | |||
+ | <code bash> | ||
+ | # pam_tally --user *theusername* --reset | ||
+ | </ | ||
+ | |||
+ | ==== Generate grub.cfg ==== | ||
+ | |||
+ | Edit configuration in <color # | ||
+ | |||
+ | <code bash> | ||
+ | # grub-mkconfig -o / | ||
+ | </ | ||
+ | |||
+ | If you have separate <color # | ||
+ | |||
+ | <code bash> | ||
+ | # cd /boot | ||
+ | </ | ||
+ | |||
+ | <code bash> | ||
+ | # ln -s . boot | ||
+ | </ | ||
+ | |||
+ | ===== Unmount all partitions and reboot ===== | ||
+ | |||
+ | Congratulations! You have finished the installation of Hyperbola GNU/ | ||
+ | |||
+ | Exit from <color # | ||
+ | |||
+ | <code bash> | ||
+ | # exit | ||
+ | </ | ||
+ | |||
+ | Unmount all of the partitions from <color # | ||
+ | |||
+ | <code bash> | ||
+ | # umount -R /mnt | ||
+ | </ | ||
+ | |||
+ | <code bash> | ||
+ | # swapoff -a | ||
+ | </ | ||
+ | |||
+ | Deactivate the **rootvol** and **swapvol** logical volumes: | ||
+ | |||
+ | <code bash> | ||
+ | # lvchange -an / | ||
+ | </ | ||
+ | |||
+ | <code bash> | ||
+ | # lvchange -an / | ||
+ | </ | ||
+ | |||
+ | Lock the encrypted partition (i.e., close it): | ||
+ | |||
+ | <code bash> | ||
+ | # cryptsetup luksClose lvm | ||
+ | </ | ||
+ | |||
+ | Shutdown the machine: | ||
+ | |||
+ | <code bash> | ||
+ | # openrc-shutdown -p now | ||
+ | </ | ||
+ | |||
+ | After the machine is off, remove the installation media, and turn it on. | ||
+ | |||
+ | ===== Booting the installation manually from GRUB ===== | ||
+ | |||
+ | When you forget to configure or misconfigure grub on your hdd, you have to manually boot the system by entering a series of commands into the GRUB command line. | ||
+ | |||
+ | After the computer starts, Press **C** to bring up the GRUB command line. Here are the commands: | ||
+ | |||
+ | <code bash> | ||
+ | grub> cryptomount -a | ||
+ | grub> set root=' | ||
+ | grub> linux / | ||
+ | grub> initrd / | ||
+ | grub> boot | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | On machines with native sata, during boot a (faulty) optical disc drive (like dvd) can cause the cryptomount -a command to fail/hang, as well as the error: <code bash> | ||
+ | </ | ||
+ | |||
+ | ===== Configure pacman ===== | ||
+ | |||
+ | Edit <color # | ||
+ | |||
+ | See [[https:// | ||
+ | |||
+ | ===== Update the system ===== | ||
+ | |||
+ | At this point you should update your system. | ||
+ | |||
+ | See [[https:// | ||
+ | |||
+ | ===== Add an user ===== | ||
+ | |||
+ | Finally, add a normal user as described in [[https:// | ||
+ | |||
+ | ===== Service management ===== | ||
+ | |||
+ | Since Hyperbola [[https:// | ||
+ | |||
+ | ===== Conclusion ===== | ||
+ | |||
+ | Your new **Hyperbola GNU/ | ||
+ | |||
+ | ===== Licensing ===== | ||
+ | |||
+ | This wiki article is released under the [[https:// | ||
+ | |||
+ | ===== Acknowledgement ===== | ||
+ | |||
+ | This wiki article is based on **[[https:// |