aboutsummaryrefslogtreecommitdiff
path: root/docs/gnulinux/encrypted_debian.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/gnulinux/encrypted_debian.html')
-rw-r--r--docs/gnulinux/encrypted_debian.html495
1 files changed, 0 insertions, 495 deletions
diff --git a/docs/gnulinux/encrypted_debian.html b/docs/gnulinux/encrypted_debian.html
deleted file mode 100644
index 1201d4ce..00000000
--- a/docs/gnulinux/encrypted_debian.html
+++ /dev/null
@@ -1,495 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width, initial-scale=1">
-
- <style type="text/css">
- @import url('../css/main.css');
- </style>
-
- <title>Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot)</title>
-</head>
-
-<body>
- <div class="section">
- <h1>Installing Debian or Devuan GNU+Linux with full disk encryption (including /boot)</h1>
- <p>
- This guide is written for the Debian distribution, but it should
- also work for Devuan with the net installer.
- </p>
- <p>
- Libreboot on x86 uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and its GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
- </p>
-
- <p>
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the system.
- </p>
- <p>
- This guide is written for Debian net installer. You can download the ISO from the homepage on
- <a href="https://www.debian.org/">debian.org</a>.
- Use this on the GRUB terminal to boot it from USB (for 64-bit Intel or AMD):<br/>
- <strong>
- set root='usb0'<br/>
- linux /install.amd/vmlinuz<br/>
- initrd /install.amd/initrd.gz<br/>
- boot<br/>
- </strong>
- If you are on a 32-bit system (e.g. X60):<br/>
- <strong>
- set root='usb0'<br/>
- linux /install.386/vmlinuz<br/>
- initrd /install.386/initrd.gz<br/>
- boot
- </strong>
- </p>
- <p>
- <a href="grub_boot_installer.html">This guide</a> shows how to
- create a boot USB drive with the Debian ISO image.
- </p>
- <p>
- <b>This guide is *only* for the GRUB payload. If you use the depthcharge payload, ignore this section entirely.</b>
- </p>
-
-
- <p>
- Note: on some thinkpads, a faulty DVD drive can cause the cryptomount -a step during boot to fail. If this happens to you, try removing the drive.
- </p>
- <p><a href="./">Back to previous index</a></p>
- </div>
-
- <div class="section">
-
- <p>
- Set a strong user password (lots of lowercase/uppercase, numbers and symbols).
- </p>
-
- <p>
- Use of the <i>diceware method</i> is recommended, for generating secure passphrases (instead of passwords).
- </p>
-
- <p>
- when the installer asks you to set up
- encryption (ecryptfs) for your home directory, select 'Yes' if you want to: <b>LUKS is already secure and performs well. Having ecryptfs on top of it
- will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended.
- Choose 'no'.</b>
- </p>
-
- <p>
- <b>
- Your user password should be different from the LUKS password which you will set later on.
- Your LUKS password should, like the user password, be secure.
- </b>
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>Partitioning</h1>
-
- <p>Choose 'Manual' partitioning:</p>
- <ul>
- <li>Select drive and create new partition table</li>
- <li>
- Single large partition. The following are mostly defaults:
- <ul>
- <li>Use as: physical volume for encryption</li>
- <li>Encryption: aes</li>
- <li>key size: whatever default is given to you</li>
- <li>IV algorithm: whatever default is given to you</li>
- <li>Encryption key: passphrase</li> (<i>diceware method</i> recommended for choosing password)
- <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li>
- </ul>
- </li>
- <li>
- Select 'configure encrypted volumes'
- <ul>
- <li>Create encrypted volumes</li>
- <li>Select your partition</li>
- <li>Finish</li>
- <li>Really erase: Yes</li>
- <li>(erase will take a long time. be patient)</li>
- <li>(if your old system was encrypted, just let this run for about a minute to
- make sure that the LUKS header is wiped out)</li>
- </ul>
- </li>
- <li>
- Select encrypted space:
- <ul>
- <li>use as: physical volume for LVM</li>
- <li>Choose 'done setting up the partition'</li>
- </ul>
- </li>
- <li>
- Configure the logical volume manager:
- <ul>
- <li>Keep settings: Yes</li>
- </ul>
- </li>
- <li>
- Create volume group:
- <ul>
- <li>Name: <b>matrix</b> (use this exact name)</li>
- <li>Select crypto partition</li>
- </ul>
- </li>
- <li>
- Create logical volume
- <ul>
- <li>select <b>matrix</b> (use this exact name)</li>
- <li>name: <b>rootvol</b> (use this exact name)</li>
- <li>size: default, minus 2048 MB</li>
- </ul>
- </li>
- <li>
- Create logical volume
- <ul>
- <li>select <b>matrix</b> (use this exact name)</li>
- <li>name: <b>swap</b> (user this exact name)</li>
- <li>size: press enter</li>
- </ul>
- </li>
- </ul>
-
- </div>
-
- <div class="section">
-
- <h1>Further partitioning</h1>
-
- <p>
- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
- </p>
- <ul>
- <li>
- LVM LV rootvol
- <ul>
- <li>use as: btrfs</li>
- <li>mount point: /</li>
- <li>done setting up partition</li>
- </ul>
- </li>
- <li>
- LVM LV swap
- <ul>
- <li>use as: swap area</li>
- <li>done setting up partition</li>
- </ul>
- </li>
- <li>Now you select 'Finished partitioning and write changes to disk'.</li>
- </ul>
-
- </div>
-
- <div class="section">
-
- <h1>Kernel</h1>
-
- <p>
- Installation will ask what kernel you want to use. linux-generic is fine.
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>Tasksel</h1>
-
- <p>
- For Debian, use the <em>MATE</em> option, or one of the others if you want.
- The libreboot project recommends MATE, unless you're saavy enough to choose something
- else.
- </p>
- <p>
- If you want debian-testing, then you should only select barebones options here
- and change the entries in /etc/apt/sources.list after install to point to the new distro,
- and then run <strong>apt-get update</strong> and <strong>apt-get dist-upgrade</strong>
- as root, then reboot and run <b>tasksel</b> as root. This is to avoid downloading large
- packages twice.
- </p>
- <p>
- NOTE: If you want the latest up to date version of the Linux kernel,
- Debian's kernel is sometimes outdated, even in the testing distro.
- You might consider using <a href="https://jxself.org/linux-libre/">this repository</a>
- instead, which contains the most up to date versions of the Linux kernel.
- These kernels are also deblobbed, like Debian's kernels, so you can
- be sure that no binary blobs are present.
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>Postfix configuration</h1>
-
- <p>
- If asked, choose <i>&quot;No Configuration&quot;</i> here (or maybe you want to select something else. It's up to you.)
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>Install the GRUB boot loader to the master boot record</h1>
-
- <p>
- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
- You could also choose 'No'. Choice is irrelevant here.
- </p>
-
- <p>
- <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i>
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>Clock UTC</h1>
-
- <p>
- Just say 'Yes'.
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>
- Booting your system
- </h1>
-
- <p>
- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
- </p>
-
- <p>
- Do that:<br/>
- grub&gt; <b>cryptomount -a</b><br/>
- grub&gt; <b>set root='lvm/matrix-rootvol'</b><br/>
- grub&gt; <b>linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root</b><br/>
- grub&gt; <b>initrd /initrd.img</b><br/>
- grub&gt; <b>boot</b>
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>
- ecryptfs
- </h1>
-
- <p>
- If you didn't encrypt your home directory, then you can safely ignore this section.
- </p>
-
- <p>
- Immediately after logging in, do that:<br/>
- $ <b>sudo ecryptfs-unwrap-passphrase</b>
- </p>
-
- <p>
- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
- somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
- </p>
-
- </div>
-
- <div class="section">
-
- <h1>
- Modify grub.cfg (CBFS)
- </h1>
-
- <p>
- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
- </p>
-
- <p>
- Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>;
- just change the default menu entry 'Load Operating System' to say this inside:
- </p>
-
- <p>
- <b>cryptomount -a</b><br/>
- <b>set root='lvm/matrix-rootvol'</b><br/>
- <b>linux /vmlinuz root=/dev/mapper/matrix-rootvol cryptdevice=/dev/mapper/matrix-rootvol:root</b><br/>
- <b>initrd /initrd.img</b>
- </p>
-
- <p>
- Without specifying a device, the <i>-a</i> parameter tries to unlock all detected LUKS volumes.
- You can also specify -u UUID or -a (device).
- </p>
-
- <p>
- <a href="grub_hardening.html">Refer to this guide</a> for further guidance
- on hardening your GRUB configuration, for security purposes.
- </p>
-
- <p>
- Flash the modified ROM
- using <a href="../install/#flashrom">this tutorial</a>.
- </p>
-
- </div>
-
- <div class="section">
-
- <h1 id="troubleshooting">Troubleshooting</h1>
-
- <p>
- A user reported issues when booting with a docking station attached
- on an X200, when decrypting the disk in GRUB. The error
- <i>AHCI transfer timed out</i> was observed. The workaround
- was to remove the docking station.
- </p>
-
- <p>
- Further investigation revealed that it was the DVD drive causing problems.
- Removing that worked around the issue.
- </p>
-
-<pre>
-
-&quot;sudo wodim -prcap&quot; shows information about the drive:
-Device was not specified. Trying to find an appropriate drive...
-Detected CD-R drive: /dev/sr0
-Using /dev/cdrom of unknown capabilities
-Device type : Removable CD-ROM
-Version : 5
-Response Format: 2
-Capabilities :
-Vendor_info : 'HL-DT-ST'
-Identification : 'DVDRAM GU10N '
-Revision : 'MX05'
-Device seems to be: Generic mmc2 DVD-R/DVD-RW.
-
-Drive capabilities, per MMC-3 page 2A:
-
- Does read CD-R media
- Does write CD-R media
- Does read CD-RW media
- Does write CD-RW media
- Does read DVD-ROM media
- Does read DVD-R media
- Does write DVD-R media
- Does read DVD-RAM media
- Does write DVD-RAM media
- Does support test writing
-
- Does read Mode 2 Form 1 blocks
- Does read Mode 2 Form 2 blocks
- Does read digital audio blocks
- Does restart non-streamed digital audio reads accurately
- Does support Buffer-Underrun-Free recording
- Does read multi-session CDs
- Does read fixed-packet CD media using Method 2
- Does not read CD bar code
- Does not read R-W subcode information
- Does read raw P-W subcode data from lead in
- Does return CD media catalog number
- Does return CD ISRC information
- Does support C2 error pointers
- Does not deliver composite A/V data
-
- Does play audio CDs
- Number of volume control levels: 256
- Does support individual volume control setting for each channel
- Does support independent mute setting for each channel
- Does not support digital output on port 1
- Does not support digital output on port 2
-
- Loading mechanism type: tray
- Does support ejection of CD via START/STOP command
- Does not lock media on power up via prevent jumper
- Does allow media to be locked in the drive via PREVENT/ALLOW command
- Is not currently in a media-locked state
- Does not support changing side of disk
- Does not have load-empty-slot-in-changer feature
- Does not support Individual Disk Present feature
-
- Maximum read speed: 4234 kB/s (CD 24x, DVD 3x)
- Current read speed: 4234 kB/s (CD 24x, DVD 3x)
- Maximum write speed: 4234 kB/s (CD 24x, DVD 3x)
- Current write speed: 4234 kB/s (CD 24x, DVD 3x)
- Rotational control selected: CLV/PCAV
- Buffer size in KB: 1024
- Copy management revision supported: 1
- Number of supported write speeds: 4
- Write speed # 0: 4234 kB/s CLV/PCAV (CD 24x, DVD 3x)
- Write speed # 1: 2822 kB/s CLV/PCAV (CD 16x, DVD 2x)
- Write speed # 2: 1764 kB/s CLV/PCAV (CD 10x, DVD 1x)
- Write speed # 3: 706 kB/s CLV/PCAV (CD 4x, DVD 0x)
-
-Supported CD-RW media types according to MMC-4 feature 0x37:
- Does write multi speed CD-RW media
- Does write high speed CD-RW media
- Does write ultra high speed CD-RW media
- Does not write ultra high speed+ CD-RW media
-
-</pre>
-
- </div>
-
- <div class="section">
-
- <p>
- Copyright &copy; 2014, 2015, 2016 Leah Rowe &lt;info@minifree.org&gt;<br/>
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license
- or any later version published by Creative Commons;
-
- A copy of the license can be found at <a href="../cc-by-sa-4.0.txt">../cc-by-sa-4.0.txt</a>
- </p>
-
- <p>
- Updated versions of the license (when available) can be found at
- <a href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">https://creativecommons.org/licenses/by-sa/4.0/legalcode</a>
- </p>
-
- <p>
- UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
- </p>
- <p>
- TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
- </p>
- <p>
- The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
- </p>
-
- </div>
-
-</body>
-</html>
generated by cgit v1.2.3-70-g09d2 (git 2.49.0) at 2025-04-01 02:13:45 +0000