path: root/docs/gnulinux/encrypted_parabola.md

# Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (including /boot)

---

[**Edit this Page**](https://libreboot.org/git.html#editing-the-website-and-documentation-wiki-style) -- [Back to Previous Index](https://libreboot.org/docs/gnulinux/)

1. [Minimum system requirements](#minumum_requirements) 
2. [Preparation](#preparation)
   * [Download the Parabola ISO](#download_iso)
   * [Choose Installation Device](#installation_device)
   * [Boot Parabola's Installation Environment](#boot_install_environment)
3. [Setting Up Keyboard Layout](#setting_keyboard_layout)
4. [Establish an Internet Connection](#establish_internet_connection) 
5. [Prepare the Storage Device for Installation](#prepare_device) 
   * [Wipe Storage Device](#wipe_device)
   * [Formatting the Storage Device](#format_device)
     * [Create LUKS Partition](#create_luks_partition)
     * [Create the Volume Group and Logical Volumes](#create_logical_volumes)
     * [Make the root and swap Partitions Ready for Installation](#make_root_and_swap)
     * [Create the /boot and /home Directories](#create_boot_and_home)
6. [Select a Mirror](#select_mirror)
7. [Install the Base System](#install_base_system)
8. [Generate an fstab](#generate_fstab)
9. [Chroot into and Configure the System](#chroot_and_configure)
   * [Setting up the Locale](#locale)
   * [Setting up the Consolefont and Keymap](#consolefont_keymap)
   * [Setting up the Time Zone](#time_zone)
   * [Setting up the Hardware Clock](#hardware_clock)
   * [Setting up the Kernel Modules](#kernel_modules)
   * [Setting up the Hostname](#set_up_hostname)
   * [Configure the Network](#configure_network)
   * [Set the root Password](#root_password)
   * [Extra Security Tweaks](#security_tweaks)
     * [Key Strengthening](#key_strengthening)
     * [Restrict Access to Important Directories](#restrict_directory_access)
     * [Lockout User After Three Failed Login Attempts](#lockout_user)
10. [Unmount All Partitions and Reboot](#unmount_reboot)
11. [Booting the New Installation, from GRUB](#grub_boot)
12. [Follow-Up Tutorial: Configuring Parabola](#follow_up)

This guide covers how to install Parabola GNU+Linux-Libre, with full disk encryption
(including the boot directory): **/boot**. On most systems, **/boot** has
to be left unencrypted, while the other partition(s) are encrypted.
This is so that GRUB (and therefore the kernel) can be loaded and executed,
because most firmware can’t open a LUKS volume; however, with libreboot,
GRUB is already included as a [payload](http://www.coreboot.org/Payloads#GRUB_2),
so even **/boot** can be encrypted; this protects **/boot** from tampering
by someone with physical access to the system.

>**NOTE: This guide is *only* for the GRUB payload.
>If you use the depthcharge payload, ignore this section entirely.**

This guide borrows heavily from the Parabola wiki, and will constantly link to it.
For those new to Parabola GNU+Linux-Libre, check their [Beginner section](https://wiki.parabola.nu/Beginners%27_guide#Beginners) for an overview.

---



## Minumum Requirements <a name="minumum_requirements"></a>
You can find the minimum requirements to run Parabola GNU+Linux [here](https://wiki.parabola.nu/Beginners%27_guide#Minimum_system_requirements).

---


## Preparation <a name="preparation"></a>

###Download the latest ISO <a name="download_iso"></a>
For this guide, I used the *2016.11.03* ISO; the most current image is available [here](https://wiki.parabola.nu/Get_Parabola#Main_live_ISO).

If you are a complete beginner with GNU+Linux, choose the *Mate Desktop ISO*.
it is easier to install Parabola with this version, because it allows you
access to a web browser, so you can copy and paste commands right into the terminal,
without worrying about typos.

>**NOTE: You should never blindly copy-and-paste any commands. In this guide,
>copying and pasting is to ensure that no errors are made when entering the commands,
>so that you don't effectively "brick" your installation, and have to start over.
>It's important to understand what each command does before you use it,
>so be sure to read the Parabola/Archi Wiki documentation on the command,
>as well as its** `man` **page.**

If you are not a beginner, choose the *Main Live ISO*.

Only choose the *TalkingParabola ISO*, if you are blind or visually impaired.

###Choose the Installation Device <a name="installation_device"></a>
Refer to the Parabola wiki, for finding and choosing the proper installation device,
whether you are using an [Optical Disk](https://wiki.parabola.nu/Beginners%27_guide#Optical_Disks),
or a [USB drive](https://wiki.parabola.nu/Beginners%27_guide#USB_flash_drive).

###Boot Parabola's Install Environment <a name="boot_install_environment"></a>
After downloading the ISO, and creating some kind of bootable media,
you will need to boot into the Live image. If you are unsure of how to do so,
see [How to boot a GNU+Linux installer](grub_boot_installer.md),
and move on to the next step; otherwise, just go to the next step.

Once booted into the environment, either open the **`MATE Terminal`** application 
(if using the MATE Desktop ISO), or simply just enter the commands listed below
(if using any of the other ISO's).

---

## Setting Up Keyboard Layout <a name="setting_keyboard_layout"></a>
To begin the installation, you must first select the proper [keyboard layout](https://wiki.parabola.nu/Beginners%27_guide#Changing_Keyboard).

---

## Establish an Internet Connection <a name="establish_internet_connection"></a>
You will also need to [set up a network connection](https://wiki.parabola.nu/Beginners%27_guide#Establish_an_internet_connection),
to install packages.

---

##Preparing the Storage Device for Installation <a name="prepare_device"></a>

You need to prepare the storage device that we will use to install the operating system.
You can use same [device name](https://wiki.parabola.nu/Beginners%27_guide#USB_flash_drive)
that you used earlier, to determine the installation device for the ISO.

###Wipe Storage Device <a name="wipe_device"></a>
You want to make sure that the device you're using doesn't contain any plaintext
copies of your personal data. If the drive is new, then you can skip the rest of this section;
if it's not new, then there are two ways to handle it:

1. If the drive were not previously encrypted, securely wipe it with the **`dd`** command;
you can either choose to fill it with zeroes or random data; I chose random data (e.g., **`urandom`**),
because it's more secure. Depending on the size of the drive, this could take a while to complete:

>>     # dd if=/dev/urandom of=/dev/sdX; sync

2. If the drive were previously encrypted, all you need to do is wipe the LUKS header.
The size of the header depends upon the specific model of the hard drive;
you can find this information by doing some research online.
Refer to this [article](https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/), for more information about LUKS headers.

>You can either fill the header with zeroes, or with random data;
>again, I chose random data, using **`urandom`**:

>>     # head -c 3145728 /dev/urandom > /dev/sdX; sync

Also, if you're using an SSD, there are a two things you should keep in mind:

-    There are issues with TRIM; it's not enabled by default through LUKS,
and there are security issues, if you do enable it. See [this page](https://wiki.archlinux.org/index.php/Dm-cryptSpecialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29) for more info.
-    Make sure to read [this article](https://wiki.archlinux.org/index.php/Solid_State_Drives),
for information on managing SSD's in Arch Linux (the information applies to Parabola, as well).

###Formatting the Storage Device <a name="format_device"></a>
Now that all the personal data has been deleted from the disk, it's time to format it.
We'll begin by creating a single, large partition on it, and then encrypting it using LUKS.
>####Create the LUKS partition <a name="create_luks_partition"></a>
>
>You will need the **`device-mapper`** kernel module during the installation;
>this will enable us to set up our encrypted disk. To load it, use the following command:
>
>>	 # modprobe dm-mod
>
>We then need to select the **device name** of the drive we're installing the operating system on;
>see the above method, if needed, for figuring out device names.

>Now that we have the name of the correct device, we need to create the partition on it.
>For this, we will use the **`cfdisk`** command:
>
>>	 # cfdisk /dev/sdX
>
>1. Use the arrow keys to select your partition, and if there is already a partition
>on the drive, select **Delete**, and then **New**.
>2. For the partition size, leave it as the default, which will be the entire drive.
>3. You will see an option for **Primary** or **Logical**; choose **Primary**,
>and make sure that the partition type is **Linux (83)**.
>4. Select **Write**; it will ask you if you are sure that you want to overwrite the drive.
>5. Type **yes**, and press enter. A message at the bottom will appear, telling you that
>the partition table has been altered.
>6. Select **Quit**, to return you to the main terminal.
>
>Now that you have created the partition, it's time to create the encrypted volume on it,
>using the **`cryptsetup`** command, like this:
>
>>     # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool \
>>     >--iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdXY
>
>These are just recommended defaults; if you want to use anything else,
>or to find out what options there are, run **`man cryptsetup`**.

>>**NOTE: the default iteration time is 2000ms (2 seconds),
>>if not specified when running the cryptsetup command. You should set a lower time than this;
>>otherwise, there will be an approximately 20-second delay when booting your
>>system. We recommend 500ms (0.5 seconds), and this is included in the
>>prepared** `cryptsetup` **command above. Keep in mind that the iteration time
>>is for security purposes (it mitigates brute force attacks), so anything lower
>>than 5 seconds is probably not very secure.**

>You will now be prompted to enter a passphrase; be sure to make it *secure*.
>For passphrase security, length is more important than complexity
>(e.g., **correct-horse-battery-staple** is more secure than **bf20$3Jhy3**), 
>but it's helpful to include several different types of characters 
>(e.g., uppercase/lowercase letters, numbers, special characters).
>The password length should be as long as you are able to remember,
>without having to write it down, or store it anywhere.

>Use of the [**diceware**](http://world.std.com/~reinhold/diceware.html) method
>is recommended, for generating secure passphrases (rather than passwords).

>####Create the Volume Group and Logical Volumes <a name="create_logical_volumes"></a>
>The next step is to create two Logical Volumes within the LUKS-encrypted partition:
>one will contain your main installation, and the other will contain your swap space.

>We will create this using, the [Logical Volume Manager (LVM)](https://wiki.archlinux.org/index.php/LVM).

>First, we need to open the LUKS partition, at **/dev/mapper/lvm**:

>>     # cryptsetup luksOpen /dev/sdXY lvm

>Then, we create LVM partition:

>>     # pvcreate /dev/mapper/lvm

>Check to make sure tha the partition was created:

>>     # pvdisplay

>Next, we create the volume group, inside of which the logical volumes will
>be created. For this example, we will call this group **matrix**. You can call
>yours whatever you would like; just make sure that you remember its name:

>>     # vgcreate matrix /dev/mapper/lvm

>Check to make sure that the group was created:

>>     # vgdisplay

>Lastly, we need to create the logical volumes themselves, inside the volume group;
>one will be our swap, cleverly named **swapvol**, and the other will be our root partition,
>equally cleverly named as **root**.

>1. We will create the **swapvol** first (again, choose your own name, if you like).
>Also, make sure to [choose an appropriate swap size](http://www.linux.com/news/software/applications/8208-all-about-linux-swap-space)
>(e.g., **2G** refers to two gigabytes; change this however you see fit):
>>          # lvcreate -L 2G matrix -n swapvol

>2. Now, we will create a single, large partition in the rest of the space, for **root**:
>>         # lvcreate -l +100%FREE matrix -n root

>You can also be flexible here, for example you can specify a **/boot**, a **/**,
>a **/home**, a **/var**, or a **/usr** volume. For example, if you will be running a
>web/mail server then you want **/var** (where logs are stored) in its own partition,
>so that if it fills up with logs, it won't crash your system.
>For a home/laptop system (typical use case), just a root and a swap will do.

>Verify that the logical volumes were created correctly:

>>     # lvdisplay

>####Make the root and swap Partitions Ready for Installation <a name="make_root_and_swap"></a>

>The last steps of setting up the drive for installation are turning **swapvol**
>into an active swap partition, and formatting **root**.

>To make **swapvol** into a swap partition, we run the **`mkswap`** (i.e., make swap) command:

>>    # mkswap /dev/mapper/matrix-swapvol

>Activate the **swapvol**, allowing it to now be used as swap,
>using **`swapon`** (i.e., turn swap on) command:

>>     # swapon /dev/matrix/swapvol

>Now I have to format **root**, to make it ready for installation;
>I do this with the **`mkfs`** (i.e., make file system) command.
>I choose the **ext4** filesystem, but you could use a different one,
>depending on your use case:

>>     # mkfs.ext4 /dev/mapper/matrix-root

>Lastly, I need to mount **root**. Fortunately, GNU+Linux has a directory
>for this very purpose: **/mnt**:

>>     # mount /dev/matrix/root /mnt

>####Create the /boot and /home Directories <a name="create_boot_and_home"></a>

>Now that you have mounted **root**, you need to create the two most important
>folders on it: **/boot** and **/home**; these folder contain your boot files,
>as well as each user's personal documents, videos, etc..

>Since you mounted **root** at **/mnt**, this is where you must create them;
>you will do so using **`mkdir`**:

>>     # mkdir -p /mnt/home
>>     # mkdir -p /mnt/boot

>You could also create two separate partitions for **/boot** and **/home**,
>but such a setup would be for advanced users, and is thus not covered in this guide.
>For more information on how to do this, refer to the Parabola/Arch wiki on [partitions](https://wiki.parabola.nu/Beginners%27_guide#Create_new_partition_table).

>The setup of the drive and partitions is now complete; it's time to actually install Parabola.

---

## Select a Mirror <a name="select_mirror"></a>
The first step of the actual installation is to choose the server from where
we will need to download the packages; for this, we will again refer to the [Parabola Wiki](https://wiki.parabola.nu/Beginners%27_guide#Select_a_mirror).
For beginners, I recommend that the edit the file using **`nano`** (a command-line text editor);
you can learn more about it [here](https://www.nano-editor.org/); for non-beginners,
simply edit it with your favorite text editor.

---

## Install the Base System <a name="install_base_system"></a>
We need to install the essential applications needed for your Parabola installation to run;
refer to [Install the Base System](https://wiki.parabola.nu/Beginners%27_guide#Install_the_base_system), on the Parabola wiki.

---

## Generate an fstab <a name="generate_fstab"></a>
The next step in the process is to generate a file known as an **fstab**;
the purpose of this file is for the operating system to identify the storage device
used by your installation. [Here](https://wiki.parabola.nu/Beginners%27_guide#Generate_an_fstab) are the instructions to generate that file.

---

##Chroot into and Configure the System <a name="chroot_and_configure"></a>
Now, you need to **`chroot`** into your new installation, to complete the setup
and installation process. **Chrooting** refers to changing the root directory
of an operating system  to a different one; in this instance, it means changing your root
directory to the one you created in the previous steps, so that you can modify files
and install software onto it, as if it were the host operating system.

To **`chroot`** into your installation, follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Chroot_and_configure_the_base_system).

###Setting up the Locale <a name="locale"></a>
Locale refers to the language that your operating system will use, as well as some
other considerations related to the region in which you live. To set this up,
follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Locale).

###Setting up the Consolefont and Keymap <a name="consolefont_keymap"></a>
This will determine the keyboard layout of your new installation; follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Console_font_and_keymap).

###Setting up the Time Zone <a name="time_zone"></a>
You'll need to set your current time zone in the operating system; this will enable applications
that require accurate time to work properly (e.g., the web browser).
To do this, follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Time_zone).

###Setting up the Hardware Clock <a name="hardware_clock"></a>
To make sure that your computer has the right time, you'll have to set the time in your computer's internal clock.
Follow the instructions [here](https://wiki.parabola.nu/Beginners%27_guide#Hardware_clock) to do that.

###Setting up the Kernel Modules <a name="kernel_modules"></a>
Now we need to make sure that the kernel has all the modules that it needs
to boot the operating system. To do this, we need to edit a file called **mkinitcpio.conf**.
More information about this file can be found [here](https://wiki.parabola.nu/Mkinitcpio),
but for the sake of this guide, you simply need to run the following command.

>     # nano /etc/mkinitcpio.conf

There are several modifications that we need to make to the file:

1.  Change the value of the uncommented **`MODULES`** line to **`i915`**.

    * This forces the driver to load earlier, so that the console font you selected earlier
      isn’t wiped out after getting to login.
    * If you are using a **Macbook 2,1** you will also need to add **`hid-generic`**,
      **`hid`**, and **`hid-apple`** inside the quotation marks, in order to have
      a working keyboard when asked to enter the LUKS password.
      Make sure to separate each module by one space.

2.  Change the value of the uncommented **`HOOKS`** line to the following:
    “**`base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown`**”;
    here's what each module does:

    * **`keymap`** adds to *initramfs* the keymap that you specified in **/etc/vconsole.conf**
    * **`consolefont`** adds to *initramfs* the font that you specified in **/etc/vconsole.conf**
    * **`encrypt`** adds LUKS support to the initramfs - needed to unlock your disks at boot time
    * **`lvm2`** adds LVM support to the initramfs - needed to mount the LVM partitions at boot time
    * **`shutdown`** is needed according to Parabola wiki, for unmounting devices (such as LUKS/LVM) during shutdown

After modifying the file and saving it, we need to update the kernel(s) with the new settings.
Before doing this, we want to install a Long-Term Support (LTS) kernel as a backup, in the event
that we encounter problems with the default Linux-Libre kernel (which is continually updated).

We will also install the **`grub`** package, which we will need later,
to make our modifications to the GRUB configuration file:

>     # pacman -S linux-libre-lts grub

Then, we update both kernels like this:

>     # mkinitcpio -p linux-libre

>     # mkinitcpio -p linux-libre-lts

###Setting up the Hostname <a name="set_up_hostname"></a>

Now we need to set up the hostname for the system; this is so that our device
can be identified by the network. Refer to [this section](https://wiki.parabola.nu/Beginners%27_guide#Hostname)
of the Parabola wiki's Beginner's Guide. You can make the hostname anything you like;
for example, if you wanted to choose the hostname **parabola**,
you would run the **`echo`** command, like this:

>    # echo parabola > /etc/hostname

And then you would modify **/etc/hosts** like this, adding the hostname to it:

>    # nano /etc/hosts

>     #<ip-address> <hostname.domain.org>   <hostname>
>     127.0.0.1     localhost.localdomain   localhost   parabola
>     ::1           localhost.localdomain   localhost   parabola

###Configure the Network <a name="configure_network"></a>

Now that we have a hostname, we need to configure the settings for the rest of the network.
Instructions for setting up a wired connection are [here](https://wiki.parabola.nu/Beginners%27_guide#Wired),
and instructions for setting up a wireless connection are [here](https://wiki.parabola.nu/Beginners%27_guide#Wireless_2).

###Set the root Password <a name="root_password"></a>
The **root** account has control over all the files in the computer; for security,
we want to protect it with a password. The password requirements given above,
for the LUKS passphrase, apply here as well. You will set this password with the **`passwd`** command:

>     # passwd

###Extra Security Tweaks <a name="security_tweaks"></a>

There are some final changes that we can make to the installation, to make it
significantly more secure; these are based on the [Security](https://wiki.archlinux.org/index.php/Securit) section of the Arch wiki.

>####Key Strengthening <a name="key_strengthening"></a>

>We will want to open the configuration file for password settings, and increase
>the strength of our **root** password:

>>    # nano /etc/pam.d/passwd

>Add **`rounds=65536`** at the end of the uncommented 'password' line; in simple terms,
>this will force an attacker to take more time with each password guess, mitigating
>the threat of brute force attacks.

>####Restrict Access to Important Directories <a name="restrict_directory_access"></a>

>You can prevent any user, other than the root user, from accessing the most important
>directories in the system, using the **`chmod`** command; to learn more about this command,
>run **`man chmod`**:

>>   # chmod 700 /boot /etc/{iptables,arptables}

>####Lockout User After Three Failed Login Attempts <a name="lockout_user"></a>

>We can also setup the system to lock a user's account, after three failed login attempts.

>To do this, we will need to edit the file **/etc/pam.d/system-login**,
>and comment out this line:

>>    auth required pam\_tally.so onerr=succeed file=/var/log/faillog*\

>You could also just delete it. Above it, put the following line:

>>    auth required pam\_tally.so deny=2 unlock\_time=600 onerr=succeed file=/var/log/faillog

>This configuration will lock the user out for ten minutes.
>You can unlock a user's account manually, using the **root** account, with this command:

>>    # pam_tally --user *theusername* --reset

---

##Unmount All Partitions and Reboot <a name="unmount_reboot"></a>

Congratulations! You have finished the installation of Parabola GNU+Linux-Libre.
Now it is time to reboot the system, but first, there are several preliminary steps:

Exit from **`chroot`**, using the **`exit`** command:

>    # exit

Unmount all of the partitions from **/mnt**, and "turn off" the swap volume:

>    # umount -R /mnt
>    # swapoff -a

Deactivate the **root** and **swapvol** logical volumes:

>    # lvchange -an /dev/matrix/root
>    # lvchange -an /dev/matrix/swapvol

Lock the encrypted partition (i.e., close it):

>    # cryptsetup luksClose lvm

Shutdown the machine:

>    # shutdown -h now

After the machine is off, remove the installation media, and turn it on.

---

##Booting the New Installation, from GRUB <a name="grub_boot"></a>

When starting your installation for the first time, you have to manually boot
the system by entering a series of commands into the GRUB command line.

After the computer starts, Press **C** to bring up the GRUB command line.
You can either boot the normal kernel, or the LTS kernel we installed;
here are the commands for the normal kernel:

>     grub> cryptomount -a
>     grub> set root='lvm/matrix-root'
>	  grub> linux /boot/vmlinuz-linux-libre root=/dev/matrix/root cryptdevice=/dev/sda1:root
>     grub> initrd /boot/initramfs-linux-libre.img
>     grub> boot

If you're trying to boot the LTS kernel, simply add **-lts** to the end
of each command that contains the kernel (e.g., **/boot/vmlinuz-linux-libre**
would be **/boot/vmlinuz/linux-libre-lts**).

**NOTE: on some Thinkpads, during boot, a faulty DVD drive can cause
the** `cryptomount -a` **command to fail, as well as the error** `AHCI transfer timed out`
**(when the Thinkpad X200 is connected to an UltraBase). For both issues,
the workaround was to remove the DVD drive (if using the UltraBase,
then the whole device must be removed).**

---

##Follow-Up Tutorial: Configuring Parabola <a name="follow_up"></a>

The next step of the setup process is to modify the configuration file that
GRUB uses, so that we don't have to manually type in those commands above, each time we want
to boot our system.

To make this process much easier, we need to install a graphical interface,
as well as install some other packages that will make the system more user-friendly.
These additions will also sharply reduce the probability of "bricking" our computer.

[Configuring Parabola (Post-Install)](configuring_parabola.md) provides an example setup, but don't feel
as if you must follow it verbatim (of course, you can, if you want to);
Parabola is user-centric and very customizable, which means that you have maximum control
of the system, and a near-limitless number of options for setting it up. For more information,
read [The Arch Way](https://wiki.archlinux.org/index.php/The_Arch_Way) (Parabola also follows it).

After setting up the graphical interface, refer to [How to Modify GRUB Configuration](grub_cbfs.md),
for instructions on doing just that, as well as flashing the ROM (if necessary).

---

Copyright © 2014, 2015, 2016 Leah Rowe <info@minifree.org>

Copyright © 2015 Jeroen Quint <jezza@diplomail.ch>

Copyright © 2017 Elijah Smith <esmith1412@posteo.net>

---

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License Version 1.3 or any later
version published by the Free Software Foundation
with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts.
A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)