14 KiB
title: Installing Trisquel GNU+Linux with Full-Disk Encryption (including /boot) x-toc enable: true ...
TODO: this guide needs to be updated based on the latest Trisquel 9.0 release.
This guide is written for the Trisquel 7.0 (Belenos) GNU+Linux distribution, but it should also work for Trisquel 6.0 (Toutatis).
Do not precisely follow this guide for Trisquel 9.0. There are a lot of steps
needed after the installation, especially if you're using btrfs for your
file system. If you're using the ext4 file system, this guide will probably
just work for Trisquel 9. TODO: update this guide!
Gigabyte GA-G41M-ES2L
To boot the Trisquel net installer, make sure to specify fb=false on the linux kernel parameters in GRUB. This will boot the installer in text mode instead of using a framebuffer.
Boot the Installation Media
Boot your operating system, with the installation media. If you don't know how to do so, refer to How to Prepare and Boot a USB Installer in Libreboot Systems.
When the Trisquel GRUB screen appears, select the Install Trisquel in Text Mode option.
Select a Language
The first part of the installation is to select your system's language; I chose English.
Select Your Location
You will need to select your location; I choose United States.
Configure the Keyboard
You need to select the right layout for your keyboard; if you want to installer to do it automatically, choose Yes, and it will ask you whether or not a series of keys are present on your keyboard. Simply choose Yes or No, accordingly.
If you don't want the installer to automatically detect your keyboard layout, choose No, and simply select it from a list.
Configure the Network
Choose the Network Inteface
You will need to select the network interface to be used for the installation. If you have an ethernet (i.e., wired) connection, choose etho0; otherwise, choose wlan0 (for wireless).
If you choose wlan0, enter the passphrase that corresponds to your wireless network's WPA/WPA2 key (Your wireless network should have a password, and no modern router should be using the WEP protocol).
Choose Your Hostname
You will need to choose a hostname for the system, which identifies your computer to the network; it can be anything, but it must only consist of numbers, uppercase and lowercase letters, and dashes -.
Choose a Mirror of the Trisquel Archive
Choose the server from where you will download the Trisquel packages needed for the installation. The choices are separated by country; simply select the one that is closest to where you are.
After you select the country, you will be taken to a list of different individual servers. If there is more than one option, choose the one that is closest to you; otherwise, select whichever one is available.
The last step of setting up the network will be entering an HTTP proxy (if you need one to access the network). If you have one, type it here; otherwise, press Tab, and then choose Continue (using the arrow keys).
Loading Additional Components
Now the installer needs to download some more packages, to continue the installation. Depending on your network bandwidth, this could take up to a few minutes to complete.
Set Up Users and Passwords
Enter the full name of the user here. You can use your real name, or just a pseudonym; then, choose Continue.
Then it will ask you to enter a username. Pick whatever you like, and enter it here. Select Continue.
Choose a passphrase (better than a password). The diceware method is highly recommended for coming up with one.
I recommend combining the diceware method with something personal about yourself. An example of this would be to choose four words from the diceware list, and then come up with a fifth "word" (i.e., a combination of characters that is unique to you, like some name plus a number/special character); this combination dramatically increases the security of a diceware passphrase (i.e., even if someone had the entire diceware word list, they couldn't figure out your passphrase through brute force).
NOTE: This would be difficult for a person to do, even if you only used words from the list.
For example, say that your cat's name is Max, and he is three years old; you could do something like this:
diceware_word_1 diceware_word_2 diceware_word_3 diceware_word_4 Max=3old
This has a large degree of randomness (due to the usage of the diceware method), and also contains a unique piece of personal information that someone would need to know you, in order to guess; it's a very potent combination.
After entering this password twice, choose Continue.
It will now ask you if you want to encrypt your home directory. Remember, this is NOT to be confused with encrypting your entire disk (the purpose of this guide); it will just be the files that reside in ~, and it uses a different encryption protocol (ecryptfs). If you want to encrypt your home directory here, choose Yes; however, since we are going to encrypt the entire installation, that would not only be redundant, but it would also add a noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and NOT recommended. Choose No.
Configure the Clock
The installer will try to auto-detect your time zone; if it chooses correctly, select Yes; otherwise, choose No, and it will prompt you to select the correct one.
Partition Disks
Now it's time to partition the disk; you will be shown several options; choose Manual partitioning.
-
Use the arrow keys to select the drive (look for a matching size and manufacturer name in the description), and press
Enter. It will ask you if you want to create a new, empty partition table on the device; chooseYes. -
Your drive will now show as having a single partition, labeled
#1; select it (it will sayFREE SPACEbeside it), and pressEnter. -
Choose
Create a new partition. By default, the partition size will be the whole drive; leave it as-is, and selectContinue. -
When it asks for partition type, go with
Primary; you'll be taken to a screen with a list of information about your new partition; make sure to fill out each field as follows (using the up and down arrows to navigate, andEnterto modify an option):-
Use as:
physical volume for encryption -
Encryption method:
Device-mapper (dm-crypt) -
Encryption:
aes -
key size:
256 -
IV algorithm:
xts-plain64 -
Encryption key:
passphrase -
Erase data:
YesFor the
Erase datafield, only chooseNo, if this is either a new drive that doesn't have any of your plaintext data, or else if it previously had full-disk encryption.
-
-
Choose
Done setting up the partition. It will take you back to the main partitioning menu. -
Choose
Configure encrypted volumes; the installer will ask if you want to write the changes to disk, and configure the encrypted volumes; chooseYes. -
Select
Create encrypted volumes. -
Select your partition with the arrow keys (pressing
Spacebarwill make an*appear between the brackets; that's how you know it's been selected). PressTab, and chooseContinue. -
Select
Finish. You will be asked if you really want to erase the drive; chooseYes(Erase will take a long time, so be patient. If your old system were encrypted, just let this run for about a minute, and then chooseCancel; this will make sure that the LUKS header is completely wiped out). -
Now you need to enter a passphrase for encrypting the entire disk. Make sure that this is different from your user password that you created earlier, but still use the diceware method to create it. You will have to enter the password twice; afterwards, you will be returned to the main partitioning menu.
-
You will now see your encrypted device at the top of the device list. It will begin with something like this:
Encrypted volume (sdXY_crypt). Choose the partition labeled#1. -
Change the value of
Use astophysical volume for LVM. Then chooseDone setting up the partition; you will be taken back to the main partitioning menu. -
Choose
Configure the Logical Volume Manager. You will be asked if you want toKeep current partition layout and configure LVM; chooseYes. -
Choose
Create volume group. You will have to enter a name for the group; use matrix. Select the encrypted partition as the device (by pressingSpacebar, which will make an*appear between the brackets; that's how you know it's been selected). PressTab, and chooseContinue. -
Choose
Create logical volume. Select the volume group you created in the previous step (i.e., matrix), and name it rootvol; make the size the entire drive minus 2048 MB (for the swap space). PressEnter. -
Choose
Create logical volumeagain, and select matrix. Name this one swap, and make the size the default value (it should be about 2048MB). PressEnter, and then chooseFinish. -
Now you are back at the main partitioning screen. You will simply set the mount points and filesystems to use for each partition you just created. Under
LVM VG matrix, LV rootvol, select the first partition:#1. Change the values in this section to reflect the following; then chooseDone setting up partition:- use as:
ext4 - mount point:
/
- use as:
-
Under
LVM VG matrix, LV swap, select the first partition:#1. Change the value ofuse astoswap area. ChooseDone setting up partition. -
Finally, when back at the main partitioning screen, choose
Finish partitioning and write changes to disk. It will ask you to verify that you want to do this; chooseYes.
Installing the Base System
The hardest part of the installation is done; the installer will now download and install the packages necessary for your system to boot/run. The rest of the process will be mostly automated, but there will be a few things that you have to do yourself.
Choose a Kernel
It will ask you which kernel you want to use; choose linux-generic.
NOTE: After installation, if you want the most up-to-date version of the Linux kernel (Trisquel's kernel is sometimes outdated, even in the testing distro), you might consider using this repository instead. These kernels are also deblobbed, like Trisquel's (meaning there are no binary blobs present).
Update Policy
You have to select a policy for installing security updates; I recommend that you choose Install security updates automatically, but you can choose not to, if you prefer.
Choose a Desktop Environment
When prompted to choose a desktop environment, use the arrow keys to navigate the choices, and press Spacebar to choose an option; here are some guidelines:
- If you want GNOME, choose Trisquel Desktop Environment
- If you want LDXE, choose Trisquel-mini Desktop Environment
- If you want KDE, choose Triskel Desktop Environment
You might also want to choose some of the other package groups (or none of them, if you want a basic shell); it's up to you. Once you've chosen the option you want, press Tab, and then choose Continue.
Install the GRUB boot loader to the master boot record
The installer will ask you if you want to install the GRUB bootloader to the master boot record; choose Yes. While you do not need to install GRUB bootloader, since in Libreboot, you are using the GRUB payload on the ROM to boot your syste, you still need to install grub package (preferably grub-coreboot) and generate distro's grub.cfg with grub-mkconfig.
The next window will prompt you to enter a Device for boot loader installation. Leave the line blank; press Tab, and choose Continue.
System Clock
The installer will ask if your system clock is set to UTC; choose Yes.
Finishing the Installation
The installer will now give you a message that the installation is complete. Choose Continue, remove the installation media, and the system will automatically reboot.
Booting your system manually
At this point, you will have finished the installation. To boot system manually, at your GRUB boot screen, press C to get to the command line, and enter the following commands at the grub> prompt:
grub> cryptomount -a
grub> set root='lvm/matrix-rootvol'
grub> linux /vmlinuz root=/dev/mapper/matrix-rootvol \
>cryptdevice=/dev/mapper/matrix-rootvol:root
grub> initrd /initrd.img
grub> boot
Without specifying a device, cryptomount's -a parameter tries to unlock all detected LUKS volumes (i.e., any LUKS-encrypted device that is connected to the system). You can also specify -u (for a UUID). Once logged into the operating system, you can find the UUID by using the blkid command:
sudo blkid
ecryptfs
If you didn't encrypt your home directory, then you can safely ignore this section; if you did choose to encrypt it, then after you log in, you'll need to run this command:
sudo ecryptfs-unwrap-passphrase
This will be needed in the future, if you ever need to recover your home directory from another system. Write it down, or (preferably) store it using a password manager (I recommend keepass,keepasX, or keepassXC).
Modify grub.cfg (CBFS)
As the last step of the proccess you can modify your grub.cfg file (in the firmware), and flash the new configuration, using this tutorial; this is so you can make your GRUB configuration much more secure, by following this guide. This step is entirely optional, libreboot supports FDE scheme without any changes to its grub.cfg.
Troubleshooting
During boot, some Thinkpads have a faulty DVD drive, which can cause the cryptomount -a command to fail, as well as the error AHCI transfer timed out (when the Thinkpad X200 is connected to an UltraBase). For both issues, the workaround was to remove the DVD drive (if using the UltraBase, then the whole device must be removed).
Copyright © 2014, 2015 Leah Rowe info@minifree.org
Copyright © 2017 Elijah Smith esmith1412@posteo.net
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. A copy of this license is found in ../fdl-1.3.md