How simple/complex is your installation process?

hack and hack
Joined: 04/02/2015

Mine is (to me) complicated, and takes a lot of time.
Ideally, I want to automate as much as I can to make it simpler at least.

I choose full disk encryption (I don't know if swap is covered, so I might need dmdecrypt or something. Yet another thing to check).
Because other partial encryptions are just that, partial. Might as well not bother with those.
This in itself is long and complicated. I need an additional unencrypted /boot folder, and make GRUB point at it. For the rest, I use Libreboot's guide (which includes swap, so I shouldn't need dm-decrypt in theory). I also need to not make a root user, create a username+passphrase, an encryption passphrase, and maybe I forget one.

Then I choose to encrypt /boot, because either I encrypt everything, or I don't. I want to try this, but that's another set of complex manipulations: http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/

But that would be fine without taking backups into account, like here and here (rather hard to understand):
http://linuxgazette.net/140/kapil.html
https://debian-administration.org/article/692/Look_before_you_leap_into_Disk_Encryption

Then I might want to update the kernel, which seems straightforward. But that's yet another step. Not vital, but not too long.

The more extreme aspect would be to compile one with grsecurity.
The less complicated aspect would be to set up apparmor and firejail for every app.

I could try an additional bit for not having to type the decryption passphrase twice (again, not easy even to understand): http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/

And then there is the easier/fun part about installing software, which might need a couple of tweaks.

Maybe after a month I can finish my install...

Else I can neither encrypt nor back up anything and live dangerously, but have my system running in half an hour.

I might want to set up a VM, just to run a browser with javascript when needed (maybe Firejail/apparmor is enough for this).

So grsecurity aside, full disk encryption including /boot+backups seems essential to me, yet very hard and long to do.

How do you do it (if you do it), and is there another way (scripts maybe)?

It's really a lot of hard work and time, but maybe I'm doing something wrong.

Legimet
Joined: 12/10/2013

I don't make a separate boot partition while installing. Instead, I make a root partition, home partition, and swap partition on an encrypted LVM. When the installer tries to install GRUB, it fails. Then I switch to a tty to add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub, after which the GRUB installation can be tried again and should succeed.

The Pavel Kogan link just puts a keyfile in your initramfs so that after GRUB loads the kernel, the kernel will use the keyfile so that you don't have to enter your password twice.

hack and hack
Joined: 04/02/2015

Why do you make a /home partition by hand since one is automatically made when only setting root and swap? Oh, wait, partition and not folder, right? That way all your user data is in there and maybe is easier to back up? But what advantage is there over just the classic home/user folder?

So right after you get a failure message, you switch to a tty? I'll try that. If I can make this work, it's a huge time saver, thanks for the tip!

The Pavel Kogan link still gives me a headache though, but it's non-vital stuff, I'll take my time and try to make it work.

EDIT:
It didn't work for me: right after failing to install GRUB on /dev/sda (or anywhere else), I switch to a tty, press enter to activate the console (ash), and cd to /etc/default/, but inside, there's only cryptdisks and keyboard.
No GRUB (after all it failed to be installed, so I'm half surprised only).
How did you do it exactly?
I also find no home folder (maybe just not installed at this stage yet), and no vi to modify files.

These guys did it right: https://bugs.mageia.org/show_bug.cgi?id=14741
I'll refrain from venting off against the useless complexity of all this as much as I can, but this is so frustrating... So much time wasted on BS.

EDIT:
Never mind, it seems nano is the default, and that the system files are in the /target folder.
Now I just have to try AGAIN, and maybe this time it will work...
I'm trying Debian btw.

Ok, I made it work (painfully). Thanks again for the tip Legimet.
Next step is to make this grub parameter a default one in Debian, so Trisquel would benefit from it too.
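
The edit described in this exchange, as an added example that is not part of any post: a POSIX shell function that sets GRUB_ENABLE_CRYPTODISK=y without duplicating the line when the step is repeated. The function name is hypothetical; in the installer's shell the file is /target/etc/default/grub, as found above, and the GRUB installation is retried afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): set GRUB_ENABLE_CRYPTODISK=y idempotently.
# enable_cryptodisk is a hypothetical helper name.
enable_cryptodisk() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Already enabled: leave the file untouched so a retry changes nothing.
    if grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$file"; then
        return 0
    fi
    if grep -q '^#\{0,1\}[[:space:]]*GRUB_ENABLE_CRYPTODISK=' "$file"; then
        # A commented-out or differently valued setting exists: rewrite it.
        sed 's/^#\{0,1\}[[:space:]]*GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' \
            "$file" > "$file.new" &&
            cat "$file.new" > "$file" &&   # cat keeps the original file's mode
            rm -f "$file.new"
    else
        # No such setting yet: append it.
        printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' >> "$file"
    fi
}

# Demo on a constructed file; inside the Debian installer the real path is
# /target/etc/default/grub.
demo=$(mktemp)
printf '%s\n' 'GRUB_DEFAULT=0' '#GRUB_ENABLE_CRYPTODISK=n' > "$demo"
enable_cryptodisk "$demo" && cat "$demo"
rm -f "$demo"
```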

Magic Banana
Joined: 07/24/2010

On the "part about installing software", GNUbahn and I recently wrote https://trisquel.info/en/wiki/cloning-system-or-how-make-copy-installed-packages-one-computer-another

I personally only encrypt /home: one box to click in Trisquel's installer. Interesting things (in the worst case passwords) might be found in my swap if my computer is stolen. Out of curiosity, I have just 'grep'ped my password... and found it. :-S

SuperTramp83
Joined: 10/31/2014

A few months ago I encrypted /home and /swap. You can very easily encrypt your swap partition, Magique.

The performance hit (due to encryption) on my 2004 potato is barely noticeable.

Hack: FDE means the swap partition will be included (encrypted) AFAIK.

Magic Banana
Joined: 07/24/2010

How about writing a manual you would link in https://trisquel.info/en/wiki/setup ?

SuperTramp83
Joined: 10/31/2014

Sure :)

edit: heh, I just checked before creating the new page and found this link, which is exactly how I did it. The wiki is bigger than meets the eye.

https://trisquel.info/en/wiki/encrypt-home-directory-after-install

Magic Banana
Joined: 07/24/2010

Well, hard to be easier:
$ sudo ecryptfs-setup-swap
The command must be run while the swap is on. Swap encryption breaks Hibernate/Resume (not suspend/Resume) as the command warns. But I think it is worth it: currently encrypting...

hack and hack
Joined: 04/02/2015

Sorry I didn't make time to answer to all yet, but quickly this:
https://wiki.archlinux.org/index.php/disk_encryption#Data_encryption_vs_system_encryption

It suggests to (at least) take care of /tmp and /var, and all this is only for online tampering.

SuperTramp83
Joined: 10/31/2014

>Well, hard to be easier

Yeah :)
To check, do an lsblk; the swap partition should display something along the lines of:

├─sda5 8:5 0 1.9G 0 part
│ └─cryptswap1 254:0 0 1.9G 0 crypt [SWAP]

cheers

hack and hack
Joined: 04/02/2015

Thanks SuperTramp, it indeed does look like the full disk encryption covers everything but /boot (by default).

hack and hack
Joined: 04/02/2015

That's a fast and easy way to transfer a favorite list of programs, which I've already tried thanks to you.

But now I'm willing to make an effort to write a small install script with --no-install-recommends as an option, and thus not having to install Synaptic.

So you did "grep yourpassphrase"? Or are there more parameters to put in? Maybe be in /swap first I suppose.

Btw, thanks for dejadup, this looks like a nice solution for backup. I like the CLI, but I'd rather have a GUI for some programs. Sometimes it's just the best (safer, faster) way for me.

Magic Banana
Joined: 07/24/2010

You can export/import the list of installed packages with 'dselect' in a terminal.

I executed 'sudo grep passphrase /dev/sda1' because /dev/sda1 was my swap partition. I wrote "was" because, for some reason, 'sudo ecryptfs-setup-swap' never terminated (I waited hours) and I aborted it. As a result, I have no swap now. I will recreate one.

Magic Banana
Joined: 07/24/2010

I managed to get the swap encrypted and functional:
$ swapon -s
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 8388604 384 -1

However, I am not quite sure how! Something I did was to only have that line in /etc/crypttab:
cryptswap1 /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
/etc/crypttab contained several lines (probably one per attempt to run 'sudo ecryptfs-setup-swap'), where the swap partition was specified by UUID... with a different UUID on each line. As you can see above, I specified the device (/dev/sda1; to change if 'lsblk' indicates another device) rather than its UUID. I then rebooted. But I guess there is a way to enable the encrypted swap without rebooting.

Notice that I kept that line that 'sudo ecryptfs-setup-swap' added to /etc/fstab:
/dev/mapper/cryptswap1 none swap sw 0 0
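
A way to check the state described in this post, as an added example that is not part of the post: a shell function that cross-checks the swap entries of /etc/fstab against /etc/crypttab and reports plaintext swap, leftover or duplicated crypttab lines, and keys that are not regenerated at boot. The function name and the result labels are hypothetical, and it assumes swap is not a volume inside an already encrypted LVM (that case is reported as UNKNOWN_MAPPING).

```shell
#!/bin/sh
# Added example (not from the thread). Usage: audit_swap /etc/crypttab /etc/fstab
# Prints one finding per line:
#   OK name              fstab swap on /dev/mapper/name, one crypttab entry, random key
#   PLAINTEXT_SWAP dev   fstab swap entry that is not a /dev/mapper device
#   UNKNOWN_MAPPING name mapper device with no "swap" entry in crypttab (e.g. LVM)
#   DUPLICATE name       several crypttab swap entries share this name
#   FIXED_KEY name       key is not /dev/urandom or /dev/random
#   STALE name           crypttab swap entry that fstab never uses
audit_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] {                    # crypttab: name source keyfile options
            if ($4 ~ /(^|,)swap(,|$)/) { count[$1]++; key[$1] = $3 }
            next
        }
        $3 == "swap" {                           # fstab: device mountpoint type ...
            if ($1 !~ /^\/dev\/mapper\//) { print "PLAINTEXT_SWAP " $1; next }
            name = substr($1, 13)                # text after "/dev/mapper/"
            used[name] = 1
            if (!(name in count))                      print "UNKNOWN_MAPPING " name
            else if (count[name] > 1)                  print "DUPLICATE " name
            else if (key[name] !~ /^\/dev\/u?random$/) print "FIXED_KEY " name
            else                                       print "OK " name
        }
        END { for (n in count) if (!(n in used)) print "STALE " n }
    ' "$1" "$2"
}

# Demo: the fstab line from the post, and a crypttab with the post's line plus
# one constructed leftover entry (placeholder UUID) from an aborted earlier run.
dir=$(mktemp -d)
cat > "$dir/crypttab" <<'EOF'
cryptswap1 /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
cryptswap2 UUID=00000000-0000-0000-0000-000000000000 /dev/urandom swap
EOF
echo '/dev/mapper/cryptswap1 none swap sw 0 0' > "$dir/fstab"
audit_swap "$dir/crypttab" "$dir/fstab"
rm -rf "$dir"
```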

hack and hack
Joined: 04/02/2015

I found this to be interesting: https://ubuntuforums.org/showthread.php?t=1712826

That means all packages are minimal.
But let's say that for some reason, I install a package with apt-get, will it appear in the exported list?

SuperTramp83
Joined: 10/31/2014

> However, I am not quite sure how! Something I did was to only have that line in /etc/crypttab:
> cryptswap1 /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

Yeah, the line is here too.

hack and hack
Joined: 04/02/2015

Ok,

So here's my list again:
- full disk encryption is a bit advanced (partitioning, LVM, switching to a tty to modify GRUB), but accessible to me (minus the keyfile to avoid typing the passphrase twice). Otherwise, encrypting home and swap should be a relative breeze for a beginner.

- Sandboxing programs from the web: Firejail not being even in Debian's repo, I'll pass for now. Apparmor seems rather complicated. Same for a virtual machine, or Wine if it can work that way for native programs. Grsecurity is clearly overkill (might be worth it for a server though).

- kernel update is only needed if some hardware is not supported by the current one.

- re-installing programs: exporting a list from Synaptic looks like the easiest way. But before that, I needed to install with apt-get, and the option --no-install-recommends (after getting my ethernet interface running in DHCP):
  - Wicd for wifi (less headaches with a GUI sometimes)
  - Synaptic
  - xorg of course
  - some window manager/desktop environment

- Backup: DéjàDup or Back in Time are most likely the easiest programs.
I guess I'll partition a huge external drive so I can have a backup partition, and a storage partition for personal data I don't access every day (and encrypt the whole thing of course).

- Config files: It's OK to just keep the Home folder with all these, but there are also tons of weird text files that accumulate which I most likely don't need. So with this one, I do it by hand for now.

Do you have better ideas for this? Especially for sandboxing the browser (I might need JavaScript on occasionally, but I don't want a malicious script to have access to more than the browser (not even the bookmarks actually)).

The rest is pretty much aesthetics/workflow preferences, which is personal to each user. For example, I like my display to be minimal, and I want to use the keyboard instead of the mouse whenever possible, and that's what I did.
It implies learning a few shortcuts per program, but it's an investment. Plus there's always the man command.

EDIT:
Well, grsecurity seems available in Debian either as a backport or in Sid.
I assume it's "only" something to install, but it's usually more complicated.
Also, then there are authorizations to set up per program (pax something).
It's worth trying.
Both Apparmor and Firejail (the latter available in Sid) are vulnerable to X11 attacks (minimized for Firejail as it uses a dedicated X11 server or something).

SuperTramp83
Joined: 10/31/2014

>Firejail not being even in Debian's repo, I'll pass for now.

Firejail is in: sid, testing and **jessie-backports**

I installed it from backports, it's great, the thing can sandbox anything and it couldn't be easier to use.

>Do you have better ideas for this? Especially for sandboxing the browser

With the firefox profile already tuned very well in /etc/firejail it is as simple as:
firejail firefox

>malicious script

https://noscript.net

>have access to more than the browser

Here is what my firejailed seamonkey has access to in /home:

/home/.config/dconf
/home/.config/gtk-2.0
/home/Downloads/
/home/.mozilla
/home/.cache/mozilla/

hack and hack
Joined: 04/02/2015

One more reason to try the backports, plus I'm not sure I'm ready for Sid (or that I need it). Thanks for this!

Well, with firejail/apparmor/grsec, or firejail only, is it really needed to disable Javascript?
I mean sure, some data can still be stolen (still in a limited way), and it would allow some pages to work better.

SuperTramp83
Joined: 10/31/2014

I have been using stable ever since the first day it came out. I briefly used testing, but I like stable more because you set it and forget it: never an issue, crash or bug :)

With the combo firejail/apparmor I think it would be extremely difficult for anyone to exploit your browser, even with js turned on, but I may be wrong. Anyway security (lack of) is just one of many reasons I don't like js and so I don't really have the dilemma, I keep it off.

hack and hack
Joined: 04/02/2015

Sounds great, count me as a Stable user!

Apparmor demands some more education than Firejail (which can be applied system-wide, it seems).
Grsecurity even more (even if I don't compile it, but it seems the version in the repo is buggy, according to root_vegetable).
And it seems I'm barely scratching the surface here (see post #5):
https://ubuntuforums.org/showthread.php?t=2338868

and from the same post:
https://www.debian.org/doc/manuals/securing-debian-howto/

I don't really care that much about security, but this is helping me understand computers a bit more.
Most likely I'll start with Firejail, then keep on learning bit by bit.
But not everything is worth setting up, I'm sure.
For example, setting a GRUB password, or preventing hardware flashing of Libreboot is a bit extreme.

I was asking Legimet about why he set up /Home in a separate partition, here's another reason:
Any directory tree which a user has write permissions to, such as e.g. /home, /tmp and /var/tmp/, should be on a separate partition. This reduces the risk of a user DoS by filling up your "/" mount point and rendering the system unusable (Note: this is not strictly true, since there is always some space reserved for root which a normal user cannot fill), and it also prevents hardlink attacks.
Interesting.