Friday, 17 November 2017

3ncrypt3d 0p3r4t1ng Sy2t3m

Today I show you how to install an encrypted operating system based on Linux.

This guide is based on Debian because, in my opinion, it is one of the best Linux distributions and it works well with what we will do in future posts. I assume we are working on Windows (this matters only for some of the tools we are going to use).

First of all, download the Debian .iso from:
The next step is optional and consists of verifying that the downloaded .iso was not tampered with by an attacker (one who broke into a Debian server and modified the .iso file to insert malware, or who simply poisoned your DNS cache to redirect you to a shadow Debian server serving his tampered files). To be sure, let's do this step. We need to download gpg4win v2.3.3 from https://files.gpg4win.org/gpg4win-2.3.3.exe. My advice is to download version 2.3.3 because I tested v3.0.0 and it was not able to connect to the keyserver that we will use later.

Run the gpg4win installer, always press Next and install the application. Then we need to download the files needed to verify our .iso. The files to be downloaded are:
Now open CMD, move to the folder where these verification files are with the cd command (e.g. cd Downloads) and run the following command:
  • gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
In this way we import the public key used to sign the Debian checksum files. We should get output like:

gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:                       imported: 1 <RSA: 1>

Then we must verify the fingerprint of the key that signs the .iso checksums by typing:
  • gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B
If the imported key is correct, the output of the command should look like:

pub   4096R/6294BE9B 2011-01-05
         Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid            [    unknown] Debian CD signing key <debian-cd@lists.debian.org>
sub    4096R/11CD9819 2011-01-05

Then we verify the checksum file we downloaded by typing:
  • gpg -v SHA256SUMS.sign
If you get the output "Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"", the files have not been tampered with. If you get "Bad signature", one of the files has been tampered with or corrupted; in that case, repeat the verification step shown above. Don't worry about the "key is not certified with a trusted signature" message: it only means you have not certified the key in your own keyring, and the fingerprint check above already covers that.
Next, type:
  • type SHA256SUMS |findstr netinst > sha256.sum

Finally, to verify the Debian .iso file, type:
  • "C:\Program Files (x86)\GNU\GnuPG\sha256sum.exe" -c sha256.sum
Don't forget the double quotes, and use the TAB key to autocomplete the path to sha256sum.exe.
If you get OK, the Debian .iso is correct; if you get FAILED, it was tampered with or corrupted, and you should re-download the .iso file.
Note: if you want to install another distro instead of Debian, to find out which key you should import, download its SHA256SUMS.sign and type
  • gpg -v SHA256SUMS.sign
The output shows the ID of the public key to import, and you can import it with the --recv-keys option as before; then check its fingerprint against the one published by that distribution, as done above for Debian.
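The checks above (comparing the key fingerprint, then picking our image's line out of SHA256SUMS and running sha256sum -c on it) written out as a small Python script, so the logic is visible. This is an added example, not code from the original post; the fingerprint is the one shown above, while the image name and contents in demo() are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

DEBIAN_CD_FPR = "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"  # from the page

def fingerprint_matches(gpg_output, expected=DEBIAN_CD_FPR):
    """True iff the 'Key fingerprint =' line (gpg 2.0 layout, as above) equals expected."""
    for line in gpg_output.splitlines():
        if "fingerprint =" in line:  # compare without spaces, case-insensitively
            return line.split("=", 1)[1].replace(" ", "").upper() == expected.replace(" ", "").upper()
    return False

def parse_sha256sums(text):
    """Map filename -> digest from '<hex>  <name>' / '<hex> *<name>' lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream: a multi-GB image never sits in RAM
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(sums_text, iso_path):
    """The `findstr` + `sha256sum -c` step: listed in SHA256SUMS and hash matches."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False  # an unlisted image must not pass silently
    return hmac.compare_digest(sha256_file(iso_path), expected)

def demo():
    """Constructed data: stand-in image + matching SHA256SUMS, intact then altered."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "debian-EXAMPLE-netinst.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        sums_text = "%s  %s\n" % (sha256_file(iso), os.path.basename(iso))
        ok_intact = verify_iso(sums_text, iso)
        with open(iso, "r+b") as f:
            f.seek(10)
            f.write(b"X")  # flip one byte: the hash no longer matches
        ok_tampered = verify_iso(sums_text, iso)
    return ok_intact, ok_tampered
```

The checksum proves integrity only; authenticity still rests on the gpg signature check on SHA256SUMS.sign done earlier.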
The verification phase is over. The next step is to make a bootable USB drive with Debian. The software I use is Universal USB Installer, a portable application for making bootable USB drives, downloadable from https://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3


In Step 1 select Debian netinst, in Step 2 select the downloaded Debian .iso, and in Step 3 select your USB drive. To the right of Step 3 a format option should appear: select it and choose FAT32, then click Create and wait for the process to finish. Before rebooting, one last thing: to avoid "missing firmware" messages during the installation, which can prevent the wlan interface from being installed and configured, download the firmware bundle from http://cdimage.debian.org/cdimage/unofficial/non-free/firmware and unzip it into the firmware folder of your prepared USB drive. It is also good practice to be connected via Ethernet during the Debian installation.

At this point plug the USB drive into the PC, reboot and, when Debian boots, click Install (or Graphical Install). Select a language and a location, then your preferred keymap. The next step is the network configuration: as Hostname leave the default debian and press Enter; leave Domain name empty and press Enter; press Enter also when asked for the Root password and again to confirm it (the Debian installer then disables the root account and gives the first user sudo access); leave Full name blank; when asked for a username for your account, type user and press Enter, then choose a good password and press Enter again. Next, select a time zone, and now comes the "smoking gun":

In the Partition disks step select Manual. We need three partitions: one for /boot (otherwise GRUB may produce an error at the end of the installation and not be installed), one for swap and one for the Debian OS itself. Select a partition (or a set of partitions) that we do not need and can use for this purpose. If it is not already free, delete it so that the space becomes available again. The freed part is shown as FREE SPACE. To create the Debian OS partition, click on the part of the disk marked FREE SPACE. A window opens: click Create a new partition, set your preferred partition size, for example 100 GB, then in the next window choose Logical, then Beginning and, in the next window, set only the Use as parameter as follows:
  • Use as: press Enter and choose physical volume for encryption. Another window opens where you can choose whether to Erase data. If you do, the partition is overwritten with pseudo-random data; erasing is advisable for better security (it hides how much of the partition actually holds data). The other parameters can be left as they are, or changed if you prefer. Then click Done setting up the partition, which returns you to the list of partitions.
Now click Configure encrypted volumes, on the next screen answer Yes, and then Finish. If you chose to erase data, the next window asks you to confirm erasing the partition: answer Yes. It will take a long time. At the end of the process you must choose a strong passphrase. Note that if you lose the passphrase, you lose everything on the partition. A nice indicator for evaluating a passphrase is at https://www.grc.com/haystack.htm. Note: as the website itself says, this calculator

is NOT a "Password Strength Meter."

After you choose the passphrase, you are returned to the list of partitions. Click Configure the Logical Volume Manager. In the next window answer Yes, then click Create volume group; another window appears where you type a name for the volume group, for example debian-vg.
In the next window select the devices for the volume group you just created: with the space bar select the partition named sda#_crypt (# is a number) and press Enter. In the next window select Create logical volume and press Enter, choose debian-vg and, as logical volume name, type root. Press Enter. Now you must set the size of this logical volume. There are two ways to create an encrypted swap partition. The difference is that with the first way the swap and the OS volumes need only one (shared) passphrase, while with the second way you need two passphrases (the same or different ones), one to unlock the OS and one to unlock the swap area, for additional security.

The first way: since we want a swap partition (it is optional, but we want it), the installer already proposes a default size. Subtract 8 GB (or whatever you prefer) from that size and press Enter; these 8 GB will be used for swap. Then create another logical volume with the Create logical volume option on the debian-vg volume group, naming it swap1 with a logical volume size of 8 GB, then click Finish. END OF THE FIRST WAY!

The second way: accept the default size for the logical volume. Once the logical volume for the Debian OS is created, click Finish. Now we must repeat all the steps done for the Debian OS partition. In the list of partitions, if there is free space left for swap, click Create a new partition, set 8 GB (or whatever you prefer), then in the next window choose Logical, then Beginning and, in the next window, set only the Use as parameter as follows:
  • Use as: press Enter and choose physical volume for encryption. Another window opens where you can choose whether to Erase data. If you do, the partition is overwritten with pseudo-random data; erasing is advisable for better security. The other parameters can be left as they are, or changed if you prefer. Then click Done setting up the partition, which returns you to the list of partitions.

Now click Configure encrypted volumes, on the next screen answer Yes, and then Finish. If you chose to erase data, the next window asks you to confirm erasing the partition: answer Yes. It will take a long time. At the end of the process you must choose a strong passphrase. Note again that if you lose the passphrase, you lose everything on the partition.
After you choose the passphrase, you are returned to the list of partitions. Click Configure the Logical Volume Manager. In the next window answer Yes, then select Extend volume group and click debian-vg.
In the next window select the devices to add to the volume group: with the space bar select the partition named sda#_crypt (# is a number) and press Enter. In the next window select Create logical volume and press Enter, choose debian-vg and, as logical volume name, type swap1. Press Enter. Now you must set the size of this logical volume: you can leave the default size and press Enter, then click Finish. END OF THE SECOND WAY!

Both ways bring you back to the list of partitions, where we now see two volumes in the LVM VG debian-vg section, one for the Debian OS and one for swap. Click on the Debian OS volume, labelled LV root, and set the parameters as
  • Use as: Ext4 journaling file system
  • Mount point: /
  • The other parameters are left as default
Then press Done setting up the partition. Now we are back in the list of partitions. Click on the volume labelled LV swap1 and set the parameter as
  • Use as: swap area
Then click Done setting up the partition.

The last part to deal with is the creation of the boot partition. Create a new partition of 256 MB, Primary, located at the Beginning, then set the parameters as
  • Use as: Ext4 journaling file system
  • Mount point: /boot
  • The other parameters are left as default
Then press Done setting up the partition.


At the end we are back in the list of partitions and must click Finish partitioning and write changes to disk, then confirm writing the changes to disk so the installation can begin.
During the installation several windows appear. The first is the Debian archive mirror country: choose your nearest location and whichever mirror you prefer. Leave HTTP proxy information blank in the next window. If asked to take part in the package usage survey, answer No. It also asks which software to install: select only Debian desktop environment and standard system utilities with the space bar and press Enter.
Finally it asks whether to install the GRUB boot loader: answer Yes and select the sd# disk where your Debian OS, swap and boot partitions are located. If asked whether the system clock is set to UTC, answer No. The installation is finished.

Note: if GRUB gives an error during the installation, choose not to install it. This probably happens when you did not create a boot partition. Rebooting the PC then gives an error that drops you to the grub rescue command line. To fix it, make a bootable USB drive with Ubuntu, plug it into the PC and reboot. Start Ubuntu in Live mode, open a Terminal and run these commands:
  • sudo cryptsetup open /dev/sdXY linux (sdXY is the encrypted Debian partition, e.g. sda3)
  • sudo cryptsetup open /dev/sdXY swap (sdXY is the encrypted swap partition, e.g. sda6). This step avoids the "WARNING: Device for PV randomcharacters not found or rejected by a filter" message when we install GRUB
  • sudo mount /dev/mapper/linux /mnt
If the last command gives an error like "mount: /mnt: unknown filesystem type 'LVM2_member'" (it happens when logical volumes are used, as we did), run instead: sudo mount /dev/debian-vg/root /mnt
  • sudo mount --bind /dev /mnt/dev
  • sudo mount --bind /dev/pts /mnt/dev/pts
  • sudo mount --bind /proc /mnt/proc
  • sudo mount --bind /sys /mnt/sys
  • sudo chroot /mnt
  • update-grub
  • grub-install /dev/sdX (e.g. sda)
  • update-grub
  • exit
  • sudo umount /mnt/sys
  • sudo umount /mnt/proc
  • sudo umount /mnt/dev/pts
  • sudo umount /mnt/dev
  • sudo umount /mnt
Reboot. If you had another OS in dual boot and it is not shown in the boot menu, boot into Debian this time, type sudo update-grub in a Terminal and reboot the PC.
If that does not work, try reinstalling GRUB by booting the Debian USB drive and selecting Advanced options -> Rescue mode. Enter the requested information and, when asked to select the root partition, select debian-vg/root, then choose to reinstall GRUB and reboot.


There is another level of security we can add to our system. We can enable cryptodisk in the GRUB bootloader so that, to reach the bootloader at all, the user must enter the passphrase set for the Debian OS. This may seem pointless: an attacker who knows the Debian passphrase can also get into the GRUB bootloader. But if the attacker does not know the Debian passphrase, this additional level keeps him from booting any OS on the hard drive, since GRUB now blocks not only Debian but also the other installed operating systems. Keep in mind that this only gates booting through this GRUB: an OS that is not itself encrypted can still be read by booting from another medium.
To add this additional level of security, boot Debian and edit the file /etc/default/grub with
  • sudo nano /etc/default/grub
Insert the following line: GRUB_ENABLE_CRYPTODISK=y
Save the file and close it. Then, in the Terminal, type
  • sudo update-grub
When you reboot, before reaching the GRUB boot menu it asks you for the passphrase. Please, do not forget IT!!!
An important note: during the GRUB decryption phase the keyboard layout is en-US. This can be useful if your keymap is different: an attacker near your keyboard who knows your Debian passphrase may not know that the layout is en-US when entering the passphrase for GRUB. It is not silly; it is always a little help for protection.

The encrypted bootloader prompt looks like this:

After entering the correct passphrase, we get this screen asking for the Debian OS passphrase:

and the screen asking for the swap area passphrase:

WE GOT OUR ENCRYPTED OS!
