+++
title="Linux Essentials"
description="The Basics Needed to Use Tails or Qubes"
date=2023-04-04

[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "tails", "qubes", "easy"]

[extra]
blogimage="/gifs/destroy.gif"
blogimagepng="/images/destroy.png"
toc=true
dateedit=2023-05-10
a4="linux-a4.pdf"
letter="linux-letter.pdf"
+++
As an anarchist, you've probably heard the recommendation to use a Linux computer. This article is intended to get you started by giving you a brief overview of what you need to know.
What is Linux and Why Use It?
If you are reading this, you are probably using either Windows or macOS on your computer. These are both operating systems, which is the system software that runs your device. They're also both "closed-source", which means that the software's "source code" is not available (closed) to the public, so it can't be audited for privacy and security. Windows and macOS computers send your data to Microsoft and Apple, and you can't trust their full-disk encryption to protect your data if the computer is physically accessed (like after a house raid).
Linux is a set of operating systems that are open-source, which means that the source code can be analyzed by anyone. Linux is the name given to the core (kernel) of the operating system, and many different distributions (or 'distros') are based on it. Simply put, Linux is the only type of computer that anarchists can trust.
Linux distributions that anarchists are likely to have heard of are Debian, Ubuntu and Tails. Each Linux distribution makes different choices about how to manage software, what kernel version to use, etc. In fact, both Ubuntu and Tails are adaptations of Debian for the specific use cases of being user-friendly (Ubuntu) and providing anonymity (Tails).
How Software Works
In Linux, the term for an application is a package. Instead of downloading applications from various sites on the Internet (as in Windows and macOS), a Linux distribution has a centralized repository where the software lives. This has the advantage that the integrity of the software is verified by the distribution, and it is guaranteed to work with that Linux distribution. It is still possible to install software from outside of a distro's repository, but it is generally considered riskier, and verifying the integrity is your responsibility. Installing a package requires knowing its name, and all packages in a repository can be browsed using a web browser for both Debian and Fedora.
How do you actually install from a software repository? Each distribution also has a package manager, which is an application that installs software from a software repository. Debian and distributions based on it use the apt package manager. In some distributions, it is possible to install software with a Graphical User Interface (GUI) that uses the package manager in the background, such as the Synaptic Package Manager in Tails.
Software Alternatives
Part of the learning curve for Linux is figuring out which open-source software to use instead of the closed-source options you are used to in Windows and macOS. For example, instead of using Microsoft Word, you might use LibreOffice. The fact that an application is open-source is an essential criterion, but it is not enough to be considered secure. For example, Telegram advertises itself as open-source, but the servers are not open-source and the cryptography is garbage. The list of included software for Tails will cover many of your needs with reputable choices, and you can also check out switching.software.
The Command Line Interface
The dreaded command line! What even is it? You are used to interacting with applications through a Graphical User Interface (GUI), which means pointing and clicking buttons with your mouse. Some applications can also be interacted with through a Command Line Interface (CLI), which is textual. Many applications are available in both CLI and GUI versions.
For example, navigating the contents of your computer with the File Manager GUI is pretty standard - you click on a folder (called a directory in Linux), and it opens. The same navigation through the file system is also possible from the CLI.
When you open a Terminal (the CLI application), you get a prompt. It is called a prompt because it is prompting you to say something in a language that the Terminal understands. Prompts differ in what information is displayed, but they all end with the $ character. You then give commands to the Terminal. The Terminal responds, then redisplays the prompt to take more commands.
The best way to learn the basics of the command line is to interact with it. We recommend the Foundations: Linux Journey exercise to learn some basic commands. The Software Distribution and Packages exercise will teach you what you need to know to install software in Qubes.
Some commands require elevated privileges, equivalent to "Open as Administrator" in Windows. For example, installing software usually requires this. Prefixing a command with sudo will execute it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display # instead of $. Be especially careful with any commands you run while using these elevated privileges, as you'll have the power to erase your entire hard drive or change important files. It is helpful to know that text is pasted in the Terminal with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
Most Linux users will rarely need to use the CLI. If you're using Tails, you shouldn't need it at all, although you will need the following commands for a more secure installation:
- wget: this downloads files from the Internet using the Command Line (rather than a web browser)
- gpg: this handles GPG encryption operations. This is used to verify the integrity and authenticity of the Tails download.
- apt: this manages packages in Debian.
- dd: this copies a file from one disk to another.
The Qubes installation requires the same commands (during the verification phase). The Command Line Interface is otherwise only needed to install software:
- apt install <PACKAGE_NAME>: this will install packages on Debian
- dnf install <PACKAGE_NAME>: this will install packages on Fedora
If you ever don't understand what a command does, try searching explainshell for it.
GPG Explanation
Using gpg during the installation of Tails or Qubes OS will be less confusing if you understand how it works.
First, some clarification. PGP and GPG are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication (although we don't recommend it), but we use it here only to verify the integrity and authenticity of files.
GPG is a classic example of public-key cryptography. GPG provides cryptographic functions for encrypting, decrypting, and signing files; our concern here is digitally signing files. The Qubes and Tails teams both digitally sign their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
Now you need to understand the basics of public-key cryptography. This Computerphile video has a great overview with visual aids. To summarize, a secret/private key is used to sign messages, and only the user who has that key can do so. Each private key has a corresponding public key - this is called a key pair. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!
Tails and Qubes OS sign their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the Tails verification instructions, which are less convoluted than the Qubes OS equivalent.
Step: Generate a Key-Pair
Tails recommends this Riseup guide to generate a key-pair.
gpg --gen-key
will prompt you for some configuration options and then generate your key-pair.
Step: Verify the Tails public key
gpg --import < tails-signing.key
imports the Tails public key into your keyring so that it can be used.
gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import
imports the public key of a Debian developer into your keyring so that it can be used.
gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
allows you to verify the Tails public key with the Debian developer's public key by examining the output as instructed. This is so that if the source of the Tails public key (tails.net) is compromised, you have an external source of truth to alert you.
gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F
will certify the Tails public key with the key you created in the last step.
Now we know that we have a genuine version of the Tails public key. gpg also knows this because we chose to certify it.
Step: Verify the downloaded Tails .img file
TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img
allows you to verify that the .img file is signed as it should be by examining the output as instructed.
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
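The "examining the output" part of the verification step can also be done by a script. The following is an added example, not taken from the Tails or Qubes instructions: it reads gpg's machine-readable status lines and accepts the file only if the signature is valid and traces back to the Tails fingerprint used above, because gpg reports a "good" signature for any key in your keyring. The helper names check_status and verify_image are hypothetical, and the sample status lines and the two placeholder fingerprints are constructed.

```shell
#!/bin/sh
# Added example: read gpg's machine-readable status instead of eyeballing it.
# Fingerprint of the Tails signing key, as used in the steps above.
TAILS_FPR=A490D0F4D311A4153E2BB7CADBB802B258ACD84F

# check_status EXPECTED_FPR (hypothetical helper): reads "gpg --status-fd"
# lines on stdin. Succeeds only if a VALIDSIG line names EXPECTED_FPR as the
# signing key or as its primary key, and nothing reports a bad, expired or
# revoked signature. A "good" signature from any other key is rejected.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_image SIG IMG (hypothetical helper): same check as the manual
# command, with the status lines sent to stdout for check_status.
verify_image() {
    gpg --no-options --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$TAILS_FPR"
}

# Constructed sample status output; both fingerprints below are made-up placeholders.
SUBKEY=0123456789ABCDEF0123456789ABCDEF01234567
OTHERKEY=FEDCBA9876543210FEDCBA9876543210FEDCBA98
FIELDS="2023-01-01 1672531200 0 4 0 1 10 00"
GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Tails developers (constructed)
[GNUPG:] VALIDSIG $SUBKEY $FIELDS $TAILS_FPR"
TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Tails developers (constructed)"
WRONGKEY="[GNUPG:] GOODSIG 76543210FEDCBA98 Someone else (constructed)
[GNUPG:] VALIDSIG $OTHERKEY $FIELDS $OTHERKEY"

for name in GOOD TAMPERED WRONGKEY; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | check_status "$TAILS_FPR"; then
        echo "$name: accept"
    else
        echo "$name: REJECT"
    fi
done
```

With the Tails key imported, verify_image tails-amd64-5.10.img.sig tails-amd64-5.10.img returns success only for a correctly signed image.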
Going Further
If you want to learn more about Linux, we'd recommend:
- The rest of the Tech Learning Collective's Foundations exercises will give you a much more comprehensive foundation than what you need to use Qubes or Tails.
- Linux Fundamentals at Hack The Box Academy is another interactive learning environment with a less comprehensive overview.