Merge branch 'custom-install-4.0'

2025-02-17 21:34:17 -05:00 · 2019-01-14 00:14:22 -06:00 · 2019-01-14 00:14:22 -06:00 · 069c3e2a7c
commit 069c3e2a7c
parent 154c307931 2f51f414a3
1 changed files with 163 additions and 19 deletions
--- a/installing/custom-install.md
+++ b/installing/custom-install.md
@ -9,39 +9,179 @@ redirect_from:
 Custom Installation
 ===================

-In the present context, "custom installation" refers to things like manual
-partitioning, setting up LVM and RAID, and manual LUKS encryption configuration.
+In the present context, "custom installation" refers to things like manual partitioning, setting up LVM and RAID, and manual LUKS encryption configuration.


-Installer Defaults (R3.2)
-------------------------
+## Qubes 4.0
+
+### Installer Defaults
+
+For reference, these are the typical defaults for a single disk with legacy boot:
+
+~~~
+Mount Point: /boot
+Desired Capacity: 1024 MiB
+Device Type: Standard Partition
+File System: ext4
+Name: (none)
+
+Mount Point: /
+Desired Capacity: (your choice)
+Device Type: LVM Thin Provisioning
+Volume Group: qubes_dom0
+File System: ext4
+Name: root
+
+Mount Point: (none)
+Desired Capacity: 10 GiB
+Device Type: LVM
+Volume Group: qubes_dom0
+File System: swap
+Name: swap
+~~~
+
+~~~
+SUMMARY OF CHANGES
+
+Order   Action              Type                    Device              Mount point
+
+1       Destroy Format      Unknown                 Disk (sda)
+2       Create Format       partition table (MSDOS) Disk (sda)
+3       Create Device       partition               sda1 on Disk
+4       Create Format       ext4                    sda1 on Disk        /boot
+5       Create Device       partition               sda2 on Disk
+6       Create Format       LUKS                    sda2 on Disk
+7       Create Device       luks/dm-crypt           luks-sda2
+8       Create Format       physical volume (LVM)   luks-sda2
+9       Create Device       lvmvg                   qubes_dom0
+10      Create Device       lvmthinpool             qubes_dom0-pool00
+11      Create Device       lvmthinlv               qubes_dom0-root
+12      Create Device       lvmlv                   qubes_dom0-swap
+13      Create Format       swap                    qubes_dom0-swap
+14      Create Format       ext4                    qubes_dom0-root     /
+~~~
+
+
+### Typical Partition Schemes
+
+If you want your partition/LVM scheme to look like the Qubes default but with a few tweaks, follow this example.
+With a single disk, the result should look something like this:
+
+~~~
+NAME                                SIZE    TYPE    MOUNTPOINT
+sda                                         disk
+├──sda1                               1G    part    /boot
+└──sda2                                     part
+   └──luks-<UUID>                           crypt
+      ├──qubes_dom0-pool00_tmeta            lvm
+      ├──qubes_dom0-pool00_tdata            lvm
+      └──qubes_dom0-swap                    lvm     [SWAP]
+~~~
+
+
+### Encryption Defaults
+
+By default, `cryptsetup 1.7.5` will create a LUKS/dm-crypt volume as follows:
+
+~~~
+Version:            1
+Cipher name:        aes
+Cipher mode:        xts-plain64
+Hash spec:          sha256
+~~~
+
+~~~
+$ cryptsetup --help
+[...]
+Default compiled-in device cipher parameters:
+        loop-AES: aes, Key 256 bits
+        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripdemd160
+        LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
+~~~
+
+This means that, by default, Qubes inherits these upstream defaults:
+
+ - AES-128 [[1]][cryptsetup-faq][[2]][dm-crypt][[3]][tomb-238]
+ - SHA-256
+ - `/dev/urandom`
+ - probably an `iter-time` of one second
+
+If, instead, you'd like to use AES-256, SHA-512, `/dev/random`, and a longer `iter-time`, for example, you can configure encryption manually by following the instructions below.
+
+
+### Example: Custom LUKS Configuration
+
+Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual console.
+
+1. (Optional) Wipe the disk:
+
+        # dd if=/dev/zero of=/dev/sda bs=1M status=progress && sync
+
+2. Create partitions:
+
+        # fdisk /dev/sda
+
+   Follow the steps to create two partitions:
+   
+   - ~500MiB-1GiB for `/boot`
+   - The rest for `/` (might want to leave some for overprovisioning if it's an SSD)
+
+4. Create LUKS encrypted volume:
+
+        # cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 10000 --verify-passphrase luksFormat /dev/sda2
+
+5. Open encrypted volume:
+
+        # cryptsetup open /dev/sda2 luks
+
+6. Create LVM volumes:
+
+        # pvcreate /dev/mapper/luks
+        # vgcreate qubes_dom0 /dev/mapper/luks
+        # lvcreate -n swap -L 10G qubes_dom0
+        # lvcreate -T -l +100%FREE qubes_dom0/pool00
+        # lvcreate -V1G -T qubes_dom0/pool00 -n root
+        # lvextend -L <size_of_pool00> /dev/qubes_dom0/root
+
+8. Proceed with the installer.
+   At the disk selection screen, select:
+
+        [x] I will configure partitioning.
+        [ ] Encrypt my data.
+
+Decrypt your partition, then assign `/`, `/boot`, and `swap`.
+Proceed normally from there.
+
+
+## Qubes 3.2
+
+### Installer Defaults

 For reference, these are the defaults for a single disk:

 ~~~
-Mount Point: `/`
+Mount Point: /
 Desired Capacity: (your choice)
-Device Type: `LVM`
-Volume Group: `qubes_dom0`
-File System: `ext4`
-Name: `root`
+Device Type: LVM
+Volume Group: qubes_dom0
+File System: ext4
+Name: root

-Mount Point: `/boot`
+Mount Point: /boot
 Desired Capacity: 500 MiB (recommended)
 Device Type: Standard Partition
-File System: `ext4`
+File System: ext4

 Mount Point: (none)
 Desired Capacity: 9.44 GiB (recommended)
 Device Type: LVM
 Volume Group: qubes_dom0
-File System: `swap`
-Name: `swap`
+File System: swap
+Name: swap
 ~~~


-Typical Partition Schemes
-------------------------
+### Typical Partition Schemes

 If you want your partition/LVM scheme to look like the Qubes default but
 with a few tweaks, follow these examples. With a single disk, the result
@ -80,8 +220,7 @@ If you're using `mdadm` software RAID, it should look something like this:
 ~~~


-Example: LVM on LUKS on RAID (R3.2)
-----------------------------------
+### Example: LVM on LUKS on RAID0

 Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual
 console.
@ -128,8 +267,9 @@ console.
 Continue normally from here.


-Manual Encryption Configuration (R3.1)
--------------------------------------
+## Qubes 3.1
+
+### Manual Encryption Configuration

 Qubes OS uses full disk encryption (FDE) by default. If you are an advanced
 user who wishes to customize your encryption parameters during installation,
@ -191,3 +331,7 @@ configure the encryption options while installing Qubes as follows:

        # cryptsetup luksDump /dev/sda2

+[cryptsetup-faq]: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
+[dm-crypt]: https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
+[tomb-238]: https://github.com/dyne/Tomb/issues/238
+