diff --git a/installing/custom-install.md b/installing/custom-install.md index 56c540c3..1ff9547a 100644 --- a/installing/custom-install.md +++ b/installing/custom-install.md 
@@ -13,35 +13,183 @@ In the present context, "custom installation" refers to things like manual partitioning, setting up LVM and RAID, and manual LUKS encryption configuration. -Installer Defaults (R3.2) -------------------------- +## Qubes 4.0 + +### Installer Defaults + +For reference, these are the typical defaults for a single disk: + +~~~ +Mount Point: /boot +Desired Capacity: 1024 MiB +Device Type: Standard Partition +File System: ext4 +Name: (none) + +Mount Point: / +Desired Capacity: (your choice) +Device Type: LVM Thin Provisioning +Volume Group: qubes_dom0 +File System: ext4 +Name: root + +Mount Point: (none) +Desired Capacity: 15.37 GiB +Device Type: LVM +Volume Group: qubes_dom0 +File System: swap +Name: swap +~~~ + +~~~ +SUMMARY OF CHANGES + +Order Action Type Device Mount point + +1 Destroy Format Unknown Disk (sda) +2 Create Format partition table (MSDOS) Disk (sda) +3 Create Device partition sda1 on Disk +4 Create Format ext4 sda1 on Disk /boot +5 Create Device partition sda2 on Disk +6 Create Format LUKS sda2 on Disk +7 Create Device luks/dm-crypt luks-sda2 +8 Create Format physical volume (LVM) luks-sda2 +9 Create Device lvmvg qubes_dom0 +10 Create Device lvmthinpool qubes_dom0-pool00 +11 Create Device lvmthinlv qubes_dom0-root +12 Create Device lvmlv qubes_dom0-swap +13 Create Format swap qubes_dom0-swap +14 Create Format ext4 qubes_dom0-root / +~~~ + + +### Typical Partition Schemes + +If you want your partition/LVM scheme to look like the Qubes default but +with a few tweaks, follow these examples. 
With a single disk, the result +should look something like this: + +~~~ +NAME SIZE TYPE MOUNTPOINT +sda disk +├──sda1 1G part /boot +└──sda2 part + └──luks- crypt + ├──qubes_dom0-pool00_tmeta lvm + ├──qubes_dom0-pool00_tdata lvm + └──qubes_dom0-swap lvm [SWAP] +~~~ + + +### Encryption Defaults + +By default, `cryptsetup 1.7.5` will create a LUKS/dm-crypt volume as follows: + +~~~ +Version: 1 +Cipher name: aes +Cipher mode: xts-plain64 +Hash spec: sha256 +~~~ + +~~~ +$ cryptsetup --help +[...] +Default compiled-in device cipher parameters: + loop-AES: aes, Key 256 bits + plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripdemd160 + LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom +~~~ + +This means that, by default, Qubes inherits these upstream defaults: + + - AES-128 [[1]][cryptsetup-faq][[2]][dm-crypt][[3]][tomb-238] + - SHA-256 + - `/dev/urandom` + - probably an `iter-time` of one second + +If, instead, you'd like to use AES-256, SHA-512, `/dev/random`, and a longer `iter-time`, you can configure encryption manually by following the instructions below. + + +### Example: Custom LUKS Configuration + +Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual console. + +1. (Optional) Wipe the disk: + + # dd if=/dev/zero of=/dev/sda bs=1M status=progress && sync + +2. Create partiions: + + # fdisk /dev/sda + n + p + 1 + +1G + a + n + p + 2 + (your choice; might want to leave overprovisioning space on an SSD) + p (check and confirm that everything makes sense) + w + +4. Create LUKS encrypted volume: + + # cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 10000 --verify-passphrase luksFormat /dev/sda2 + +5. Open encrypted volume: + + # cryptsetup open /dev/sda2 luks + +6. 
Create LVM volumes: + + # pvcreate /dev/mapper/luks + # vgcreate qubes_dom0 /dev/mapper/luks + # lvcreate -n swap -L 10G qubes_dom0 + # lvcreate -T -l +100%FREE qubes_dom0/pool00 + # lvcreate -V1G -T qubes_dom0/pool00 -n root + # lvextend -L /dev/qubes_dom0/root + +8. Proceed with the installer. + At the disk selection screen, select: + + [x] I will configure partitioning. + [ ] Encrypt my data. + +Decrypt your partition, then assign `/`, `/boot`, and `swap`. +Proceed normally from there. + + +## Qubes 3.2 + +### Installer Defaults For reference, these are the defaults for a single disk: ~~~ -Mount Point: `/` +Mount Point: / Desired Capacity: (your choice) -Device Type: `LVM` -Volume Group: `qubes_dom0` -File System: `ext4` -Name: `root` +Device Type: LVM +Volume Group: qubes_dom0 +File System: ext4 +Name: root -Mount Point: `/boot` +Mount Point: /boot Desired Capacity: 500 MiB (recommended) Device Type: Standard Partition -File System: `ext4` +File System: ext4 Mount Point: (none) Desired Capacity: 9.44 GiB (recommended) Device Type: LVM Volume Group: qubes_dom0 -File System: `swap` -Name: `swap` +File System: swap +Name: swap ~~~ -Typical Partition Schemes -------------------------- +### Typical Partition Schemes If you want your partition/LVM scheme to look like the Qubes default but with a few tweaks, follow these examples. With a single disk, the result @@ -80,8 +228,7 @@ If you're using `mdadm` software RAID, it should look something like this: ~~~ -Example: LVM on LUKS on RAID (R3.2) ------------------------------------ +### Example: LVM on LUKS on RAID0 Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual console. 
@@ -128,8 +275,9 @@ console. Continue normally from here. -Manual Encryption Configuration (R3.1) --------------------------------------- +## Qubes 3.1 + +### Manual Encryption Configuration Qubes OS uses full disk encryption (FDE) by default. If you are an advanced user who wishes to customize your encryption parameters during installation, @@ -191,3 +339,7 @@ configure the encryption options while installing Qubes as follows: # cryptsetup luksDump /dev/sda2 +[cryptsetup-faq]: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions +[dm-crypt]: https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption +[tomb-238]: https://github.com/dyne/Tomb/issues/238 +
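Review bot: In the first hunk (`@@ -13,35 +13,183 @@`), step 6 of "Example: Custom LUKS Configuration" ends with `# lvextend -L /dev/qubes_dom0/root`, which gives `-L` no size, so the command fails as written. Add a size placeholder such as `lvextend -L <size> /dev/qubes_dom0/root`, in the same way the fdisk step marks "(your choice)". In the same example the steps are numbered 1, 2, 4, 5, 6, 8, and "partiions" is misspelled. Under "Encryption Defaults" the list says AES-128 while the quoted `cryptsetup --help` output says `aes-xts-plain64, Key: 256 bits`. One sentence explaining that XTS splits the key into two halves would remove the apparent contradiction and explain why the example passes `--key-size 512` to get AES-256. That quoted output also reads `ripdemd160`, which looks like a transcription slip for `ripemd160`. The lsblk tree under "Typical Partition Schemes" lists `pool00_tmeta`, `pool00_tdata` and `swap` but no root volume, although the summary of changes creates `qubes_dom0-root`. Finally, the closing "Decrypt your partition" follows step 5, which already opened the volume as `luks`. Say whether the installer asks for the passphrase again or whether the reader simply selects the mapped device.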
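Review bot: In the `@@ -80,8 +228,7 @@` hunk the heading becomes "Example: LVM on LUKS on RAID0", but the only context visible here speaks of "`mdadm` software RAID" with no level given. Please confirm that the example's commands build a level-0 array. If they do, state in the section that RAID0 provides no redundancy. If they do not, keep the heading as "RAID".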