Update custom installation instructions for 4.0

Andrew David Wong 2019-01-12 15:26:37 -06:00
parent 154c307931
commit 66d6918be6
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17

@ -13,35 +13,183 @@ In the present context, "custom installation" refers to things like manual
partitioning, setting up LVM and RAID, and manual LUKS encryption configuration. partitioning, setting up LVM and RAID, and manual LUKS encryption configuration.
Installer Defaults (R3.2) ## Qubes 4.0
-------------------------
### Installer Defaults
For reference, these are the typical defaults for a single disk:
~~~
Mount Point: /boot
Desired Capacity: 1024 MiB
Device Type: Standard Partition
File System: ext4
Name: (none)
Mount Point: /
Desired Capacity: (your choice)
Device Type: LVM Thin Provisioning
Volume Group: qubes_dom0
File System: ext4
Name: root
Mount Point: (none)
Desired Capacity: 15.37 GiB
Device Type: LVM
Volume Group: qubes_dom0
File System: swap
Name: swap
~~~
~~~
SUMMARY OF CHANGES
Order Action Type Device Mount point
1 Destroy Format Unknown Disk (sda)
2 Create Format partition table (MSDOS) Disk (sda)
3 Create Device partition sda1 on Disk
4 Create Format ext4 sda1 on Disk /boot
5 Create Device partition sda2 on Disk
6 Create Format LUKS sda2 on Disk
7 Create Device luks/dm-crypt luks-sda2
8 Create Format physical volume (LVM) luks-sda2
9 Create Device lvmvg qubes_dom0
10 Create Device lvmthinpool qubes_dom0-pool00
11 Create Device lvmthinlv qubes_dom0-root
12 Create Device lvmlv qubes_dom0-swap
13 Create Format swap qubes_dom0-swap
14 Create Format ext4 qubes_dom0-root /
~~~
### Typical Partition Schemes
If you want your partition/LVM scheme to look like the Qubes default but
with a few tweaks, follow these examples. With a single disk, the result
should look something like this:
~~~
NAME SIZE TYPE MOUNTPOINT
sda disk
├──sda1 1G part /boot
└──sda2 part
└──luks-<UUID> crypt
├──qubes_dom0-pool00_tmeta lvm
├──qubes_dom0-pool00_tdata lvm
└──qubes_dom0-swap lvm [SWAP]
~~~
### Encryption Defaults
By default, `cryptsetup 1.7.5` will create a LUKS/dm-crypt volume as follows:
~~~
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
~~~
~~~
$ cryptsetup --help
[...]
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripdemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
~~~
This means that, by default, Qubes inherits these upstream defaults:
- AES-128 [[1]][cryptsetup-faq][[2]][dm-crypt][[3]][tomb-238]
- SHA-256
- `/dev/urandom`
- probably an `iter-time` of one second
If, instead, you'd like to use AES-256, SHA-512, `/dev/random`, and a longer `iter-time`, you can configure encryption manually by following the instructions below.
### Example: Custom LUKS Configuration
Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual console.
1. (Optional) Wipe the disk:
# dd if=/dev/zero of=/dev/sda bs=1M status=progress && sync
2. Create partiions:
# fdisk /dev/sda
n
p
1
+1G
a
n
p
2
(your choice; might want to leave overprovisioning space on an SSD)
p (check and confirm that everything makes sense)
w
4. Create LUKS encrypted volume:
# cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 10000 --verify-passphrase luksFormat /dev/sda2
5. Open encrypted volume:
# cryptsetup open /dev/sda2 luks
6. Create LVM volumes:
# pvcreate /dev/mapper/luks
# vgcreate qubes_dom0 /dev/mapper/luks
# lvcreate -n swap -L 10G qubes_dom0
# lvcreate -T -l +100%FREE qubes_dom0/pool00
# lvcreate -V1G -T qubes_dom0/pool00 -n root
# lvextend -L <size_of_pool00> /dev/qubes_dom0/root
8. Proceed with the installer.
At the disk selection screen, select:
[x] I will configure partitioning.
[ ] Encrypt my data.
Decrypt your partition, then assign `/`, `/boot`, and `swap`.
Proceed normally from there.
## Qubes 3.2
### Installer Defaults
For reference, these are the defaults for a single disk: For reference, these are the defaults for a single disk:
~~~ ~~~
Mount Point: `/` Mount Point: /
Desired Capacity: (your choice) Desired Capacity: (your choice)
Device Type: `LVM` Device Type: LVM
Volume Group: `qubes_dom0` Volume Group: qubes_dom0
File System: `ext4` File System: ext4
Name: `root` Name: root
Mount Point: `/boot` Mount Point: /boot
Desired Capacity: 500 MiB (recommended) Desired Capacity: 500 MiB (recommended)
Device Type: Standard Partition Device Type: Standard Partition
File System: `ext4` File System: ext4
Mount Point: (none) Mount Point: (none)
Desired Capacity: 9.44 GiB (recommended) Desired Capacity: 9.44 GiB (recommended)
Device Type: LVM Device Type: LVM
Volume Group: qubes_dom0 Volume Group: qubes_dom0
File System: `swap` File System: swap
Name: `swap` Name: swap
~~~ ~~~
Typical Partition Schemes ### Typical Partition Schemes
-------------------------
If you want your partition/LVM scheme to look like the Qubes default but If you want your partition/LVM scheme to look like the Qubes default but
with a few tweaks, follow these examples. With a single disk, the result with a few tweaks, follow these examples. With a single disk, the result
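Review bot: The "Example: Custom LUKS Configuration" steps never inspect the result of `luksFormat` in step 4, so the reader gets no confirmation that the non-default cipher, key size and hash were applied; add a `cryptsetup luksDump /dev/sda2` step after it (the Qubes 3.1 section of this file already ends with that command). In the same list the numbering runs 1, 2, 4, 5, 6, 8, "partiions" in step 2 should be "partitions", and `<size_of_pool00>` in step 6 needs a line saying how to obtain the value. The tree under the new "Typical Partition Schemes" also shows only `pool00_tmeta`, `pool00_tdata` and swap with no root volume, and `ripdemd160` in the quoted `cryptsetup --help` output looks like a typo for `ripemd160`.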
@ -80,8 +228,7 @@ If you're using `mdadm` software RAID, it should look something like this:
~~~ ~~~
Example: LVM on LUKS on RAID (R3.2) ### Example: LVM on LUKS on RAID0
-----------------------------------
Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual Boot into the Qubes installer, then press `ctrl`+`alt`+`F2` to get a virtual
console. console.
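Review bot: The new heading narrows "RAID" to "RAID0", but the visible context shows no change to the `mdadm` steps, so please confirm the example really builds a RAID0 array. If it does, a sentence in the intro noting that RAID0 provides no redundancy would help readers who copy this layout for their only dom0 disks.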
@ -128,8 +275,9 @@ console.
Continue normally from here. Continue normally from here.
Manual Encryption Configuration (R3.1) ## Qubes 3.1
--------------------------------------
### Manual Encryption Configuration
Qubes OS uses full disk encryption (FDE) by default. If you are an advanced Qubes OS uses full disk encryption (FDE) by default. If you are an advanced
user who wishes to customize your encryption parameters during installation, user who wishes to customize your encryption parameters during installation,
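Review bot: After this change the sentence "Qubes OS uses full disk encryption (FDE) by default" sits under "## Qubes 3.1", which makes a release-independent statement read as specific to 3.1. Consider moving it to the page introduction, and aligning this section's title with the 4.0 one ("Example: Custom LUKS Configuration"), since both cover the same task.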
@ -191,3 +339,7 @@ configure the encryption options while installing Qubes as follows:
# cryptsetup luksDump /dev/sda2 # cryptsetup luksDump /dev/sda2
[cryptsetup-faq]: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
[dm-crypt]: https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
[tomb-238]: https://github.com/dyne/Tomb/issues/238
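Review bot: The three link definitions added at the end of the file point at whole pages (the cryptsetup FAQ, the Arch dm-crypt page, a Tomb issue), while the text cites all three as support for the single "AES-128" bullet. Link to the specific FAQ item or section anchor, or add a sentence next to the bullet explaining why the compiled-in "aes-xts-plain64, Key: 256 bits" default amounts to AES-128, so the claim does not depend on the reader finding the right paragraph.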