meeas

For directly installing Debian Sid not supported by the Debian installer, namely:

• Single LUKS2 encrypted partition which contains the full installation
• Single BTRFS filesystem (integrated home partition)
• Encrypted swapfile in BTRFS subvolume (supports laptop suspend but not hibernate)
• Uses systemd-boot bootloader (instead of Grub2, also optional rEFInd instructions)
• Minimal Gnome install (plus instructions for any other DE you wish)
• Proper user groups for common security tools like sudo-less Wireshark, etc...
• Optional removal of crypto keys from RAM during laptop suspend
• Optional configurations for laptops (including fingerprint readers)

b6461bd246843f70ac1328401405b2b4e72599d

1. Introduction

Hello,

this guide is aimed at people who are currently going out to protest in the US. It contains tips and advice on how to communicate securely and avoid surveillance during the demonstrations. It contains proven techniques from Hong Kong mixed with general security advice. This guide is aimed to be easy to understand, there is no explanation of the underlying technologies. If you are a technologist and you want to have a discussion or advice on how to improve the guide presented here, write me an e-mail: b6461bd246843f70ac1328401405b2b4e725994d@protonmail.com.

2. Communication

The most important step is to make sure you can communicate securely without being surveilled. You need a way to communicate privately with your peer group and a way to stay up to date with what's happening around you and where demonstrations are taking place. For that, it's recommended to use two apps: Telegram and Signal. You can find them on either Google's Play Store if you're on Android or Apple's Appsto

lijikun

Automatic Signing of DKMS-Generated Kernel Modules for Secure Boot (Nvidia Driver on CentOS 8 as Example)

First I thank Nvidia for sponsoring the video card.

Secure Boot isn't exactly easy to configure to work with Linux and disabling it isn't really a good idea. Many modern Linux distributions provide the Microsoft-signed shim EFI binary to interpose between Secure Boot and the grub2 bootloader, making booting Linux easy enough if you only ever use kernels and drivers from the official repos. Still, enabling Secure Boot prevents the loading of kernel or modules without a proper digital signature. For example, the propriatary Nvidia GPU driver won't work, unless your distro really went to great lengths to distribute a signed version of the kernel module.

To make Secure Boot play nicely with the driver (i.e. to work at all), we can generate and import a Machine Owner Key (MOK)

darrenldl

Ubuntu LUKS keyfile guide

Goal

We want to be able to set up an encrypted Ubuntu installation where we can unlock using just an external USB key without entering any passwords

We do not consider evil maid attacks in this case, and are only worried about data leak

We also assume USB key is kept securely, thus we are not concerned with USB key not being encrypted

da-n

Configuration for passwordless root filesystem

Source: https://www.howtoforge.com/tutorial/passwordless-encryption-of-linux-root-partition/

The process of entering the passphrase at boot time will now be automated using an USB memory stick. Instead of using a passphrase , the secret key on the USB will decrypt the encrypted volumes. Connect an USB stick to the VM and locate it using the dmesg command. It is detected as /dev/sdb in my VM.

The secret key of 8192 random byte is extracted from the usb stick using the dd command.

dd if=/dev/sdb of=/root/secret.key bs=512 skip=4 count=16

luispabon

• Based on https://gist.github.com/mdziekon/221bdb597cf32b46c50ffab96dbec08a
• Installation date: 16-08-2019
• Additional notes based on my own experience
• EFI boot
• Ubuntu 19.04 -> 21.04
• This should work on any computer. Only the RAID > AHCI change described below and the device name for the nvme ssd drive are specific to this laptop.
• The process describes a completely fresh installation with complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled) as long as Windows already boots with EFI.
• The process was conducted on Dell's XPS 15 9560 (2017) with specs:
• CPU: i7-7700HQ

gbrlsnchs

Installation guide for Void Linux with LUKS-encrypted btrfs root

NOTE

I have ported this Gist to a handbook. I'll not maintain this Gist anymore, but will keep it here for future references. You can access the respective chapter in the handbook here.

Introduction

In this guide you will find:

• btrfs with Zstandard compression
• LUKS-encrypted root and swapfile
• GRUB with UEFI

HardenedArray

# OBJECTIVE:  Install Arch Linux with encrypted root and swap filesystems with an ENCRYPTED BOOT and boot from UEFI.  We will
also decrypt and mount our entire encrypted system using a single LUKS passphrase entry.

# Note:  This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.

# External USB HDD/SSD Installers Notes:  Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but
# only when the installation is correctly set up.  There are several necessary changes to my standard procedure you'll want
# to make during the install process.  Read my External USB HDD/SSD Installation section below before proceeding.

reillysiemens

Signing VirtualBox Kernel Modules

These are the steps I followed enable VirtualBox on my laptop without disabling UEFI Secure Boot. They're nearly identical to the process described on [Øyvind Stegard's blog][blog], save for a few key details. The images here are borrowed from the [Systemtap UEFI Secure Boot Wiki][systemtap].

1. Install the VirtualBox package (this might be different for your platform).

   src='https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo'

judy2k

#!/usr/bin/env python3

import argparse
from random import randint, choice

def uk():
    return randint(447700900000, 447700900999+1)


def us_area_code():