Skip to content

Instantly share code, notes, and snippets.

View RENANZG's full-sized avatar
📤
💥 ฅ^•ﻌ•^ฅ

Renan Zamboni Gomes RENANZG

📤
💥 ฅ^•ﻌ•^ฅ
View GitHub Profile
@meeas
meeas / DebianSid_on_LUKS-BTRFS_with_systemd-boot.md
Last active June 9, 2024 07:46
For installing Debian Sid with LUKS2 encrypted BTRFS filesystem with Systemd-boot and rEFInd bootloaders plus an option for dualboot to Windows

For directly installing Debian Sid not supported by the Debian installer, namely:

  • Single LUKS2 encrypted partition which contains the full installation
  • Single BTRFS filesystem (integrated home partition)
  • Encrypted swapfile in BTRFS subvolume (supports laptop suspend but not hibernate)
  • Uses systemd-boot bootloader (instead of Grub2, also optional rEFInd instructions)
  • Minimal Gnome install (plus instructions for any other DE you wish)
  • Proper user groups for common security tools like sudo-less Wireshark, etc...
  • Optional removal of crypto keys from RAM during laptop suspend
  • Optional configurations for laptops (including fingerprint readers)

1. Introduction

Hello,

this guide is aimed at people who are currently going out to protest in the US. It contains tips and advice on how to communicate securely and avoid surveillance during the demonstrations. It contains proven techniques from Hong Kong mixed with general security advice. This guide is aimed to be easy to understand, there is no explanation of the underlying technologies. If you are a technologist and you want to have a discussion or advice on how to improve the guide presented here, write me an e-mail: b6461bd246843f70ac1328401405b2b4e725994d@protonmail.com.

2. Communication

The most important step is to make sure you can communicate securely without being surveilled. You need a way to communicate privately with your peer group and a way to stay up to date with what's happening around you and where demonstrations are taking place. For that, it's recommended to use two apps: Telegram and Signal. You can find them on either Google's Play Store if you're on Android or Apple's Appsto

@lijikun
lijikun / dkms-kmod-auto-mok-signing.md
Last active June 20, 2024 20:12
Automatic Signing of DKMS-Generated Kernel Modules for Secure Boot

Automatic Signing of DKMS-Generated Kernel Modules for Secure Boot (Nvidia Driver on CentOS 8 as Example)

First I thank Nvidia for sponsoring the video card.

Secure Boot isn't exactly easy to configure to work with Linux and disabling it isn't really a good idea. Many modern Linux distributions provide the Microsoft-signed shim EFI binary to interpose between Secure Boot and the grub2 bootloader, making booting Linux easy enough if you only ever use kernels and drivers from the official repos. Still, enabling Secure Boot prevents the loading of kernel or modules without a proper digital signature. For example, the propriatary Nvidia GPU driver won't work, unless your distro really went to great lengths to distribute a signed version of the kernel module.

To make Secure Boot play nicely with the driver (i.e. to work at all), we can generate and import a Machine Owner Key (MOK)

@darrenldl
darrenldl / ubuntu_luks_keyfile_guide.md
Last active July 14, 2023 17:18
Ubuntu keyfile boot

Ubuntu LUKS keyfile guide

Goal

We want to be able to set up an encrypted Ubuntu installation where we can unlock using just an external USB key without entering any passwords

We do not consider evil maid attacks in this case, and are only worried about data leak

We also assume USB key is kept securely, thus we are not concerned with USB key not being encrypted

@da-n
da-n / usb-unlock-luks.md
Created August 24, 2019 13:11
Unlock LUKS full disk with USB stick

Configuration for passwordless root filesystem

Source: https://www.howtoforge.com/tutorial/passwordless-encryption-of-linux-root-partition/

The process of entering the passphrase at boot time will now be automated using an USB memory stick. Instead of using a passphrase , the secret key on the USB will decrypt the encrypted volumes. Connect an USB stick to the VM and locate it using the dmesg command. It is detected as /dev/sdb in my VM.

The secret key of 8192 random byte is extracted from the usb stick using the dd command.

dd if=/dev/sdb of=/root/secret.key bs=512 skip=4 count=16
  • Based on https://gist.github.com/mdziekon/221bdb597cf32b46c50ffab96dbec08a
  • Installation date: 16-08-2019
  • Additional notes based on my own experience
  • EFI boot
  • Ubuntu 19.04 -> 21.04
  • This should work on any computer. Only the RAID > AHCI change described below and the device name for the nvme ssd drive are specific to this laptop.
  • The process describes a completely fresh installation with complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled) as long as Windows already boots with EFI.
  • The process was conducted on Dell's XPS 15 9560 (2017) with specs:
  • CPU: i7-7700HQ
@gbrlsnchs
gbrlsnchs / README.md
Last active June 8, 2024 17:58
Void Linux Installation Guide (UEFI + chroot + brtfs + LUKS-encrypted root and swapfile)

Installation guide for Void Linux with LUKS-encrypted btrfs root

NOTE

I have ported this Gist to a handbook. I'll not maintain this Gist anymore, but will keep it here for future references. You can access the respective chapter in the handbook here.

Introduction

In this guide you will find:

  • btrfs with Zstandard compression
  • LUKS-encrypted root and swapfile
  • GRUB with UEFI
@HardenedArray
HardenedArray / Efficient UEFI Encrypted Root and Swap Arch Linux Installation Procedure with an ENCRYPTED BOOT
Last active May 14, 2024 13:45
Efficient UEFI Encrypted Root and Swap Arch Linux Installation with an ENCRYPTED BOOT
# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems with an ENCRYPTED BOOT and boot from UEFI. We will
also decrypt and mount our entire encrypted system using a single LUKS passphrase entry.
# Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.
# External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but
# only when the installation is correctly set up. There are several necessary changes to my standard procedure you'll want
# to make during the install process. Read my External USB HDD/SSD Installation section below before proceeding.
@reillysiemens
reillysiemens / signing-vbox-kernel-modules.md
Last active June 20, 2024 02:56
Signing VirtualBox Kernel Modules

Signing VirtualBox Kernel Modules

These are the steps I followed enable VirtualBox on my laptop without disabling UEFI Secure Boot. They're nearly identical to the process described on [Øyvind Stegard's blog][blog], save for a few key details. The images here are borrowed from the [Systemtap UEFI Secure Boot Wiki][systemtap].

  1. Install the VirtualBox package (this might be different for your platform).
    src='https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo'
@judy2k
judy2k / phony.py
Created January 23, 2019 16:32
Phony! Fake phone number generator.
#!/usr/bin/env python3
import argparse
from random import randint, choice
def uk():
return randint(447700900000, 447700900999+1)
def us_area_code():