The Freedombone system can be installed onto a Beaglebone Black, or any system capable of running Debian Jessie, and allows you to host your own email and web services. With Freedombone you can enjoy true freedom and independence in the cloud. It comes in a variety of flavours.
Freedombone has an emphasis on security and privacy, and when installed on a Beaglebone Black it uses the built-in hardware random number generator as an entropy source. All communications with the box are encrypted by default using the recommendations from https://bettercrypto.org. The firewall is configured to only allow communications on the necessary ports and to drop all other packets, icmp is disabled by default, emails are stored in encrypted form using your public key and time synchronisation occurs via TLS only. Backups are also encrypted and can be local or remote.
You don't have to trust images downloaded from random internet locations signed with untrusted keys. You can build one from scratch yourself, and this is the recommended procedure for maximum security. For guidance on how to build images see the manpage for the **freedombone-image** command.
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
freedombone-image -t beaglebone -s 8G
If you prefer an advanced installation with all of the options available then use:
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
If there is no existing image available then you can build one from scratch. See the section above on how to do that. If an existing image is available then you can download it and check the signature with:
gpg --verify filename.img.asc
And the hash with:
sha256sum filename.img
If the image is compressed then decompress it with:
tar -xjvf filename.tar.bz2
Then copy it to a microSD card. Depending on your system you may need an adaptor to be able to do that.
Where **sdX** is the microSD drive. You can check which drive is the microSD drive using:
ls /dev/sd*
With the drive removed and inserted. Copying to the microSD will take a while, so go and do something less boring instead. When it's complete remove it from your system and insert it into the SBC. Connect an ethernet cable between the SBC and your internet router, then connect the power cable. On the Beaglebone Black you will see some flashing LEDs, but on other SBCs there may not be any visual indication that anything is booting.
With the board connected and running you can ssh into the system with:
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password then you can proceed through the installation.
Social Key Management (aka "The Unforgettable Key")
If you are using the interactive installer then you will be aked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
**You have the gnupg keyring on an encrypted USB drive**
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
**You have a number of key fragments on USB drives retrieved from friends**
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more **Keydrives**.
**You can specify some ssh login details for friends servers containing key fragments**
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Then plug it into the Freedombone system, then from your local machine run:
ssh myusername@mydomainname -p 2222
sudo control
Select *Backup and Restore* then *Backup GPG key to USB (master keydrive)*.
**Fragment keydrives**
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Plug it into the Freedombone system then from your local machine run the following commands:
ssh myusername@mydomainname -p 2222
sudo control
Select *Backup and Restore* then *Backup GPG key to USB (fragment keydrive)*.
Fragments are randomly assigned and so you will need at least three or four keydrives to have enough fragments to reconstruct your original key in a worst case scenario. You can store fragments for different Freedombone systems on the same encrypted USB drive, so you can help to ensure that your friends can also recover their systems. This might be called *"the web of backups"* or *"the web of encryption"*. Since you can only write a single key fragment from your Freedombone system to a given USB drive each friend doesn't have enough information to decrypt your backups or steal your identity, even if they turn evil. This is based on the assumption that it may be difficult to get three or more friends to conspire against you all at once.
Passwords
=========
Passwords for server applications are randomly generated and can be found within **/home/username/README** after the system has fully installed. You should move those passwords into a password manager, such as KeepassX.
Administering the system
========================
To administer the system after installation log in via ssh, become the root user and then launch the control panel.
ssh fbone@freedombone.local -p 2222
sudo control
From there you will be able to perform various tasks, such as backups, adding and removing users and so on. You can also do this via commands, which are typically installed as /usr/local/bin/freedombone* and the corresponding manpages.