You don't have to trust images downloaded from random internet locations signed with untrusted keys. You can build one from scratch yourself, and this is the recommended procedure for maximum security. For guidance on how to build images see the manpage for the *freedombone-image* command.
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
#+BEGIN_SRC bash
freedombone-image -t beaglebone -s 8G
#+END_SRC
If you prefer an advanced installation with all of the options available then use:
#+BEGIN_SRC bash
freedombone-image -t beaglebone -s 8G --minimal no
* Have some domains, or subdomains, registered with a dynamic DNS service. For the full install you may need two "official" purchased domains or be using a subdomain provider which is supported by Let's Encrypt.
* System with a new installation of Debian Jessie or a downloaded/prepared disk image
* Ethernet connection between the system and your internet router
* That it is possible to forward ports from the internet router to the system, typically via firewall settings
* Have ssh access to the system, typically via fbone@freedombone.local on port 2222
* Installation
There are three install options: Laptop/Desktop/Netbook, SBC and Virtual Machine.
** On a Laptop, Netbook or Desktop machine
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
If there is no existing image available then you can build one from scratch. See the section above on how to do that. If an existing image is available then you can download it and check the signature with:
With the drive removed and inserted. Copying to the microSD will take a while, so go and do something less boring instead. When it's complete remove it from your system and insert it into the SBC. Connect an ethernet cable between the SBC and your internet router, then connect the power cable. On the Beaglebone Black you will see some flashing LEDs, but on other SBCs there may not be any visual indication that anything is booting.
With the board connected and running you can ssh into the system with:
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password and then you can proceed through the rest of the installation.
During the install procedure you will be asked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
** You have the gnupg keyring on an encrypted USB drive
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
** You have a number of key fragments on USB drives retrieved from friends
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more [[Keydrives]].
** You can specify some ssh login details for friends servers containing key fragments
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][done from the /Disk Utility/ application]]. Then plug it into the Freedombone system, then from your local machine run:
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][can be done from the /Disk Utility/ application]]. Plug it into the Freedombone system then from your local machine run the following commands:
Fragments are randomly assigned and so you will need at least three or four keydrives to have enough fragments to reconstruct your original key in a worst case scenario. You can store fragments for different Freedombone systems on the same encrypted USB drive, so you can help to ensure that your friends can also recover their systems. This might be called "/the web of backups/" or "/the web of encryption/". Since you can only write a single key fragment from your Freedombone system to a given USB drive each friend doesn't have enough information to decrypt your backups or steal your identity, even if they turn evil. This is based on the assumption that it may be difficult to get three or more friends to conspire against you all at once.
You can configure laptops or desktop machines which connect to the Freedombone server in the following way. This alters encryption settings to improve overall security.
From there you will be able to perform various tasks, such as backups, adding and removing users and so on. You can also do this via commands, which are typically installed as /usr/local/bin/freedombone* and the corresponding manpages.