In this tutorial we cover why an open-source host OS and open-source virtualisation software matter for privacy, and then go through every step needed to set them up.
Most people talk about opsec without realising how weak theirs actually is. You wouldn't barricade your bedroom door before barricading the front door, right? Here the hardware and the host OS are the front door and everything else is inside the house. Running a closed-source host OS (Windows, macOS or similar) leaves that front door open: you cannot audit what it does on your machine or what it reports home. So the host OS needs to be Linux; as an example we set up the current Debian stable release.
[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
→ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
--2024-01-30 14:53:15-- https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 194.71.11.173, 194.71.11.163, ...
Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso [following]
--2024-01-30 14:53:15-- https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
Resolving gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)... 194.71.11.137, 2001:6b0:19::137
Connecting to gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)|194.71.11.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658505728 (628M) [application/x-iso9660-image]
Saving to: ‘debian-12.4.0-amd64-netinst.iso’
debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M 6.85MB/s in 83s
2024-01-30 14:54:39 (7.55 MB/s) - ‘debian-12.4.0-amd64-netinst.iso’ saved [658505728/658505728]
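The download above was served by a mirror after a redirect, and nothing so far has checked that the bytes on disk are the ones Debian published. The script below is an added example, not part of the original tutorial: it verifies the ISO against the SHA512SUMS file that cdimage.debian.org publishes next to the image (with its detached signature SHA512SUMS.sign). The function names, the target directory and the local test files are assumptions of this example; the URLs and the signing-key page are real.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check the downloaded ISO against
# Debian's SHA512SUMS before flashing it. Assumes the layout of cdimage.debian.org,
# where SHA512SUMS and a detached signature SHA512SUMS.sign sit next to the ISO;
# the key that signs them must be compared with the fingerprints published at
# https://www.debian.org/CD/verify before trusting the result.

# fetch_sums DIR: download SHA512SUMS and SHA512SUMS.sign into DIR and verify the
# signature. Needs network access and the Debian CD signing key in gpg's keyring.
fetch_sums() {
    base="https://cdimage.debian.org/debian-cd/current/amd64/iso-cd"
    wget -q -P "$1" "$base/SHA512SUMS" "$base/SHA512SUMS.sign" || return 1
    gpg --verify "$1/SHA512SUMS.sign" "$1/SHA512SUMS"
}

# verify_iso SUMS ISO: succeed only if the SHA-512 of ISO equals the digest
# listed for its basename in SUMS. A missing entry counts as failure: a
# checksum file that does not mention the image proves nothing about it.
verify_iso() {
    sums="$1"
    iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name (got $actual)" >&2
        return 1
    fi
    echo "OK: $name matches $sums"
}

# Usage: ./verify-iso.sh ~/Downloads   (fetches the sums, then checks every ISO there)
if [ $# -eq 1 ]; then
    fetch_sums "$1" || exit 1
    for f in "$1"/*.iso; do
        verify_iso "$1/SHA512SUMS" "$f" || exit 1
    done
fi
```

Only flash the stick when verify_iso reports OK and gpg confirmed the signature on SHA512SUMS; a matching checksum from an unsigned file only tells you the mirror was consistent with itself.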
Then flash it onto a USB stick (here is how to do it from Linux):
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 3.6T 0 disk
sdb 8:16 1 14.6G 0 disk
└─sdb1 8:17 1 14.6G 0 part /media/nihilist/022E-0C69
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo umount /media/nihilist/022E-0C69
umount: /media/nihilist/022E-0C69: not mounted.
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 3.6T 0 disk
sdb 8:16 1 14.6G 0 disk
└─sdb1 8:17 1 14.6G 0 part
Write the image to the whole device (/dev/sdb), not to a partition (/dev/sdb1): the ISO ships its own partition table and most firmware will not boot it from inside an existing partition. conv=fsync makes dd wait until the data has actually reached the stick.
→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb bs=8M status=progress conv=fsync
[sudo] password for nihilist:
78+1 records in
78+1 records out
658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s
You can use tools like balenaEtcher to do the same from other OSes such as Windows.
Now that's done, reboot the host and get into the firmware setup (BIOS/UEFI). On this machine that means pressing F2 repeatedly while booting; other vendors use Del, Esc, F10 or F12. Then open the boot selection and pick the USB stick you flashed the Debian image onto.
Follow the installer and put the host OS on the drive you prefer. Make sure the disk is LUKS encrypted: pick the "Guided - use entire disk and set up encrypted LVM" option in the partitioning step and choose a long passphrase, since the disk encryption is what protects the host (and every VM image on it) while the machine is off or seized.
Then make sure it installs a desktop environment (I recommend Cinnamon).
Let the install finish, reboot, and remove the USB stick; the machine should now boot into a clean host OS.
Now that we're in our host OS, let's do a few basic things to harden it. First become root (when a root password is set during the install, Debian does not put the first user in the sudo group), update everything and install a few basics, then give your user (here "nothing", replace it with your own) sudo rights:
nothing@debian:~$ su -
root@debian:~# apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
root@debian:~# usermod -aG sudo nothing
root@debian:~# exit
Log out and back in so the new group membership takes effect, then confirm sudo works:
nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y
Note that apt-transport-tor only does something once the entries in /etc/apt/sources.list use tor+https:// URLs; installing the package by itself changes nothing.
Next, make sure unattended upgrades are enabled so that security updates are installed automatically:
nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
Next, we're going to trim out what we don't need from our host OS. First and foremost, let's get rid of the logs (system and kernel) on a schedule. On a fresh Debian 12 install rsyslog is not present and everything goes to systemd-journald, so the *.log files under /var/log are only part of the picture: the journal in /var/log/journal (or /run/log/journal) has to be cleared as well, and setting Storage=volatile in /etc/systemd/journald.conf stops it from being written to disk at all. The crontab is edited as root:
nothing@debian:~$ su -
root@debian:~# crontab -e # run it as the root user!
* * * * * find /var/log -type f -name '*.log' -exec truncate -s 0 {} + ; journalctl --rotate ; journalctl --vacuum-time=1s ; dmesg -C ; dmesg -n 1
0 * * * * apt clean ; apt autoremove -y
Also uncomment the kernel.printk line in /etc/sysctl.conf so that only emergency, alert and critical kernel messages reach the console (errors and anything less severe are no longer printed), then reload it with sysctl -p or reboot:
root@debian:~# vim /etc/sysctl.conf
root@debian:~# grep printk /etc/sysctl.conf
kernel.printk = 3 4 1 3
Like so we're making sure that log files, the journal and the kernel ring buffer are cleared every minute, and that the kernel stays quiet in between.
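As an added example (not part of the original tutorial), here is the same job as a script that root's crontab can call instead of a long one-liner. It assumes Debian 12 defaults (systemd-journald as the system logger, any rsyslog-style files under /var/log); the function names and the installation path in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the log-clearing job as a script
# for root's crontab, e.g. "* * * * * /usr/local/sbin/wipe-logs --run".
# Assumes Debian 12 defaults: systemd-journald as the system logger, with any
# rsyslog-style files living under /var/log. Files are truncated, not deleted,
# so daemons holding them open keep writing to the same inode and nothing breaks.

# wipe_logs DIR: empty every regular *.log file at any depth under DIR and print
# how many files were emptied. find is used because a single shell redirection
# can only ever target one file, however many globs are written after it.
wipe_logs() {
    dir="$1"
    n=$(find "$dir" -type f -name '*.log' | wc -l | tr -d ' ')
    find "$dir" -type f -name '*.log' -exec truncate -s 0 '{}' +
    echo "$n"
}

# wipe_journal: archive the active journal files and discard every archived one
# (persistent or in /run), then clear the kernel ring buffer and allow only
# emergency messages on the console (dmesg -n 1). Needs root.
wipe_journal() {
    journalctl --rotate
    journalctl --vacuum-time=1s
    dmesg -C
    dmesg -n 1
}

if [ "${1:-}" = "--run" ]; then
    echo "truncated $(wipe_logs /var/log) log files"
    wipe_journal
fi
```

Keep in mind that this only removes what is already on disk once a minute; anything written in between is still there for up to sixty seconds, and journald's Storage=volatile setting is what keeps the system log off the disk in the first place.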
Next, we do not virtualise anything with closed-source software like VMware Workstation. We use QEMU/KVM with virt-manager, an open-source hypervisor stack. libvirt0 on its own is only the client library; the daemon and the x86 system emulator have to be installed explicitly (libvirt-daemon-system pulls in dnsmasq-base for the NAT network, so the full dnsmasq and bridge-utils packages are not needed):
nothing@debian:~$ sudo apt install qemu-system-x86 libvirt-daemon-system virt-manager
nothing@debian:~$ sudo systemctl enable --now libvirtd
nothing@debian:~$ sudo usermod -a -G libvirt nothing
nothing@debian:~$ sudo usermod -a -G kvm nothing
Make sure the libvirt socket belongs to the libvirt group and is group-writable, so your user can drive libvirtd without being root:
nothing@debian:~$ sudo vim /etc/libvirt/libvirtd.conf
nothing@debian:~$ grep '^unix_sock_' /etc/libvirt/libvirtd.conf
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
Then tell QEMU which user and group the VM processes run as. This tutorial runs them as your own user so that disk images kept in your home directory are accessible; be aware that this is weaker than the Debian default (user = "libvirt-qemu"), because a guest that breaks out of QEMU then lands directly in your account instead of an unprivileged one. If you prefer the default, keep the images under /var/lib/libvirt/images and skip this change.
nothing@debian:~$ sudo vim /etc/libvirt/qemu.conf
nothing@debian:~$ grep -E '^(user|group) ' /etc/libvirt/qemu.conf
user = "nothing"
group = "libvirt"
nothing@debian:~$ sudo systemctl restart libvirtd.service
Log out and back in so the libvirt and kvm group memberships apply. Then create the ISOs and VMs folders with the permissions libvirt needs and start virt-manager:
nothing@debian:~$ mkdir ISOs VMs
nothing@debian:~$ sudo chmod 770 -R VMs ISOs
nothing@debian:~$ sudo chown nothing:libvirt -R VMs ISOs
nothing@debian:~$ virt-manager
In virt-manager, check that the NAT network exists and is running: Edit > Connection Details > Virtual Networks should list "default" as active and set to autostart (if it is not, sudo virsh net-start default and sudo virsh net-autostart default bring it up). Then add the two directories as storage pools under Edit > Connection Details > Storage so the ISOs and disk images show up when creating a VM.
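Before the first VM is started it is worth checking that the three things changed above actually ended up the way they should. The script below is an added example, not part of the original tutorial: it reads the socket settings from libvirtd.conf, the run-as user and group from qemu.conf, and the mode and ownership of the VM directory, and fails on any mismatch. All paths and the expected user/group are parameters, so it can be pointed at the live files (/etc/libvirt/libvirtd.conf, /etc/libvirt/qemu.conf, ~/VMs) or at copies; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the libvirt settings the
# tutorial changes before the first VM is started. All paths and the expected
# user/group are parameters, so it can be run against the live files
# (/etc/libvirt/libvirtd.conf, /etc/libvirt/qemu.conf, ~/VMs) or against copies.

# conf_get FILE KEY: print the value of KEY from a libvirt-style config file
# (key = "value", quotes optional), skipping commented-out lines; prints
# nothing if the key is not set.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check LABEL ACTUAL EXPECTED: print one finding line; remember any mismatch in rc.
check() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1 = $2"
    else
        echo "FAIL $1 = '$2' (expected '$3')"
        rc=1
    fi
}

# audit_libvirt LIBVIRTD_CONF QEMU_CONF VMDIR USER GROUP: return 0 only if the
# socket group and permissions, the QEMU run-as user/group, and the VM
# directory's mode and ownership all match what the tutorial sets up.
audit_libvirt() {
    rc=0
    check "unix_sock_group"    "$(conf_get "$1" unix_sock_group)"    "$5"
    check "unix_sock_rw_perms" "$(conf_get "$1" unix_sock_rw_perms)" "0770"
    check "qemu.conf user"     "$(conf_get "$2" user)"               "$4"
    check "qemu.conf group"    "$(conf_get "$2" group)"              "$5"
    check "$3 mode"            "$(stat -c %a "$3")"                  "770"
    check "$3 owner"           "$(stat -c %U:%G "$3")"               "$4:$5"
    return $rc
}

# Usage on the live system:
#   ./audit-libvirt.sh /etc/libvirt/libvirtd.conf /etc/libvirt/qemu.conf ~/VMs nothing libvirt
if [ $# -eq 5 ]; then
    audit_libvirt "$@"
fi
```

A FAIL on the VMs directory mode usually means the recursive chmod was skipped or a file was copied in later with default permissions; a FAIL on the socket group means you are still talking to libvirtd through sudo, which defeats the point of the group setup.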
And now you're all set to start making VMs while maintaining the open-source requirement. If you still need a closed-source OS, run it in a QEMU VM from virt-manager. Always remember that closed-source OSes like Windows belong in a VM, never outside of one.
Additional notes: you can make physical tampering with your laptop detectable by painting its screws with glitter nail polish as shown in Mullvad's tutorial, and make sure your phone does not run a closed-source OS either by using GrapheneOS.
Until there is Nothing left.
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)