| Last tested | ISO | Result |
|---|---|---|
| 2020-09-07 | void-live-x86_64-20191109.iso | PASS |
| 2020-09-07 | void-live-x86_64-musl-20191109.iso | PASS |
| 2020-09-07 | void-live-i686-20191109.iso | PASS |
Bootstrap Void with FDE
Voidvault bootstraps Void with whole system Btrfs on LUKS.
Voidvault works on Void with Intel or AMD x86 CPU. It assumes you are comfortable working on the cmdline, and that you have no need for booting any other operating systems on the target partition.
WARNING: failure to give appropriate values during Voidvault setup could cause catastrophic data loss and system instability.
- whole system Btrfs on LUKS, including encrypted
/boot - runit PID 1
- GPT partitioning
- no swap partition, uses zram via zramen
- GRUB bootloader with both legacy BIOS and UEFI support
- custom GRUB command line username and password
- custom root, admin, guest, and SFTP user account passwords
- custom repository selection for
xbps-install(optional) - adds randomized key to LUKS volume for double password entry avoidance on boot
- configures OpenSSH
- SFTP-only user enforced with OpenSSH
ChrootDirectoryandForceCommand internal-sftp(see: resources/etc/ssh/sshd_config)
- SFTP-only user enforced with OpenSSH
- uses nftables instead of iptables (see: resources/etc/nftables.conf)
- configures kernel parameters with Sysctl (see: resources/etc/sysctl.d/99-sysctl.conf)
- blacklists kernel modules for floppy drives, beeping speakers, Intel ME, firewire, bluetooth and thunderbolt (see: resources/etc/modprobe.d/modprobe.conf)
- configures dnscrypt-proxy
- server must support DNS security extensions (DNSSEC)
- always use TCP to connect to upstream servers
- create new, unique key for each DNS query
- disable TLS session tickets
- unconditionally use fallback resolver
- wait up to 7 minutes for network connectivity at startup
- disable DNS cache
- modify
/etc/resolv.conf(see: resources/etc/resolvconf.conf)
- forces password entry with every
sudo- passwordless
sudo rebootandsudo shutdown
- passwordless
- ten minute shell timeout, your current shell or user session will end after ten minutes of inactivity (see: resources/etc/profile.d/shell-timeout.sh)
- hides process information from all other users besides admin
- denies console login as root
- disables GRUB recovery mode
- uses mq-deadline I/O scheduler for SSDs, BFQ for HDDs (see: resources/etc/udev/rules.d/60-io-schedulers.rules)
- enables runit service for dnscrypt-proxy, nftables and socklog
- configures Xorg, but does not install any Xorg packages (see: resources/etc/X11)
- optionally disables IPv6, and makes IPv4-only adjustments to dhcpcd, dnscrypt-proxy, openresolv, OpenSSH
/dev/sdX1is the BIOS boot sector (size: 2MB)/dev/sdX2is the EFI system partition (size: 550MB)/dev/sdX3is the root Btrfs filesystem on LUKS (size: remainder)
Voidvault creates the following Btrfs subvolumes with a flat layout:
| Subvolume name | Mounting point |
|---|---|
@ |
/ |
@home |
/home |
@opt |
/opt |
@srv |
/srv |
@var |
/var |
@var-cache-xbps |
/var/cache/xbps |
@var-lib-ex |
/var/lib/ex |
@var-log |
/var/log |
@var-opt |
/var/opt |
@var-spool |
/var/spool |
@var-tmp |
/var/tmp |
Voidvault disables Btrfs CoW on /srv,
/var/lib/ex, /var/log, /var/spool and /var/tmp.
Voidvault mounts directories /srv, /tmp, /var/lib/ex, /var/log,
/var/spool and /var/tmp with options nodev,noexec,nosuid.
Bootstrap Voidvault. Must be run as root.
Supply options interactively (recommended):
voidvault newSupply options via environment variables:
export VOIDVAULT_ADMIN_NAME="live"
export VOIDVAULT_ADMIN_PASS="your admin user's password"
voidvault newVoidvault recognizes the following environment variables:
VOIDVAULT_ADMIN_NAME="live"
VOIDVAULT_ADMIN_PASS="your admin user's password"
VOIDVAULT_ADMIN_PASS_HASH='$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0'
VOIDVAULT_GUEST_NAME="guest"
VOIDVAULT_GUEST_PASS="your guest user's password"
VOIDVAULT_GUEST_PASS_HASH='$6$rounds=700000$H0WWMRVAqKMmJVUx$X9NiHaL.cvZ1/nQzUL5fcRP12wvOyrZ/0YV57cFddcTEkVZKbtIBv48EEd4SVu.1D5RWVX43dfTuyudYem0gf0'
VOIDVAULT_SFTP_NAME="variable"
VOIDVAULT_SFTP_PASS="your sftp user's password"
VOIDVAULT_SFTP_PASS_HASH='$6$rounds=700000$H0WWMRVAqKMmJVUx$X9NiHaL.cvZ1/nQzUL5fcRP12wvOyrZ/0YV57cFddcTEkVZKbtIBv48EEd4SVu.1D5RWVX43dfTuyudYem0gf0'
VOIDVAULT_GRUB_NAME="grub"
VOIDVAULT_GRUB_PASS="your grub user's password"
VOIDVAULT_GRUB_PASS_HASH='grub.pbkdf2.sha512.25000.4A7BC4FE022FA7E7D32B0B132B4AA5A61A63C8076FF6A8AF38C718FF334772E499F45D186C9EECF3622E7BA24B02C24F283261AE2D18163D54FD2CAF7FF3F7B7610F85AAB2BB7BAF806EF381B73730D5032E9CF75548C8BA1813B62121DC29A75E677ED6.5C1B9525BDE9F79A90221DC423AA66D1108731C8F2F5B0A9DC74279562242F05A8CCA4522706A2A74308B272EC05D0ACC1DCDA7263B09BF2F4C006623B3CEC842AC061B6D73B09A0067B23E9BF8560F053F940D5061F413C23C9F4544FDFC3F9BD026FB7'
VOIDVAULT_ROOT_PASS="your root password"
VOIDVAULT_ROOT_PASS_HASH='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1'
VOIDVAULT_VAULT_NAME="vault"
VOIDVAULT_VAULT_PASS="your LUKS encrypted volume's password"
VOIDVAULT_HOSTNAME="vault"
VOIDVAULT_PARTITION="/dev/sdb"
VOIDVAULT_PROCESSOR="other"
VOIDVAULT_GRAPHICS="intel"
VOIDVAULT_DISK_TYPE="usb"
VOIDVAULT_LOCALE="en_US"
VOIDVAULT_KEYMAP="us"
VOIDVAULT_TIMEZONE="America/Los_Angeles"
VOIDVAULT_REPOSITORY="/path/to/void/repository"
VOIDVAULT_IGNORE_CONF_REPOS=1
VOIDVAULT_AUGMENT=1
VOIDVAULT_DISABLE_IPV6=1Supply options via cmdline flags:
voidvault --admin-name="live" \
--admin-pass="your admin user's password" \
--guest-name="guest" \
--guest-pass="your guest user's password" \
--sftp-name="variable" \
--sftp-pass="your sftp user's password" \
--grub-name="grub" \
--grub-pass="your grub user's password" \
--root-pass="your root password" \
--vault-name="vault" \
--vault-pass="your LUKS encrypted volume's password" \
--hostname="vault" \
--partition="/dev/sdb" \
--processor="other" \
--graphics="intel" \
--disk-type="usb" \
--locale="en_US" \
--keymap="us" \
--timezone="America/Los_Angeles" \
--repository="/path/to/void/repository" \
--ignore-conf-repos \
--augment \
newGenerate a password hash suitable for creating Linux user accounts or password-protecting the GRUB command line.
voidvault gen-pass-hash
Enter new password:
Retype new password:
$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0An example of using the generated hash with Voidvault:
voidvault \
--admin-name='live' \
--admin-pass-hash='$6$rounds=700000$sleJxKNAgRnG7E8s$Fjg0/vuRz.GgF0FwDE04gP2i6oMq/Y4kodb1RLTbR3SpABVDKGdhCVfLpC5LwCOXDMEU.ylyV40..jrGmI.4N0' \
newList system information including keymaps, locales, timezones, and partitions.
It's recommended to run voidvault ls <keymaps|locales|timezones>
before running voidvault new to ensure Voidvault types
Keymap, Locale, Timezone are working properly (see:
doc/TROUBLESHOOTING.md).
List keymaps:
voidvault ls keymapsList locales:
voidvault ls localesList partitions:
voidvault ls partitionsList timezones:
voidvault ls timezonesDisable the Copy-on-Write attribute for Btrfs directories.
voidvault -r disable-cow dest/See: INSTALL.md.
| Name | Provides | Included in Void ISO¹? |
|---|---|---|
| btrfs-progs | Btrfs support | Y |
| coreutils | chmod, chown, chroot, cp, rm |
Y |
| cryptsetup | FDE with LUKS | Y |
| dosfstools | create VFAT filesystem for UEFI with mkfs.vfat |
Y |
| e2fsprogs | chattr |
Y |
| efibootmgr | UEFI support | Y |
| expect | interactive command prompt automation | N |
| glibc² | libcrypt, locale data in /usr/share/i18n/locales |
Y |
| gptfdisk | GPT disk partitioning with sgdisk |
N |
| grub | FDE on /boot, grub-mkpasswd-pbkdf2 |
Y |
| kbd | keymap data in /usr/share/kbd/keymaps, setfont |
Y |
| kmod | modprobe |
Y |
| libressl | user password salts | Y |
| musl² | libcrypt | Y |
| procps-ng | pkill |
Y |
| rakudo | voidvault Raku runtime |
N |
| tzdata | timezone data in /usr/share/zoneinfo/zone.tab |
Y |
| util-linux | hwclock, lsblk, mkfs, mount, umount, unshare |
Y |
| xbps | xbps-install, xbps-query, xbps-reconfigure |
Y |
¹: the official installation medium
²: glibc or musl
| Name | Provides | Included in Void ISO? |
|---|---|---|
| dialog | ncurses user input menu | Y |
dialog is needed if you do not provide by cmdline flag or environment
variable values for all configuration options aside from:
--admin-name--admin-pass-hash--admin-pass--augment--disable-ipv6--grub-name--grub-pass-hash--grub-pass--guest-name--guest-pass-hash--guest-pass--hostname--ignore-conf-repos--repository--root-pass-hash--root-pass--sftp-name--sftp-pass-hash--sftp-pass--vault-name--vault-pass
For these options, console input is read with either cryptsetup or
the built-in Raku subroutine prompt().
No console input is read for configuration options:
--admin-pass-hash--augment--disable-ipv6--grub-pass-hash--guest-pass-hash--ignore-conf-repos--repository--root-pass-hash--sftp-pass-hash
For user input of all other options, the dialog program is used.
This is free and unencumbered public domain software. For more information, see http://unlicense.org/ or the accompanying UNLICENSE file.