This page describes the general usage scenarios, focusing mainly on security and anonymity features. Using Liberté Linux should be otherwise intuitive (more so if you are familiar with Linux, but not necessarily).
Find out how to enable booting from USB, which may be as simple as pressing Esc during POST, and choosing the corresponding option. Press Tab in the Liberté boot menu to change the kernel options. The settings may be made permanent in liberte/boot/…:
syslinux/syslinux.cfg — for BIOS boot
grub/grub.cfg — for (U)EFI boot
Comments in these configuration files summarize the effects of various boot options, some of which are listed at the end of this section.
If it is the first time that you boot Liberté, you will be asked to provide a new password for encrypting the OTFE volume (located in the otfe directory). You will need to enter that password upon each subsequent boot sequence.
During the first boot, cables communication certificates will be generated, too. It is a time-intensive operation due to the asymmetric key size, and typically takes a few minutes.
If possible, use proper shutdown procedures (via logout menu or short power-off button press) which ensure clean states for all writable filesystems (including the encrypted volume). It is, however, possible to just pull out the USB stick — the computer will immediately power off. In either case, RAM is cleared just prior to the actual shutdown / reboot.
Picking a secure password for the encrypted volume is extremely important, since all of the user’s persistent data is kept on this virtual partition, accessible via the ~/persist directory. Do not take the various security “experts” (typically, trained system administration monkeys) too seriously, and consider writing the (long) passphrase down on something that is secured and that you will not carry with the boot media.
You should make regular backups of the .vol file in the otfe directory (the volume header is already backed up in the same directory). Erasing the .vol file is equivalent to making a fresh install of Liberté Linux. Upgrading Liberté, on the other hand, does not affect the encrypted volume, and is backward-compatible with the volume contents.
Removing settings/config.tar.xz on the volume resets the user configuration in ~/config — remove the file and pull out the USB stick after pressing Win-S to achieve that. Adding nosettings to the boot options temporarily inhibits extraction and saving of user configuration. Note that important data such as cables identity and mailboxes / message queues, hashed passwords, encryption keys, etc. is stored directly in ~/persist, and should not be affected when user configuration is removed. Configuration exclusion patterns can be customized in ~/config/persist.excludes.
The volume can be transparently resized by running sudo otfe-resize in a terminal.
If you only modify data on the encrypted volume, no traces will be left on the computer after shutdown. However, all accessible media (including removable disks) are available at /media. Opening a subdirectory actually mounts the corresponding disk or partition. Each NTFS filesystem has two possible mount points: read-write and read-only. It is advised to use the read-only mount point in order to avoid leaving traces on the filesystem. Note that if the system has been hibernated in Windows, only the read-only mount point is accessible. Other journaling filesystems (ext3, ext4) are always mounted read-only.
Whenever necessary, use secure file deletion (srm -f) to erase files on unencrypted filesystems. Multiple rewrites are unnecessary and misguided due to on-controller write caching — just use the fast rewrite mode. Note that modern flash memory devices with wear leveling (as well as modern HDDs with automatic bad sector remapping) cannot guarantee such secure file deletion.
Always synchronize pending writes (Win-S) before extracting removable media.
Wireless MAC addresses are automatically changed during boot. If you are connecting via an Ethernet cable, and DHCP IP address assignment does not depend on the MAC being left intact, you can change the latter by running sudo mac-randomize in a terminal.
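The following is an added illustration of what a MAC randomizer has to get right (it is not Liberté’s mac-randomize code; the scheme used is an assumption): the new address must be unicast and flagged as locally administered, so that it neither collides with multicast space nor impersonates a registered vendor OUI.

```python
import os
import re

# Six colon-separated hex octets, lowercase.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac() -> str:
    """Return a random unicast, locally administered MAC address.

    In the first octet, bit 0 (I/G) is cleared so the address is unicast and
    bit 1 (U/L) is set so it is flagged as locally administered rather than
    claiming a vendor OUI. Assumption: this is a common scheme, not
    necessarily what Liberté's own mac-randomize does.
    """
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return ":".join(f"{b:02x}" for b in octets)


def is_randomized_unicast(mac: str) -> bool:
    """Check that a MAC is well-formed, unicast and locally administered."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    # I/G bit (0x01) must be clear, U/L bit (0x02) must be set.
    return (first & 0x03) == 0x02


def oui(mac: str) -> str:
    """Return the first three octets, the vendor prefix that identifies the
    hardware before randomization and should not survive it."""
    return mac.lower()[:8]
```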
Some wireless networks (mainly unsecured hotspots, but sometimes secured networks with guest authentication) require web registration before full connectivity is available. Since all network traffic in Liberté is routed via Tor, which requires such connectivity to operate, this situation is problematic. The solution is to run the Unsafe Browser (which bypasses the firewall) in order to register. Some networks also require bringing the connection down and up after the registration. Needless to say, Unsafe Browser is unsafe, —K.O.
When setting up a VPN connection (including PPTP that is used by some ISPs), the server address must be given as a numeric IP address. Use tor-resolve in a console to resolve a hostname without leaking DNS requests. Note that the Unsafe Browser’s traffic goes through the VPN circuit, if one has been set up (assuming default routes).
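As an added example (not part of the original page or of Liberté’s own tooling), this helper turns a VPN server specification into the numeric address the VPN client needs, sending any hostname lookup through tor-resolve and failing closed rather than falling back to the system resolver. It assumes tor-resolve is on PATH and prints one address on stdout; the resolver parameter exists so the logic can be tested without Tor.

```python
import ipaddress
import subprocess
from typing import Callable


def tor_resolve(hostname: str) -> str:
    """Resolve a hostname with the tor-resolve command, so the lookup itself
    travels over Tor. Assumes tor-resolve is installed and on PATH."""
    completed = subprocess.run(["tor-resolve", hostname], capture_output=True,
                               text=True, check=True, timeout=60)
    return completed.stdout.strip()


def vpn_server_address(server: str,
                       resolver: Callable[[str], str] = tor_resolve) -> str:
    """Return a numeric IP for `server`, never touching the system resolver.

    An IP literal is returned unchanged without any lookup. A hostname is
    passed to `resolver` (tor-resolve by default). Any failure raises instead
    of falling back to socket.gethostbyname, which would leak the query
    outside Tor.
    """
    try:
        return str(ipaddress.ip_address(server))
    except ValueError:
        pass  # not a literal: resolve it through Tor
    if not server or any(c.isspace() for c in server):
        raise ValueError(f"invalid hostname: {server!r}")
    answer = resolver(server).strip()
    try:
        return str(ipaddress.ip_address(answer))
    except ValueError:
        raise RuntimeError(
            f"tor-resolve returned no usable address for {server!r}: {answer!r}"
        ) from None
```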
NOTE: I2P support is currently experimental and is disabled by default. To enable I2P (for both browsing and cables communication), add i2p to the kernel parameters in the boot menu, or modify the relevant entry in syslinux.cfg.
Do not visit unfamiliar sites, since they expose the browser to local exploits. Enable scripting only for trusted sites. Connecting to non-https non-onion sites (i.e., most websites) exposes the traffic on the Tor exit node. The same is true for non-SSL connections to IRC and IM servers. Note that https/SSL communication is only secure between you and the server. E.g., administrative access to an IRC server allows recording all private messages and channel communication where one of the participants is connected to that server.
The Language and Time Zone applet, accessible via Preferences in the start menu, provides a list of UI locales, timezones, and keyboard layouts (e.g., German qwertz or French azerty). Re-login into the X session to activate the changes.
Input languages can be selected by clicking on the uim icons near the tray. Note the difference between languages and keyboard layouts above.
In the X server environment, the system can be locked with the Win-L key sequence, by running xlock via the menu, or by closing the laptop lid. During the first lock attempt, you will be prompted for a password to permanently store as a secure hash. To unlock, blindly type the password preceded and followed by the Enter key. After successfully unlocking the system, all delayed tray notification events (if any) will be activated. To reset the password, remove ~/persist/security/lock/passwd.*.
Keybinding in Openbox | Action |
---|---|
Win-E, Win-T, Win-C | File explorer, Terminal, Calculator |
Win-L, Win-D, Display | Lock screen, Show / restore desktop, Monitor(s) settings |
Win-S, Win-Escape | Synchronize media, Logout |
Win-F1, -F2, … | Show desktop №1, 2, … |
Ctrl / Shift-Alt-Left / Right | Switch / send window to left / right desktop |
Print / Alt-Print | Take desktop / window snapshot |
Mail, WWW | Mail user agent, Internet browser |
AudioMute | Toggle master audio output |
AudioRaiseVolume / AudioLowerVolume | Raise / lower master audio volume by 5% |
Alt-Tab, Alt-Escape, Alt-F4 | Switch windows, Minimize window, Close window |
Ctrl-Space | Toggle selected language (uim keybinding) |
The gentoo= prefix below is optional, and can combine several parameters (e.g., gentoo=nox,root).
Boot option | Effect |
---|---|
readonly | Set read-only access for the relevant boot media partition (disabling persistence) |
[no]toram | Copy SquashFS image to RAM (on by default in .iso images) |
blacklist=module,… | Comma-separated list of kernel modules to blacklist from autoloading |
gentoo=root | Unlock root password (liberte) and disable root console timeout |
gentoo=xvesa | Force VESA video driver in Xorg |
gentoo=xfb | Force framebuffer video driver in Xorg (useful for EFI when VESA is unavailable) |
gentoo=i2p | Enable I2P |
gentoo=nosettings | Do not save/restore user-level application settings in ~/persist/settings/config.tar.xz |
gentoo=nox | Disable X server configuration (manual startx may still work) |
gentoo=nologo | Disable desktop background logo (includes the lock screen) |
gentoo=noanon | Non-anonymous clearnet mode with separate user settings |
bridges=IP[:port],… | Comma-separated list of Tor bridges to use instead of direct connections to relays (default port is 443) |
Root access is possible during the first 2 minutes after boot. Switching to the second terminal (logout to shell, Alt-F2) and typing okroot during that timeframe enables the root user’s password: liberte. After that, switch to the first terminal and launch the X server (Alt-F1, Ctrl-D). You can now become root using su - in a terminal. The same effect can be achieved by adding root to the boot menu options (after pressing Tab).
The Administrator Console entry in Liberté boot menu does not configure or start the X server, and simplifies root access by making the procedure above unnecessary.
Adding debug to the boot options runs the shell in the initramfs script right after the module loading phase, where you can check why the boot media cannot be mounted, for example.