Installation - wizardofhoms/risks GitHub Wiki
Notes
- There are only two files to be installed in the vault VM: the
risks
CLI, and its_risks
completion script. Since these scripts are used to handle sensitive data, you should spend the required time to thorougly review the code in them. A good hour should be needed for this, since these scripts are quite long (although most of the CLI is auto-generated, and redundant, so quickly reviewed). - It is strongly advised to use a
debian-minimal
template for the vault: all installation instructions are adapted for this distribution.
To follow the installation instructions and proceed fast and without problems, you need:
- A
debian-minimal
TemplateVM, in which to install the vault dependencies. - A
whonix
AppVM with network access, in which to download and build some tools.
TemplateVM Setup
Runtime dependencies
First, install most packages through apt
in the TemplateVM:
sudo apt install zsh cryptsetup steghide dosfstools wipe xclip pass e2fsprogs qubes-gpg-split gnupg2 socat pinentry-curses ssh-askpass-gnome libnotify-bin sox haveged rng-tools make file rig
Building and installing fscrypt
We then install fscrypt
, a high-level encryption tool. For this tool to be built, we need to have a recent Go
toolchain, build the library with a glibc version available on Debian, so the following instructions should be
used in a disposable client Whonix VM, with network access.
It is important to perform all the following operations in the same shell session/terminal:
# Install dependencies
sudo apt install libpam0-dev
# Install Go
git clone https://github.com/udhos/update-golang && cd update-golang
wget -qO hash.txt https://raw.githubusercontent.com/udhos/update-golang/master/update-golang.sh.sha256
sha256sum -c hash.txt
sudo ./update-golang.sh -declutter
export PATH=/usr/local/go/bin:$PATH
# Dowload and build the fscrypt binary
cd /tmp && git clone https://github.com/google/fscrypt && cd fscrypt
make
# Move to the TemplateVM
qvm-copy ./bin/fscrypt
Then, install the produced binary into the vault
TemplateVM:
sudo cp /home/user/QubesIncoming/<disp_where_fscrypt_was_build>/fscrypt /usr/bin
Building and installing Spectre
Still in the Whonix disposable VM with network access, we build the spectre
password manager
and copy the resulting binary to our TemplateVM with the following commands:
sudo apt install libncurses-dev libsodium-dev libjson-c-dev jq
cd /tmp && git clone --recursive https://gitlab.com/spectre.app/cli.git && cd cli
./build
./spectre-cli-tests
qvm-copy spectre
In the TemplateVM, install the binary:
sudo cp QubesIncoming/<disp_whonix_vm>/spectre /usr/bin
Tomb
First download the tomb script from the Whonix VM, and copy it in the TemplateVM:
cd /tmp
wget -c https://files.dyne.org/tomb/releases/Tomb-2.9.tar.gz
wget -c https://files.dyne.org/tomb/releases/Tomb-2.9.tar.gz.sha
sha256sum -c Tomb-2.9.tar.gz.sha
qvm-copy Tomb-2.9.tar.gz
After, install the tomb script in the TemplateVM, and remove unneeded packages/artifacts:
cd ~/QubesIncoming/<vm_where_tomb_was_downloaded>
tar xvfz Tomb-2.9.tar.gz
cd Tomb-2.9
sudo make install PREFIX=/usr
cd ..
rm -fR Tomb-2.9
sudo apt remove make
GPG-split (optional)
It is likely that you will need to use GPG keys outside of the vault. If yes, install GPG-split:
sudo apt install qubes-gpg-split
Final setup steps
Initialize the fscrypt tool (which will create a conf in /etc/fscrypt.conf
and a /.fscrypt
directory).
Answer "N" to the fscrypt prompt, then shutdown the template:
sudo fscrypt setup
Accessorily, set the user shell to ZSH:
sudo chsh user -s /usr/bin/zsh
The TemplateVM for the vault
is now ready, and can be powered off.
Vault AppVM Setup
Installing risks
Now that our vault VM has all the required dependencies, we can install the risks
tools.
The following commands download the CLI, its completions, the signature and the sha256sum,
and verify that the sha256 and GPG signature are valid/correct.
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks.gpg
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks.sha
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/_risks
# Import wizardofhoms GPG key
gpg --keyserver keys.openpgp.org --search [email protected]
gpg --verify risks.gpg risks
sha256sum -c risks.sha
Alternatively, you can get the GPG keys here: https://keys.openpgp.org/[email protected]
Once done, move the files over to the vault VM:
qvm-copy risks _risks
Copy the files to their respective places (adapt the directories of this example), and launch a new terminal to load changes:
# Command script
sudo cp QubesIncoming/joe-dvq/risks /usr/local/bin/risks && sudo chmod +x /usr/local/bin/risks
# Completions
sudo mkdir -p /usr/local/share/zsh/site-functions
sudo cp QubesIncoming/joe-dvq/_risks /usr/local/share/zsh/site-functions/_risks
Final setup steps
Enable filesystem encryption in the /rw device, needed by fscypt, and setup fscrypt itself on the corresponding mount point (answer 'N' to the fscrypt prompt):
sudo /sbin/tune2fs -O encrypt /dev/xvdb # /dev/xvdb is the device storing the /rw filesystem in Qubes
sudo fscrypt setup /rw
We disable history in the VM. ZSH, by default does not save any history.
Ensure you don't have these settings in .zshrc
. For bash
, use the following commands:
echo 'unset HISTFILE' >> .bashrc
source .bashrc
wipe -f .bash_history
Then, we disable swap for the VM, since tomb
requires it to be off.
sudo sh -c "sed 's/bin\/sh/bin\/bash/g' -i /rw/config/rc.local"
sudo sh -c 'echo "swapoff -a" >> /rw/config/rc.local'
Finally, run the CLI without command. This will create a ~/.risks/
directory and will write the default configuration file in it:
$ risks
risks . Creating RISKS directory in /home/user/.risks
risks . Writing default configuration file to /home/user/.risks/config.ini
You can check the generated configuration file ~/.risks/config.ini
, which stores all values needed by risks
.
By default, none of those settings need to be changed. Should you want to modify them, you can either edit
the configuration file in place, or use risks config set <variable> <value>
commands (autocompleted).
The vault AppVM is now ready for correct operation of the risks
CLI.
Optional setup
The risks
CLI has a hidden command risks identity
, printing the currently active identity.
It can be useful to integrate a call to this command somewhere in the prompt, like this in ZSH:
setopt promptsubst
PROMPT="my_prompt_variables [ $(risks identity) ] $"
Once an identity is active, the prompt should look like this:
[email protected] [ John_Doe ] $