Installation - wizardofhoms/risks GitHub Wiki
- There are only two files to be installed in the vault VM: the `risks` CLI and its `_risks` completion script. Since these scripts are used to handle sensitive data, you should spend the required time to thoroughly review the code in them. A good hour should be needed for this, since these scripts are quite long (although most of the CLI is auto-generated and redundant, so quickly reviewed).
- It is strongly advised to use a `debian-minimal` template for the vault: all installation instructions are adapted for this distribution.
To follow the installation instructions and proceed fast and without problems, you need:

- a `debian-minimal` TemplateVM, in which to install the vault dependencies.
- a `whonix` AppVM with network access, in which to download and build some tools.
First, install most packages through `apt` in the TemplateVM:

```sh
sudo apt install zsh cryptsetup steghide dosfstools wipe xclip pass e2fsprogs qubes-gpg-split gnupg2 socat pinentry-curses ssh-askpass-gnome libnotify-bin sox haveged rng-tools make file rig
```
## Building and installing fscrypt
We then install `fscrypt`, a high-level encryption tool. Building it requires a recent Go toolchain and linking against a glibc version available on Debian, so the following instructions should be run in a disposable client Whonix VM with network access. Note that the checksum for the Go updater script is fetched from the same repository as the script itself, so it protects against a corrupted download, not against a compromised upstream.

It is important to perform all the following operations in the same shell session/terminal (the `PATH` export below is not persisted):
```sh
# Install dependencies
sudo apt install libpam0-dev

# Install Go
git clone https://github.com/udhos/update-golang && cd update-golang
wget -qO hash.txt https://raw.githubusercontent.com/udhos/update-golang/master/update-golang.sh.sha256
sha256sum -c hash.txt
sudo ./update-golang.sh -declutter
export PATH=/usr/local/go/bin:$PATH

# Download and build the fscrypt binary
cd /tmp && git clone https://github.com/google/fscrypt && cd fscrypt
make

# Move to the TemplateVM
qvm-copy ./bin/fscrypt
```
Then, install the produced binary into the TemplateVM:

```sh
sudo cp /home/user/QubesIncoming/<disp_where_fscrypt_was_build>/fscrypt /usr/bin
```
## Building and installing Spectre
Still in the Whonix disposable VM with network access, we build the `spectre` password manager and copy the resulting binary to our TemplateVM with the following commands:

```sh
sudo apt install libncurses-dev libsodium-dev libjson-c-dev jq
cd /tmp && git clone --recursive https://gitlab.com/spectre.app/cli.git && cd cli
./build
./spectre-cli-tests
qvm-copy spectre
```
In the TemplateVM, install the binary:

```sh
sudo cp QubesIncoming/<disp_whonix_vm>/spectre /usr/bin
```
## Installing Tomb

First, download the `tomb` script and its checksum from the Whonix VM, verify it, and copy it to the TemplateVM:

```sh
cd /tmp
wget -c https://files.dyne.org/tomb/releases/Tomb-2.9.tar.gz
wget -c https://files.dyne.org/tomb/releases/Tomb-2.9.tar.gz.sha
sha256sum -c Tomb-2.9.tar.gz.sha
qvm-copy Tomb-2.9.tar.gz
```
Then, install the `tomb` script in the TemplateVM, and remove unneeded packages/artifacts:

```sh
cd ~/QubesIncoming/<vm_where_tomb_was_downloaded>
tar xvfz Tomb-2.9.tar.gz
cd Tomb-2.9
sudo make install PREFIX=/usr
cd ..
rm -fR Tomb-2.9
sudo apt remove make
```
It is likely that you will need to use GPG keys outside of the vault. If yes, install GPG-split:

```sh
sudo apt install qubes-gpg-split
```
## Final setup steps
Initialize the `fscrypt` tool (which will create a configuration file in `/etc/fscrypt.conf` and a `/.fscrypt` metadata directory). Answer "N" to the fscrypt prompt, then shut down the template:

```sh
sudo fscrypt setup
```
Optionally, set the user shell to ZSH:

```sh
sudo chsh user -s /usr/bin/zsh
```
The TemplateVM for the vault is now ready, and can be powered off.
## Vault AppVM Setup
Now that our vault VM has all the required dependencies, we can install the `risks` CLI. The following commands, run in the networked Whonix VM, download the CLI, its completions, the signature and the sha256sum, and verify that the sha256 and GPG signature are valid/correct:

```sh
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks.gpg
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/risks.sha
wget https://github.com/wizardofhoms/risks/releases/download/0.2.2/_risks

# Import wizardofhoms GPG key
gpg --keyserver keys.openpgp.org --search [email protected]

gpg --verify risks.gpg risks
sha256sum -c risks.sha
```
Alternatively, you can get the GPG keys here: https://keys.openpgp.org/[email protected]
Once done, move the files over to the vault VM:

```sh
qvm-copy risks _risks
```
Copy the files to their respective places (adapt the directories of this example), and launch a new terminal to load the changes:

```sh
# Command script
sudo cp QubesIncoming/joe-dvq/risks /usr/local/bin/risks && sudo chmod +x /usr/local/bin/risks

# Completions
sudo mkdir -p /usr/local/share/zsh/site-functions
sudo cp QubesIncoming/joe-dvq/_risks /usr/local/share/zsh/site-functions/_risks
```
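As an added example (not code from the risks wiki or project), the POSIX shell script below wraps the two release checks above so that they fail closed: it rejects a checksum file that does not name the file being verified, and it pins the GPG verification to one signer fingerprint, because a bare `gpg --verify` succeeds for any key that happens to be in the keyring. The `EXPECTED_FPR` value is a placeholder to be replaced with the maintainer's fingerprint obtained out of band; this page does not list it.

```sh
#!/bin/sh
# Added example, not part of the risks project: fail-closed verification of a
# downloaded release file (checksum file + detached GPG signature).

# verify_sha256 <checksum file> <expected file name>
# Succeeds only if the checksum file lists exactly the expected file name and
# sha256sum confirms its digest. Run it from the directory holding both files.
verify_sha256() {
    shafile=$1
    name=$2
    # sha256sum output is "<64 hex> <space or *><name>"; a checksum file that
    # covers some other file name would otherwise "pass" the -c check below.
    # (name is used as a literal pattern; release names here contain no regex
    # metacharacters.)
    grep -Eq "^[0-9a-f]{64} [ *]${name}\$" "$shafile" || {
        echo "checksum file ${shafile} does not reference ${name}" >&2
        return 1
    }
    sha256sum -c --strict "$shafile"
}

# verify_signature <detached signature> <file> <signer fingerprint>
# gpg prints machine-readable status lines with --status-fd; VALIDSIG carries
# the fingerprint of the key that made a good signature, so we can insist on
# the one we expect instead of accepting any key in the keyring.
verify_signature() {
    sig=$1
    file=$2
    fpr=$3
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG ${fpr} "
}

main() {
    # Placeholder: replace with the maintainer fingerprint obtained out of band.
    EXPECTED_FPR="<MAINTAINER_FINGERPRINT_PLACEHOLDER>"
    verify_sha256 risks.sha risks \
        && verify_signature risks.gpg risks "$EXPECTED_FPR" \
        && echo "risks: checksum and signature OK"
}

# Run the live verification only when executed directly under this file name.
case "${0##*/}" in
    verify_release.sh) main "$@" ;;
esac
```

Save it as `verify_release.sh` next to the downloaded files and run it before `qvm-copy`; a non-zero exit means the file must not be moved to the vault.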
## Final setup steps
Enable filesystem encryption on the `/rw` device, needed by `fscrypt`, and set up `fscrypt` itself on the corresponding mount point (answer "N" to the fscrypt prompt):

```sh
sudo /sbin/tune2fs -O encrypt /dev/xvdb  # /dev/xvdb is the device storing the /rw filesystem in Qubes
sudo fscrypt setup /rw
```
We disable shell history in the VM. ZSH, by default, does not save any history; ensure you have not enabled it in your ZSH configuration. For bash, use the following commands:

```sh
echo 'unset HISTFILE' >> .bashrc
source .bashrc
wipe -f .bash_history
```
Then, we disable swap for the VM, since `tomb` requires it to be off:

```sh
sudo sh -c "sed 's/bin\/sh/bin\/bash/g' -i /rw/config/rc.local"
sudo sh -c 'echo "swapoff -a" >> /rw/config/rc.local'
```
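An added self-check script (not part of the risks wiki or project) for the filesystem-encryption and swap steps above: it confirms that the ext4 `encrypt` feature is present on the device behind `/rw`, that no swap is active, and that `/rw/config/rc.local` carries the `swapoff -a` line. Each check takes its input as a string so it can be exercised on captured output; `run_checks` reads the live system and assumes the `/dev/xvdb` device, `/proc/swaps` and `/rw/config/rc.local` paths used on this page.

```sh
#!/bin/sh
# Added example, not part of the risks project: post-setup checks for the
# vault AppVM. Checks take text as an argument; run_checks gathers live data.

# encrypt_feature_enabled <output of tune2fs -l>
# Succeeds if the "Filesystem features:" line lists the ext4 "encrypt"
# feature that fscrypt needs (-w avoids matching it inside another word).
encrypt_feature_enabled() {
    printf '%s\n' "$1" | grep '^Filesystem features:' | grep -qw 'encrypt'
}

# swap_is_off <contents of /proc/swaps>
# /proc/swaps has a header line followed by one line per active swap area;
# succeed only if nothing but the header (and blank lines) is present.
swap_is_off() {
    [ -z "$(printf '%s\n' "$1" | tail -n +2 | grep -v '^[[:space:]]*$')" ]
}

# rc_local_disables_swap <contents of rc.local>
# Succeeds if the exact line "swapoff -a" added by the setup step is present.
rc_local_disables_swap() {
    printf '%s\n' "$1" | grep -qx 'swapoff -a'
}

run_checks() {
    rc=0
    # Device path assumed from this page's comment; adapt if /rw lives elsewhere.
    if encrypt_feature_enabled "$(sudo /sbin/tune2fs -l /dev/xvdb 2>/dev/null)"; then
        echo "ok    ext4 encrypt feature set on /dev/xvdb"
    else
        echo "FAIL  ext4 encrypt feature missing on /dev/xvdb"; rc=1
    fi
    if swap_is_off "$(cat /proc/swaps)"; then
        echo "ok    no active swap"
    else
        echo "FAIL  swap is active (tomb requires it off)"; rc=1
    fi
    if rc_local_disables_swap "$(cat /rw/config/rc.local 2>/dev/null)"; then
        echo "ok    rc.local runs swapoff -a at boot"
    else
        echo "FAIL  swapoff -a missing from /rw/config/rc.local"; rc=1
    fi
    return $rc
}

# Run the live checks only when executed directly under this file name.
case "${0##*/}" in
    vault_check.sh) run_checks ;;
esac
```

Run it as `vault_check.sh` in the vault AppVM after a reboot, since the `swapoff -a` line only takes effect through `rc.local` at boot; a `FAIL` line points at the step to redo.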
Finally, run the CLI without any command. This will create the `~/.risks` directory and write the default configuration file in it:

```sh
$ risks
risks . Creating RISKS directory in /home/user/.risks
risks . Writing default configuration file to /home/user/.risks/config.ini
```
You can check the generated configuration file, `~/.risks/config.ini`, which stores all values needed by `risks`. By default, none of those settings need to be changed. Should you want to modify them, you can either edit the configuration file in place, or use `risks config set <variable> <value>` commands (autocompleted).
The vault AppVM is now ready for correct operation of the `risks` CLI.

The `risks` CLI has a hidden command, `risks identity`, printing the currently active identity. It can be useful to integrate a call to this command somewhere in the prompt, like this in ZSH (single quotes are required so that `$(risks identity)` is re-evaluated each time the prompt is drawn rather than once at assignment):

```sh
setopt promptsubst
PROMPT='my_prompt_variables [ $(risks identity) ] $'
```
Once an identity is active, the prompt should look like this:

```
[email protected] [ John_Doe ] $
```