Secure Desktop Project

For this project option, you will create a fully encrypted, secure desktop environment. This environment must run directly on a physical computer (or a Raspberry Pi) by the end of the project. While a virtual machine can be used for testing and development purposes, the ultimate objective of this environment is to be usable as a replacement operating system for real hardware.

Background

Alpine Linux is a security-oriented Linux distribution that is primarily designed for use with containers and servers. However, I have found it to be usable as a desktop operating system, where its security hardening features have some advantages over other desktop systems. In fact, I am running the exact setup for this project (Alpine Linux on a fully encrypted system) as my laptop operating system.

One nice property of Alpine Linux is that it will install and run quite happily from a removable USB drive, which can be helpful if you only have access to one physical system and are not yet ready to change your desktop OS. Alpine Linux is also available for the Raspberry Pi single-board computer, which would be an option for this project if you already own one. At this time, supply chain disruptions are resulting in significant price scalping for Raspberry Pi boards, resulting in prices well in excess of $150 for a board that has a base price starting at $35. Therefore, I do not recommend purchasing one of these devices for this project – just use your laptop and an external USB drive instead.

The objective of this project is to have a fully-working desktop environment that you can use for day-to-day activities. In fact, you might find that you can replace your existing operating system with Alpine Linux and still be able to do everything you’re used to doing with your computer.

Additional Reading

• Drive Preparation - ArchWiki
• Alternate: Overwrite LUKS Partition with Random Data
• LVM on LUKS

While the final installation must run directly on the metal, you might find it useful to do some testing in a virtual machine.

Project Requirements

A successful implementation of this project:

1. Boots directly on a laptop, desktop, or Raspberry Pi device. On a laptop or desktop computer, the system boots using UEFI and not legacy BIOS (also known as the Compatibility Support Module, or CSM). (An exception to the UEFI requirement can be made if you’re using a really old laptop or desktop computer for this project.)
2. Is fully encrypted, with the exception of the EFI System Partition (on a laptop or desktop) or boot partition (on a Raspberry Pi).
3. Uses two partitions: the EFI or Raspberry Pi-specific partition required to hold the bootloader, and a second partition fully encrypted with LUKS version 1.
4. Uses LVM within the encrypted container to support segmentation of the root, home, and (except on Raspberry Pi) boot file systems.
5. Has a working firewall that blocks access to all incoming ports, except for related and established traffic and for the ICMP packets required for IPv6.
6. Has a working graphical user interface (GUI). This can be a desktop environment (e.g. KDE Plasma, Xfce, MATE, Gnome, etc.) or a lightweight window manager.
7. Has a working LibreOffice suite (Flatpak version recommended on x86_64).
8. Has a working Firefox browser.
9. Can play at least basic video games. Open source games are fine for satisfying this requirement, although installing Steam and running at least one game from your Steam Library is also acceptable. Your hardware will determine what games will run (e.g. a Raspberry Pi can’t run Steam, and a laptop that can run Steam might not have the graphics card required to play certain titles).

To calculate the Project Outcome grade at the end of the semester, the Secure Desktop Project Rubric will be used.

Milestones

Milestone 1

For Milestone 1, prepare a video presentation that covers the following items:

1. Using either a virtual or physical machine, show that you have performed a basic installation of Alpine Linux with the GRUB bootloader. The installation does not have to be encrypted yet.
2. Identify which tool you used to partition the disk used for the installation.
3. Explain your thought process and progress toward selecting a desktop environment or window manager.
4. Identify and show the hardware device that you will use for the bare metal (non-VM) installation. This device can be a laptop or desktop computer, a USB stick or external SSD, or a Raspberry Pi.

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 1.

Milestone 2

For Milestone 2, prepare a video presentation that covers the following items:

1. Using a physical machine (not a VM), demonstrate that you have successfully installed Alpine Linux on a fully encrypted system using LVM to separate /boot, /, and /home (or, on Raspberry Pi only, / and /home). You may need to record video or take screenshots with your cell phone, since your machine probably isn’t yet to a point where it can do screen recording. You can demonstrate the presence of LVM and your partition layout easily by installing the correct software to be able to run the lsblk command.
2. Demonstrate that you have correctly set up iptables and ip6tables by running the following commands as root and showing the output:

iptables -S
ip6tables -S

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 2.

Milestone 3

For Milestone 3, prepare a video presentation that covers the following items:

1. Using physical hardware (not a virtual machine), demonstrate that you have added a graphical desktop environment (or window manager) to your installation.
2. Demonstrate that you have added LibreOffice and Firefox to your installation. I recommend the Flatpak version if your system is x86_64 (not available on Raspberry Pi).

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 3.

Milestone 4

For Milestone 4, prepare a video presentation that covers the following items:

1. Using OBS Studio, record your presentation from the Alpine Linux installation you created. This might not be possible if you used a Raspberry Pi or a limited system with an old or weak CPU, in which case you can use your phone instead.
2. Demonstrate that you can play a video game using your installed system.
3. Reflect on the project. What did you learn about the technologies you used? What did you learn about teamwork?

Each person in the group should present for approximately equal time.

Before submitting, review the Grading Rubric for Milestone 4.

Tips

• Be sure that you’re using UEFI boot, and not legacy or “CSM” (compatibility support module) booting. Modern computers use UEFI. Also, for the best compatibility with modern computer systems, be sure to use a GPT partition table.
• Use LUKS version 1 (Luks1 in the Alpine “LVM on LUKS” wiki entry). LUKS version 2 isn’t yet fully supported by GRUB.
• When doing the bare metal (non-VM) installation on a USB drive, be sure you get the device node correct! If you make a mistake, you could overwrite the hard drive on your computer. Be sure to back up your data first, just in case. Also, it is advisable to install the lsblk package in the installation environment and double-check that the device node is correct. You might also want to wait to plug in the target USB drive until after you’ve booted Alpine Linux, then run the dmesg command after plugging in the target USB drive. The device node (/dev/sdX, where X is an arbitrary letter) will be near the bottom of the dmesg output.
• Your final installation of Alpine Linux should NOT have sshd running. The secure shell (ssh) enables remote access to the system over the network. This software is typically more appropriate for a server than it is for a desktop.
• I suggest adding the polkit-openrc package and enabling the polkit service.
• If you want local manual pages and documentation, add the man-pages, mandoc, and docs packages. You might want to skip these inside a VM (to keep the size down) or on a USB drive that has limited space.

GRUB

Note that this section does not apply if you’re installing on a Raspberry Pi.

You must use the GRUB bootloader. None of the other bootloaders are capable of booting a fully encrypted system. While it is technically possible to use an unencrypted /boot partition with another bootloader, this isn’t secure for several reasons. First, it gives away the presence of a working Linux distribution, where a fully encrypted system maintains some plausible deniability that anything is actually installed on the drive. Second, a malicious actor could replace the kernel on an unencrypted /boot partition with one that captures and transmits the encryption key (or otherwise lets them bypass encryption), permitting access to your data.

As of Alpine Linux v3.16, the setup-alpine script hasn’t been reliable for installing the bootloader correctly. This is especially true on fully encrypted systems. See the GRUB Installation Notes section of the Alpine Linux Notes document for some general steps. You need to do a couple other things inside the chroot environment before running the grub-install step.

Following the “LVM on LUKS” Alpine Wiki entry, be sure to do the extra steps in the “Installing Alpine Linux” section. In particular, you will need both the cryptsetup and cryptkey features in mkinitfs.conf.

After configuring the initfs, follow the “GRUB with EFI” section under “Installing a bootloader” in the same wiki document. To get the UUID for the filesystem, use the blkid command and pass it the device node of the encrypted partition. Be sure to use the partition’s device node, NOT anything in /dev/mapper. For example, if your USB drive is /dev/sda, then the partition is probably /dev/sda2.

Before leaving the chroot environment, re-generate the initramfs one more time. We need to embed the crypto_keyfile.bin into it, so as to avoid a second password prompt when booting the system:

mkinitfs $(ls /lib/modules/)

Desktop Environment

After rebooting into your new installation, you will need to pick a desktop environment. Several choices are available. I use KDE Plasma, but Xfce, Gnome, and MATE are also available in the standard repositories in Alpine. I recommend using the following Wiki pages to get your environment configured:

• Wi-Fi explains the process for configuring wireless Internet.
• Setting up a new user - I recommend adding this user to the wheel, disk, lp, floppy, audio, cdrom, dialout, tape, video, netdev, kvm, games, cdrw, usb, users, and input groups. Configure doas for root access for the wheel group, as documented in this wiki page.
• How to get regular stuff working - These steps will make Alpine Linux work a bit more like other distributions. I also add the zsh shell (in addition to bash) and use zsh as my default shell.
• setup-xorg-base - This section of the Alpine setup scripts document explains the setup-xorg-base script. For a portable USB installation, I also recommend xf86-video-amdgpu in case the system has an AMD graphics card. Note that I do NOT recommend installing xf86-video-intel, as the default modesetting driver tends to do a better job than this (outdated) 2D driver. However, 3D graphics on an Intel CPU requires the mesa-dri-gallium package, while hardware accelerated video encoding and decoding needs the libva-intel-driver package.
• PipeWire is the recommended sound server. I normally install pipewire, wireplumber, pipewire-alsa, pipewire-pulse, pipewire-jack, bluez, bluez-openrc, and pipewire-spa-bluez. Add the bluetooth service to the default runlevel for Bluetooth support.
• NetworkManager makes it easier to connect to wireless (and wired) networks. Note that you still need to add the contents of /etc/NetworkManager/NetworkManager.conf as shown in the wpa_supplicant section, even if you use iwd as the wireless backend. In the case of iwd, only the wifi.backend setting should be different. It isn’t documented on the wiki page, but the networkmanager-wifi package is also needed. I recommend networkmanager-tui and networkmanager-cli as well.
• Once you have done the previous steps, select a desktop environment and follow the appropriate wiki page.
• Add Flatpak to get access to quite a bit more software, including a version of Firefox that supports Netflix, the latest LibreOffice, Steam, etc. Reboot the system after installing Flatpak. NOTE: Flatpak isn’t available for the Raspberry Pi (or any architecture other than x86_64).

Flatpak vs. apk

Several packages are available both from Flatpak and via the apk command. You will need to do some trial and error to determine which version works better for your use case. In my daily use of Alpine Linux as a desktop system, I’ve observed the following:

• I use Firefox from Flatpak, since it supports the Widevine library required for online streaming services like Netflix.
• I also use LibreOffice from Flatpak, as I’ve encountered some odd bugs with the Alpine native versions.
• Extra packages I typically install from apk include musl-locales, hunspell-en, vim, and gcompat.
• For completing the final milestone, you will need a screencasting tool. OBS Studio is good for this purpose, and it can be installed from apk or Flatpak. You’ll need to test to see which works better on your system.

Firewall

Even though a default installation of Alpine Linux as a desktop doesn’t expose any running services, a firewall must still be deployed on the system for security purposes. See my iptables page for information about the firewall configuration.

Laptop Touchpad Issues

If you’re using a laptop, and you find that touchpad scrolling or tapping stops working randomly, create (as root) a file at /etc/modprobe.d/psmouse.conf with the following contents:

blacklist psmouse

Then reboot and check touchpad operation.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.