The following hardware is required.
Physically removing internal disk(s) and wireless interface(s) if not soldered to motherboard or disabling interface(s) using BIOS if soldered is recommended to strengthen data persistence and air gap hardening.
Installing Ubuntu for desktops on datAshur PRO² USB flash drive is recommended to enforce access control, data persistence and tamper resistance hardening.
Go to https://www.raspberrypi.com/software/, download and install Raspberry Pi Imager.
Heads-up: depends on Qt.
$ sudo add-apt-repository -y universe
$ sudo apt install -y rpi-imager
$ defaults write org.raspberrypi.Imager.plist telemetry -bool NO
$ mkdir -p ~/.config/Raspberry\ Pi
$ cat << "EOF" > ~/.config/Raspberry\ Pi/Imager.conf
[General]
telemetry=false
EOF
Heads-up: for additional security, verify Ubuntu for desktops download.
Go to https://ubuntu.com/download/desktop and download Ubuntu 22.04.1 LTS.
Open “Raspberry Pi Imager”, click “CHOOSE OS”, then “Use custom”, select Ubuntu for desktops .iso
, click “CHOOSE STORAGE”, select USB flash drive and, finally, click “WRITE”.
👍
/
on USB flash drive on which Ubuntu for desktops is being installedWARNING: make sure changes only apply to USB flash drive on which Ubuntu for desktops is being installed.
update-manager
and click “Install Now”$ gsettings set org.gnome.mutter center-new-windows true
$ gsettings set org.gnome.desktop.interface color-scheme prefer-dark
$ gsettings set org.gnome.desktop.interface gtk-theme Yaru-dark
$ gsettings set org.gnome.desktop.media-handling automount false
universe
APT repository$ sudo add-apt-repository -y universe
curl
, libfuse2
, overlayroot
and zbar-tools
$ sudo apt install -y curl libfuse2 overlayroot zbar-tools
superbacked.AppImage
as programHeads-up: replace
ABCDEFGH
with your license code.
Heads-up: for additional security, verify Superbacked download.
$ curl --fail --location --output ~/Desktop/superbacked.AppImage "https://superbacked.com/api/downloads/superbacked-std-x64-latest.AppImage?license=ABCDEFGH"
superbacked.AppImage
as programRight-click “superbacked.AppImage”, click “Properties”, click “Permissions” and, finally, select “Allow executing file as program”.
ext4
and vfat
filesystems to read-only$ sudo sed -i 's/errors=remount-ro/errors=remount-ro,noload,ro/g' /etc/fstab
$ sudo sed -i 's/umask=0077/umask=0077,ro/g' /etc/fstab
fsck.repair
$ sudo sed -i 's/quiet splash/quiet splash fsck.repair=no/g' /etc/default/grub
$ sudo update-grub
overlayroot
to tmpfs
$ sudo sed -i 's/overlayroot=""/overlayroot="tmpfs"/g' /etc/overlayroot.conf
$ history -cw
Heads-up: filesystem will be mounted as read-only following reboot.
$ sudo systemctl reboot
Heads-up: filesystem is ready for optional hardware read-only hardening.
$ sudo systemctl poweroff
👍