<h3id="orgheadline9">On a Laptop, Netbook or Desktop machine</h3>
<divclass="outline-text-3"id="text-orgheadline9">
<p>
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
<h2id="orgheadline4">Social Key Management - the 'Unforgettable Key'</h2>
<divclass="outline-text-2"id="text-orgheadline4">
<p>
During the install procedure you will be asked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more <ahref="#orgheadline7">Keydrives</a>.
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more <ahref="#orgheadline6">Keydrives</a>.
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
</p>
...
...
@@ -602,16 +594,16 @@ On your internet router, typically under firewall settings, open the following p
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be <ahref="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">done from the <i>Disk Utility</i> application</a>. Then plug it into the Freedombone system, then from your local machine run:
</p>
...
...
@@ -628,9 +620,9 @@ Select <i>Backup and Restore</i> then <i>Backup GPG key to USB (master keydrive)
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this <ahref="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">can be done from the <i>Disk Utility</i> application</a>. Plug it into the Freedombone system then from your local machine run the following commands:
</p>
...
...
@@ -652,9 +644,9 @@ Fragments are randomly assigned and so you will need at least three or four keyd
You can configure laptops or desktop machines which connect to the Freedombone server in the following way. This alters encryption settings to improve overall security.
