Manual settings & removing security vulnerable software
Select & run Terminal from the list of Activities.
- Right-click the icon on that list, or where you see it appear on the Dock at the side of the screen, to add it to the list of Favorites to keep it on the Dock... you're going to need it!
- Commands to type in the Terminal (also called the Shell or "command line") will appear here like this:
type this stuff into Terminal
Check & set time zone
(optional) If you want to set the local time zone to UTC (to match timestamps on your node software, for instance):
sudo timedatectl set-timezone UTC
Remove standard packages which may be security risks
Some of these may have side effects and/or security consequences if we ever connect to the Internet.
(optional) Uninstall snap and remove all snaps
Snaps are prefabricated images containing all components of an application, including libraries which may supersede the security vetted libraries of the OS itself. Snaps may contain closed source components.
- Anyone in favour of installing software this way should please keep in mind that the security breach described in our origin story was also the result of using images assembled from dependencies specified somewhere else... which is pretty much how snap works.
Specific removal instructions are likely to change with Ubuntu patch levels so please follow instructions here (How do I turn off snap in Ubuntu?) or search the Internet on another machine for a proper installation method. (This is not urgent so you can wait until the next time you've booted the Frankenwallet.)
Uninstall CUPS printer management services
This runs a printer manager service & opens up a web port intended for browser-based administration:
sudo apt remove cups
Disable unattended upgrades
This ensures you'll never be spontaneously checking for packages, even if the software update check settings you made earlier (to the Software & Updates app) are changed or reverted:
sudo apt remove unattended-upgrades
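One way to confirm the removals above actually took effect, as an added example that is not part of the original instructions. It assumes the package names cups, unattended-upgrades and snapd (the last only if you did the optional snap step) and CUPS's default port 631; the sample lines are constructed so the parsing can be tried on any machine.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the removals took effect.

# Packages this page removes; snapd only applies if you did the optional step.
PKGS="cups unattended-upgrades snapd"

# stdin: "name status" lines as printed by
#   dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n'
# Prints each package named in $1 that is still installed. The second status
# letter is the current state: "i" = installed, "c" = removed with config
# files left behind (what "apt remove" leaves), which counts as removed here.
still_installed() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) pk[w[i]] = 1 }
        ($1 in pk) && $2 ~ /^.i/ { print $1 }'
}

# stdin: output of `ss -Htln`. Prints local addresses listening on TCP port $1.
listeners_on_port() {
    awk -v port="$1" '{ n = split($4, a, ":"); if (a[n] == port) print $4 }'
}

# Live check on the Frankenwallet itself: run this script with --live.
live_check() {
    left=$(dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n' $PKGS 2>/dev/null \
           | still_installed "$PKGS")
    open=$(ss -Htln | listeners_on_port 631)   # 631 = CUPS default port
    [ -z "$left" ] || echo "still installed: $left"
    [ -z "$open" ] || echo "still listening on 631: $open"
    [ -z "$left$open" ]
}

# Constructed sample data (not real output from any machine).
SAMPLE_DPKG='cups rc
unattended-upgrades ii
libreoffice ii'
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:22 [::]:*'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_DPKG" | still_installed "$PKGS"
    printf '%s\n' "$SAMPLE_SS" | listeners_on_port 631
fi
```

Checking the listening port as well as the package list catches the case where a package is gone but something still provides the service.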
System software installation & update
NOTE for purists who wish to never connect their Frankenwallet to the Internet... not even once, from the baseline Ubuntu software:
➤ Please stay tuned near this section… upon popular demand we can also prepare a list of manual downloads which can be run on the host machine, to produce an alternate script which will allow you to add current packages for libreoffice, 7z and secure-delete, and which match the current Ubuntu baseline from the installation media.
This would allow you to set up your Frankenwallet completely without a single connection to the Internet… not even a single connection under controlled circumstances as suggested below.
If you're not in the "purist" category, connect your Internet cable now — or turn on your regular WiFi — and get ready to disconnect it again as soon as you get to the end of the instructions on this page.
Then execute:
sudo apt update
- to prepare for all the OS & essential application packages that have come out since the last Ubuntu official release.
- if you get a message about having to run “sudo dpkg --configure -a” - usually seen after it reports a package glitch during the installation - do so now.
- This may also happen if the system is interrupted in the middle of adding or removing a package.
sudo apt upgrade
- to do all those installations (answer Y and get used to taking a look at what it’s upgrading)
Essential added package: secure file deletion
sudo apt install secure-delete
- makes sure you can delete original key files in a way that zero-writes their file data, and randomises the directory entries before deleting them
Q: Why would we ever need to do this on the Frankenwallet, on which all the files are encrypted?
- A: You don't need this for Frankenwallet files… it's for the Frankenwallet to use on files on the host computer which may be accidentally written there unencrypted or improperly encrypted!
➤ What you'd do in that case: as soon as possible (before rebooting into that computer), random-write and then zero-write that file, as well as the directory entry pointing to it, to be sure it can never be accessed on the host machine even through unclaimed disk space:
srm mySecretFile
Essential added packages: AES encrypting document / spreadsheet editor & file archiver
The greatest benefit of the Frankenwallet is to use LibreOffice and the 7z archive for encrypted storage of keys and passphrases, or other confidential material about your transactions, private addresses, etc... given that you now have an environment on which to cold-encrypt these documents:
sudo apt install libreoffice p7zip-full p7zip-rar
Now you can disconnect again from the Internet, and leave it unconnected indefinitely… until you need to download any CLI software or install network-dependent applications for a "cool" environment.
Reboot (for the first time)
Suggestion, especially for those with older or slower USB drives:
➤ Don't reboot by typing sudo reboot, or with reboot or shutdown -h now at a root prompt.
- The system is more likely to have time to sync the pending disk writes (important to avoid an fsck when booting) if you shut down via the GNOME interface.
- Therefore, click Power Off from the upper-right GNOME menu just to give it time to sync & unmount the root partition gracefully.