QubesOS¶
Verifikation af forseglet hardware¶
If you have ordered the unit with the option “sealed screws and sealed bag”, please verify the sealing before unpacking. If you do not know what this means, skip this section.
Procedure for sikker opstart¶
With the NitroPad and NitroPC, malicious changes to the BIOS, operating system, and software can be easily detected. For example, if you left your NitroPad in a hotel room, you can use your Nitrokey to check if it has been tampered with while you were away. If an attacker modifies the NitroPad’s firmware or operating system, the Nitrokey will detect this (instructions below).
Each time you start the NitroPad or the NitroPC, you should - if possible - connect your Nitrokey. If the Nitrokey is plugged in and the system has not been modified, the following screen will appear when it is turned on.
The box marked in red contains the information that the BIOS has not been changed and that the shared secret of the NitroPad or the NitroPC and the Nitrokey match. But this information is not sufficient, because an attacker could have faked it. If at the same time the Nitrokey also flashes green, everything is fine. An attacker would have to have had access to the NitroPad or NitroPC and Nitrokey to achieve this result. It is therefore important that you do not leave both devices unattended.
If the information on the NitroPad or NitroPC does not match the information on the Nitrokey, the background would turn red and the message “Invalid Code” would appear. This could indicate that manipulation has taken place.
Hvordan opstartsprocessen kan se ud, hvis systemet er blevet ændret (f.eks. efter en opdatering), og hvilke fejlmeddelelser der ellers kan forekomme, er beskrevet yderligere nedenfor.
Tip
The NitroPad and NitroPC can also be started without the Nitrokey. If you don’t have the Nitrokey with you, but are sure that the hardware has not been manipulated, you can boot your system without checking.
Kom godt i gang¶
Efter købet er adgangskoderne indstillet til en standardværdi og skal ændres af dig:
Tryk på Enter (»Default Boot«) efter opstart af systemet, forudsat at NitroPad ikke har vist nogen fejl, og at Nitrokey er grønt lysende (se ovenfor).
Next, the system will prompt you to enter the passphrase to decrypt the hard disk. The passphrase is initially »12345678«.
Systemet vil derefter guide dig gennem processen med at oprette en brugerkonto. Herefter skulle du have startet systemet op og allerede kunne bruge det normalt.
Open the pre-installed Nitrokey App and change the PINs of your Nitrokey as described here.
Skift passphrase til harddiskkrypteringen ved at søge i Qubes-menuen efter »Change Disk Passwort«. Denne passphrase er forskellig fra din brugerkontos passphrase.
NitroPads leveres med det seneste installationsbillede af Qubes OS, som skal opdateres efter installationen, fordi det ikke indeholder alle de seneste sikkerhedsrettelser. For at opdatere skal du bruge Update Manager som beskrevet i Qubes Documentation.
Bemærk
Specifikt for NitroPad V54 indeholder Qubes 4.2.3 installationsbillede en fejl, der begrænser til kun at bruge den højeste skærmopløsning. Dette er rettet, når du har opdateret dom0 og genstartet.
Adfærd efter en systemopdatering¶
The NitroPad and NitroPC firmware checks certain system files for changes. If your operating system has updated important components, you will be warned the next time you boot the NitroPad or NitroPC. This could look like this, for example:
That’s why it’s important to restart your NitroPad or your NitroPC under controlled conditions after a system update. Only when the new status has been confirmed can you leave the device unattended again. Otherwise, you will not be able to distinguish a possible attack from a system update. Detailed instructions for a system update can be found here.
Failed to Start Load Kernel Modules¶
Under opstart af systemet vises fejlen »Failed to start Load Kernel Modules« (Fejl ved start af Load Kernel Modules«). Dette er et kendt problem, som ikke er kritisk og kan ignoreres.