HOW TO...

Download and verify using OpenPGP
Download the Discreete Linux 2016.01_Beta1 ISO image. The ISO image can be downloaded from here:
Mirror 1:
Download Discreete_Linux_2016.1_beta1 as hybrid ISO.
Mirror 2:
Download Discreete_Linux_2016.1_beta1 as hybrid ISO.
Mirror 3:
Download Discreete_Linux_2016.1_beta1 as hybrid ISO.


Download the Discreete Linux 2016.01_Beta1 signature of the ISO image and save it to the same folder where you saved the ISO image.

To verify the signature you need the PGP key which we use for signing. It is called "Discreete Linux signing key (2016) info@discreete-linux.org and has the Key-ID 0xBA146BB0759613AC. You can retrieve it from any keyserver of the PGP keyserver network, like here or download it here.

Verify the ISO image
IN MAC OS X USING GPGTOOLS:

• Open Finder and navigate to the folder where you saved the ISO image and the signature.
• Right-click on the ISO image and choose Services ▸ OpenPGP: Verify Signature of File.

IN LINUX USING THE COMMAND LINE:
Open a terminal and navigate to the folder where you saved the ISO image and the signature.
Execute:
gpg --keyid-format 0xlong --verify Discreete_Linux_2016.1_beta1.hybrid.iso.asc Discreete_Linux_2016.1_beta1.hybrid.iso

Write ISO image to your media
On a Linux system insert the USB-Drive, open a terminal and run:
dd bs=4M if=path/to/your/Discreete.iso of=/path/to/the/target/device && sync

Then boot computer from your new Discreete boot device

Connect your new Discreete boot device or insert the DVD and start your computer with it. How to do this depends on your machine, in most cases you will need to press any of the F-Keys (F1-F12) or ESC right after power on (before your normal operating system loads!) to get a boot menu, where you can choose which drive to start from. Select the USB drive there. Sometimes you may need to enable booting from USB first in the BIOS setup. It may also help to disable "Fast Boot" in the BIOS, if present. If you are using Windows 8 or 10 (eek , you may need to disable fast shutdown, see https://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.

Once started up, you should create an encrypted volume on the remaining space of your USB drive. To do this, start the CryptoBox wizard from the menu "Applications" -> "Security" -> "CryptoBox Wizard". Choose "Use free space on boot medium" and follow the instructions of the wizard. When the volume is created, you can open it right away by choosing "Applications" -> "Security" -> "Scan for CryptoBox Volumes" from the menu. Or you can reboot and should be asked for the volume password. When you are asked if you want to open this as an extended Volume, say yes.

For exchanging your data with other people, you may want to create a GPG key pair or import an existing one, as well as import keys for your recipients. Select "Applications" -> "Security" -> "Passwords and Keys", here you can create and import GPG keys. Afterwards, please open "Applications" -> "Security" -> "GPG Settings" and check the settings there. Select at least a default key from the "Signing" tab, this will usually be your own GPG key.

Now you can start working. Be sure to save everything inside your new CryptoBox volume. Anything saved on the desktop or within the Home Folder will be lost after reboot. If you want to encrypt something, right-click the file in the file manager and choose "Encrypt". Select the recipients from the list and click OK.

This is still a very terse guide, more detailled explanations as well as an integrated help will follow.

The config tree from our GitHub repository is required for building your own image of Discreete Linux using live-build.

Building has only been tested on Debian 8; building on other versions of Debian or Debian derivatives like Ubuntu may be possible with some tweaks; but has not been tested. If you want to build on other systems including Windows, there are plenty of pre-built Debian Appliances for various virtualization platforms out there.

The configuration pulls in a number of packages from our own apt repository which are required to achieve the functionality of Discreete Linux. If you want to look at the sources, you can either download the sources from the same repository (deb https://www.discreete-linux.org/repository jessie main) or take a look at the git repositories here.

The configuration also includes a pre-built binary of VeraCrypt. You may prefer to build your own binary from sources, see "Building VeraCrypt from Source" below.

Our repository also includes a binary image of a patched kernel which is vital for Discreete Linux. The kernel patch makes sure that Discreete Linux cannot access any internal hard drive. Since kernel images are update quite frequently, we do not include any sources or git repo for this kernel image. Instead we tell you how to build your own, see below.

Requirements

First off, you will need to get our customized version of live-build from here or build it from git sources here. This version supports UEFI booting, see the README for more details.

Then you need our PGP key which we use for signing. It is called "Discreete Linux signing key (2016) info@discreete-linux.org" and has the Key-ID 0x759613AC. You can retrieve it from any keyserver of the PGP keyserver network, like here.

A Note about our PGP keys

In addition to the signing key, there are two other keys of the Discreete Linux team:

1. "Discreete Linux communication key (2016) info@discreete-linux.org", Key-ID 0xDBAFE0E2
2. "Discreete Linux automated signing key (2016-11) info@discreete-linux.org", Key-ID 0x751FCD02

Why do we do this? The signing key is used for signing releases, repositories etc. only; the secret key is on a separate keyring on a separate, permanently offline machine which is only used for that purpose. The communication key is also only used offline in a Discreete environment, but the secret key, by it's nature, is in a keyring which we use on a daily basis. The automated signing key is used for signing individual packages and changelog entries, github commits etc. These are automated processes, the key resides on an online system.

Building Discreete Linux

Download/checkout the config tree:

git clone https://github.com/Discreete-Linux/discreete-linux-build.git

cd to it and verify the signature of the checksum file:

gpg --verify SHA512SUM.asc SHA512SUM

Then verify the checksums:

sha512sum -c SHA512SUM

Now, just to be sure, run:

lb clean

as root, followed by

lb build

Building will take some time, depending on your machine and internet connection. At the end, you should get a file named live.image.hybrid.iso. This is a so-called ISOhybrid image which can be written to DVD as well as USB-Drives or SD cards. For the latter, you can use dd like dd if=live.image.hybrid.iso of=/dev/sdX bs=1M. Be very careful what you type for /dev/sdX, you can overwrite your hard drive without further warning!

Building VeraCrypt from Source

For verifying the Veracrypt sources, you need the PGP key called "VeraCrypt Team veracrypt@idrix.fr" with Key-ID 0x54DDD393.

1. Get VeraCrypt Linux Sources and the signature from https://veracrypt.codeplex.com/
2. Verify the signature like gpg --verify VeraCrypt_1.19_Source.tar.gz.sig VeraCrypt_1.19_Source.tar.gz
3. Unpack the sources
4. Install build requirements with apt-get install make gcc g++ nasm libfuse-dev makeself libwxgtk3.0-dev pkg-config
5. cd to the source dir and run make

Building the kernel image

1. Get the debian sources of the kernel you want to patch. This will in most cases be either the latest kernel from jessie-backports (a dependency of https://packages.debian.org/jessie-backports/linux-image-amd64) or the latest stable kernel from jessie (https://packages.debian.org/jessie/linux-image-amd64). If you choose the kernel from jessie-backports, you will want the unsigned variant. We will tell you how to build a signed kernel image once we have got it working ourselves ;-). You should end up with three files called linux_4.x.dsc resp. linux_3.16.dsc, a corresponding *.orig.tar.xz and *.debian.tar.xz
2. Unpack the sources with dpkg-source -x *.dsc
3. Install all build dependencies as outlined in the *.dsc file, as well as libncurses5-dev and quilt.
4. Copy the patch from here to debian/patches/libata.patch
5. Run these commands in order:
   • sed -i 's/^abiname: .*/abiname: dsctl1/' debian/config/defines
   • echo "libata.patch" >> debian/patches/series
   • quilt push -a
   • debian/rules clean
   • debian/rules clean (yes, again!)
   • fakeroot make -f debian/rules.gen setup_amd64_none_amd64
   • make -C debian/build/build_amd64_none_amd64 nconfig
6. Within the nconfig menu, turn the following off:
   • Device drivers -> IEEE1394
   • Device drivers -> SCSI device support -> SCSI low-level drivers
   • Device drivers -> SCSI device support -> PCMCIA SCSI adapter support
   • Device drivers -> SCSI device support -> SCSI Device Handlers
   • Device drivers -> Network device drivers
   • Networking support -> Amateur radio
   • Networking support -> IrDA (infrared) subsystem support
   • Networking support -> Bluetooth subsystem support
   • Networking support -> Wireless
   • Networking support -> WiMax
   • Networking support -> NFC subsystem
7. Now run:
   • fakeroot debian/rules source
   • fakeroot make -f debian/rules.gen binary-arch_amd64_none_amd64
   • fakeroot make -f debian/rules.gen binary-arch_amd64_none_real

Detailed explanation coming soon.

If you would like to contribute to the project, whether by coding, criticism, translation or other contributions, feel free to contact us here, via email, on Twitter (@DiscreeteLinux) or on GitHub. Donations will be possible soon.