Added Debian installation guides

how-to-configure-hardened-debian-server/README.md

@@ -14,7 +14,7 @@ Listed: true
 
 ## Requirements
 
-- Virtual private server (VPS) or dedicated server running Debian 10 (buster) or Debian 11 (bullseye)
+- Computer, virtual private server (VPS) or dedicated server running Debian 10 (buster) or Debian 11 (bullseye) (lean how to install Debian [here](./misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md))
 - Linux or macOS computer
 
 ## Caveats

how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md

@@ -0,0 +1,156 @@
+<!--
+Title: How to create Debian bootable installer on Debian-based operating system
+Description: Learn how to create Debian bootable installer on Debian-based operating system.
+Author: Sun Knudsen <https://github.com/sunknudsen>
+Contributors: Sun Knudsen <https://github.com/sunknudsen>
+Reviewers:
+Publication date: 2022-03-20T14:16:12.705Z
+Listed: true
+-->
+
+# How to create Debian bootable installer on Debian-based operating system
+
+## Requirements
+
+- Computer running Debian-based operating system
+- USB flash drive (data will be permanently destroyed)
+
+## Caveats
+
+- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
+
+## Guide
+
+### Step 1: install dependencies
+
+```
+$ sudo apt update
+
+$ sudo apt install curl gnupg
+```
+
+### Step 2: import “Debian CD signing key” PGP public key
+
+```console
+$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B
+gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
+gpg: Total number processed: 1
+gpg:               imported: 1
+```
+
+### Step 3: set [Debian](https://www.debian.org/) release semver environment variable
+
+> Heads-up: replace `11.2.0` with [latest release](https://www.debian.org/download) semver.
+
+```shell
+DEBIAN_RELEASE_SEMVER=11.2.0
+```
+
+### Step 4: download latest version of [Debian](https://www.debian.org/), checksum and associated PGP signature
+
+> Heads-up: replace `amd64` with architecture of computer on which Debian will be installed (run `dpkg --print-architecture` on Linux to get architecture).
+
+```console
+$ cd /tmp
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   359  100   359    0     0    518      0 --:--:-- --:--:-- --:--:--   517
+100  378M  100  378M    0     0  21.3M      0  0:00:17  0:00:17 --:--:-- 24.3M
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   494  100   494    0     0    713      0 --:--:-- --:--:-- --:--:--   712
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   833  100   833    0     0   1032      0 --:--:-- --:--:-- --:--:--  1032
+```
+
+### Step 5: verify integrity of `SHA512SUMS`
+
+```console
+$ gpg --verify SHA512SUMS.sign
+gpg: assuming signed data in 'SHA512SUMS'
+gpg: Signature made Sat 18 Dec 2021 03:45:36 PM EST
+gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
+gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
+
+$ sha512sum --check --ignore-missing SHA512SUMS
+debian-11.2.0-amd64-netinst.iso: OK
+```
+
+Good signature
+
+👍
+
+OK
+
+👍
+
+### Step 5: create bootable installer
+
+> WARNING: DO NOT RUN THE FOLLOWING COMMANDS AS-IS.
+
+> Heads-up: run `sudo fdisk --list` to find device name of USB flash drive to overwrite with bootable installer (`sda` in the following example).
+
+> Heads-up: replace `sdn` with device name of USB flash drive (`sda` in the following example).
+
+```console
+$ sudo fdisk --list
+Disk /dev/nvme0n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
+Disk model: Samsung SSD 970 EVO Plus 1TB
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: F053B657-4758-4775-98B1-27256D3B46C9
+
+Device           Start        End    Sectors   Size Type
+/dev/nvme0n1p1    2048    1050623    1048576   512M EFI System
+/dev/nvme0n1p2 1050624    2050047     999424   488M Linux filesystem
+/dev/nvme0n1p3 2050048 1953523711 1951473664 930.5G Linux filesystem
+
+
+Disk /dev/mapper/nvme0n1p3_crypt: 930.52 GiB, 999137738752 bytes, 1951440896 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+
+
+Disk /dev/mapper/debian--vg-root: 930.52 GiB, 999133544448 bytes, 1951432704 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+
+
+Disk /dev/sda: 29.88 GiB, 32080200192 bytes, 62656641 sectors
+Disk model: Flash Drive
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x2a6b8479
+
+Device     Boot Start    End Sectors  Size Id Type
+/dev/sda1  *        0 774143  774144  378M  0 Empty
+/dev/sda2        4060   9243    5184  2.5M ef EFI (FAT-12/16/32)
+
+$ sudo umount /dev/sdn*
+umount: /dev/sda: not mounted.
+umount: /dev/sda1: not mounted.
+umount: /dev/sda2: not mounted.
+
+$ sudo dd bs=1M if=debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso of=/dev/sdn
+378+0 records in
+378+0 records out
+396361728 bytes (396 MB, 378 MiB) copied, 18.4317 s, 21.5 MB/s
+```
+
+👍

how-to-configure-hardened-debian-server/misc/how-to-create-debian-bootable-installer-on-macos/README.md

@@ -0,0 +1,151 @@
+<!--
+Title: How to create Debian bootable installer on macOS
+Description: Learn how to create Debian bootable installer on macOS.
+Author: Sun Knudsen <https://github.com/sunknudsen>
+Contributors: Sun Knudsen <https://github.com/sunknudsen>
+Reviewers:
+Publication date: 2022-03-20T14:16:12.705Z
+Listed: true
+-->
+
+# How to create Debian bootable installer on macOS
+
+## Requirements
+
+- macOS computer
+- USB flash drive (data will be permanently destroyed)
+
+## Caveats
+
+- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
+
+## Guide
+
+### Step 1: install [Homebrew](https://brew.sh/)
+
+```console
+$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+
+$ uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc
+```
+
+### Step 2: disable Homebrew analytics
+
+```shell
+brew analytics off
+```
+
+### Step 3: install dependencies
+
+```shell
+brew install gnupg
+```
+
+### Step 4: import “Debian CD signing key” PGP public key
+
+```console
+$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B
+gpg: Total number processed: 1
+gpg:               imported: 1
+```
+
+### Step 5: set [Debian](https://www.debian.org/) release semver environment variable
+
+> Heads-up: replace `11.2.0` with [latest release](https://www.debian.org/download) semver.
+
+```shell
+DEBIAN_RELEASE_SEMVER=11.2.0
+```
+
+### Step 6: download latest version of [Debian](https://www.debian.org/), checksum and associated PGP signature
+
+```console
+$ cd /tmp
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   359  100   359    0     0    464      0 --:--:-- --:--:-- --:--:--   464
+100  378M  100  378M    0     0  20.6M      0  0:00:18  0:00:18 --:--:-- 23.6M
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   494  100   494    0     0    918      0 --:--:-- --:--:-- --:--:--   918
+
+$ curl --fail --location --remote-name https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS.sign
+```
+
+### Step 7: verify integrity of `SHA512SUMS`
+
+```console
+$ gpg --verify SHA512SUMS.sign
+gpg: assuming signed data in 'SHA512SUMS'
+gpg: Signature made Sat 18 Dec 2021 03:45:36 PM EST
+gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
+gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
+
+$ shasum --algorithm 512 --check --ignore-missing SHA512SUMS
+debian-11.2.0-amd64-netinst.iso: OK
+```
+
+Good signature
+
+👍
+
+OK
+
+👍
+
+### Step 8: create bootable installer
+
+> WARNING: DO NOT RUN THE FOLLOWING COMMANDS AS-IS.
+
+> Heads-up: run `diskutil list` to find disk ID of USB flash drive to overwrite with bootable installer (`disk4` in the following example).
+
+> Heads-up: replace `diskn` and `rdiskn` with disk ID of microSD card (`disk4` and `rdisk4` in the following example) and `debian-11.2.0-amd64-netinst.iso` with current image.
+
+> Heads-up: please ignore “The disk you attached was not readable by this computer.” error and click “Eject”.
+
+```console
+$ diskutil list
+/dev/disk0 (internal):
+   #:                       TYPE NAME                    SIZE       IDENTIFIER
+   0:      GUID_partition_scheme                         500.3 GB   disk0
+   1:             Apple_APFS_ISC                         524.3 MB   disk0s1
+   2:                 Apple_APFS Container disk3         494.4 GB   disk0s2
+   3:        Apple_APFS_Recovery                         5.4 GB     disk0s3
+
+/dev/disk3 (synthesized):
+   #:                       TYPE NAME                    SIZE       IDENTIFIER
+   0:      APFS Container Scheme -                      +494.4 GB   disk3
+                                 Physical Store disk0s2
+   1:                APFS Volume Macintosh HD            15.3 GB    disk3s1
+   2:              APFS Snapshot com.apple.os.update-... 15.3 GB    disk3s1s1
+   3:                APFS Volume Preboot                 412.3 MB   disk3s2
+   4:                APFS Volume Recovery                807.3 MB   disk3s3
+   5:                APFS Volume Data                    322.3 GB   disk3s5
+   6:                APFS Volume VM                      2.1 GB     disk3s6
+
+/dev/disk4 (external, physical):
+   #:                       TYPE NAME                    SIZE       IDENTIFIER
+   0:     Apple_partition_scheme                        *32.1 GB    disk4
+   1:        Apple_partition_map                         4.1 KB     disk4s1
+   2:                  Apple_HFS                         2.7 MB     disk4s2
+
+$ sudo diskutil unmount /dev/diskn
+disk4 was already unmounted or it has a partitioning scheme so use "diskutil unmountDisk" instead
+
+$ sudo diskutil unmountDisk /dev/diskn (if previous step fails)
+Unmount of all volumes on disk4 was successful
+
+$ sudo dd bs=1m if=debian-${DEBIAN_RELEASE_SEMVER}-amd64-netinst.iso of=/dev/rdisk4
+378+0 records in
+378+0 records out
+396361728 bytes transferred in 15.700749 secs (25244766 bytes/sec)
+```
+
+👍

how-to-configure-hardened-debian-server/misc/how-to-install-luks-encrypted-debian-operating-system-using-bootable-installer/README.md

@@ -0,0 +1,174 @@
+<!--
+Title: How to install LUKS-encrypted Debian operating system using bootable installer
+Description: Learn how to install LUKS-encrypted Debian operating system using bootable installer.
+Author: Sun Knudsen <https://github.com/sunknudsen>
+Contributors: Sun Knudsen <https://github.com/sunknudsen>
+Reviewers:
+Publication date: 2022-03-20T14:16:12.705Z
+Listed: true
+-->
+
+# How to install LUKS-encrypted Debian operating system using bootable installer
+
+## Requirements
+
+- Debian-compatible computer with [AES instruction set](https://en.wikipedia.org/wiki/AES_instruction_set)
+- Debian bootable installer (learn how to create one on Debian-based operating system [here](../how-to-create-debian-bootable-installer-on-debian-based-operating-system/README.md) or on macOS [there](../how-to-create-debian-bootable-installer-on-macos/README.md))
+
+## Guide
+
+### Step 1: insert bootable installer
+
+### Step 2: disable [Compatibility Support Module (CSM)](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#CSM_booting) (also known as “Legacy Support”) and enable [Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot)
+
+> Heads-up: step is non-deterministic given manufacturers use different BIOS keys to boot to BIOS and menus to set [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) features.
+
+> Heads-up: on some computers, a “Fast Boot” feature is enabled making it hard to enter BIOS keys… disconnecting disk temporarily disables “Fast Boot”.
+
+On HP EliteDesk 800 G2 Mini, press <kbd>F10</kbd> when HP logo appears, go to “Advanced” tab, select “Secure Boot Configuration”, press <kbd>enter</kbd>, select “Legacy Support Disable and Secure Boot Enable” under “Configure Legacy Support and Secure Boot”, press <kbd>F10</kbd>, when asked to save changes, select “Yes” and, finally, press <kbd>enter</kbd>.
+
+### Step 3: boot to bootable installer
+
+> Heads-up: step is non-deterministic given manufacturers use different BIOS keys and default boot orders.
+
+On HP EliteDesk 800 G2 Mini, press <kbd>F9</kbd> when HP logo appears, select bootable installer device and, finally, press <kbd>enter</kbd>.
+
+### Step 4: start installation
+
+Select “Install” and press <kbd>enter</kbd>.
+
+### Step 5: select language
+
+Select language and press <kbd>enter</kbd>.
+
+### Step 6: select location
+
+Select country, territory or area and press <kbd>enter</kbd>.
+
+### Step 7: configure keyboard
+
+Select keymap and press <kbd>enter</kbd>.
+
+### Step 8: configure network
+
+#### Set hostname
+
+Enter hostname and press <kbd>enter</kbd>.
+
+#### Set domain
+
+Enter domain (typically left blank) and press <kbd>enter</kbd>.
+
+### Step 9: set up users and passwords
+
+#### Set root password
+
+> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.
+
+Enter root password, press <kbd>enter</kbd>, re-enter password and, finally, press <kbd>enter</kbd>.
+
+#### Set full name of new user
+
+Enter full name of new user and press <kbd>enter</kbd>.
+
+#### Set username of new user
+
+Enter account username (typically left as-is) and press <kbd>enter</kbd>.
+
+#### Set password of new user
+
+> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.
+
+Enter user password, press <kbd>enter</kbd>, re-enter password and, finally, press <kbd>enter</kbd>.
+
+### Step 10: configure clock
+
+Select time zone and press <kbd>enter</kbd>.
+
+### Step 11: partition disks
+
+#### Set partitioning method
+
+Select “Guided - use entire disk and set up encrypted LVM” and press <kbd>enter</kbd>.
+
+#### Set disk to partition
+
+> Heads-up: data on selected device will be permanently destroyed.
+
+Select device and press <kbd>enter</kbd>.
+
+#### Set partitioning scheme
+
+Select “All files in one partition (recommended for new users)” and press <kbd>enter</kbd>.
+
+When asked to write changes to disk, select “Yes” and, finally, press <kbd>enter</kbd>.
+
+#### Overwrite encrypted partition
+
+> Heads-up: can be cancelled at the expense of slightly weaker encryption.
+
+#### Set encryption passphrase
+
+> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.
+
+> Heads-up: can be set to user password at the expense of reduction in security.
+
+Enter encryption passphrase, press <kbd>enter</kbd>, re-enter passphrase and, finally, press <kbd>enter</kbd>.
+
+#### Set volume group size
+
+Enter amount (typically left as-is) and press <kbd>enter</kbd>.
+
+#### Delete “swap” logical volume
+
+Select “Configure the Logical Volume Manager” and press <kbd>enter</kbd>.
+
+When asked to write changes to disk, select “Yes” and press <kbd>enter</kbd>.
+
+Select “Delete logical volume”, press <kbd>enter</kbd>, select “root” and, finally, press <kbd>enter</kbd>.
+
+Select “Delete logical volume”, press <kbd>enter</kbd>, select “swap_1” and, finally, press <kbd>enter</kbd>.
+
+Select “Create logical volume”, press <kbd>enter</kbd>, select volume group, press <kbd>enter</kbd>, enter “root” as “Logical volume name”, press <kbd>enter</kbd>, enter “Logical volume size” (typically left as-is) and, finally, press <kbd>enter</kbd>.
+
+Select “Finish” and press <kbd>enter</kbd>.
+
+Select “LVM” logical volume “#1”, press <kbd>enter</kbd>, select “Use as”, press <kbd>enter</kbd>, select “Ext4 journaling file system”, press <kbd>enter</kbd>, select “Mount point”, press <kbd>enter</kbd>, select “/ - the root file system”, press <kbd>enter</kbd>, select “Done setting up the partition” and, finally, press <kbd>enter</kbd>.
+
+![Partitions](./partitions.png)
+
+Select “Finish partitioning and write changes to disk” and press <kbd>enter</kbd>.
+
+When “Do you want to return to the partitioning menu?” warning is displayed, select “No” and, finally, press <kbd>enter</kbd>.
+
+When “Write the changes to disks” prompt is displayed, select “Yes” and, finally, press <kbd>enter</kbd>.
+
+### Step 12: configure package manager
+
+#### Set archive mirror country
+
+Select Debian archive mirror country and press <kbd>enter</kbd>.
+
+#### Set archive mirror
+
+Select Debian archive mirror and press <kbd>enter</kbd>.
+
+#### Set proxy
+
+Enter HTTP proxy (typically left blank) and press <kbd>enter</kbd>.
+
+### Step 13: configure popularity-contest
+
+Select “No” and press <kbd>enter</kbd>.
+
+### Step 14: select software
+
+![Software selection](./software-selection.png)
+
+Using <kbd>space bar</kbd>, disable everything except “SSH server”, select “SSH server” and, finally, press <kbd>enter</kbd>.
+
+### Step 15: finish installation
+
+Remove bootable installer from computer and press <kbd>enter</kbd>.
+
+👍