Post-install
Subscribe to secureblue release notifications
Subscribing to release notifications is documented here.
Enroll SecureBoot key
Note
GNOME users on Nvidia images may notice that Gnome Software prompts them to create a new secureboot key. This prompt can and should be ignored, and the command below used instead.
The secureblue Secure Boot key should automatically enroll after installation, with the MOK password “secureblue”. If this fails or doesn’t appear for whatever reason, you can manually enroll the key with the command below.
ujust enroll-secureblue-secure-boot-key
Validation
To validate your secureblue setup, run:
ujust audit-secureblue
Read the FAQ
A lot of technical issues are covered in the FAQ. For new users, the following topics are particularly important to read:
- Why is Bluetooth disabled? How do I enable it?
- Why doesn’t my Xwayland app work?
- An app I use won’t start due to a malloc issue. How do I fix it?
- Why don’t my appimages work?
- How do I install my VPN?
- Why am I unable to start containers?
Kernel argument tuning
A stable set of kernel arguments is preinstalled with secureblue. However, it is recommended that you consult our Kargs article for guidance on tuning Kargs based on your use case.
Flatpak Permissions Tuning
Consult our Flatpak article for guidance on tuning Flatpak permissions.
Setup USBGuard
This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.
ujust setup-usbguard
Create a separate wheel account for admin purposes
Caution
If you do these steps out of order, it is possible to end up without the ability to administer your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this either, as that will leave your system in a broken state. However, simply rolling back to an older snapshot of your system should resolve the problem.
Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain privilege escalation attack vectors and password sniffing. The final step, removing wheel privileges from your primary user account, is done while logged in as admin so that the removal can only succeed once the admin account exists and is working correctly. You don't need to log in as your wheel user to use it for privileged operations: when logged in as your non-wheel user, Polkit will prompt you to authenticate as your wheel user as needed, or when you request it by calling run0.
- run0
- adduser admin
- usermod -aG wheel admin
- passwd admin
- exit
- reboot
- Log in as admin
- run0
- gpasswd -d {your username here} wheel
- reboot
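The caution above is about ordering: the last step must not leave the system with no wheel member. The following added example (not part of the secureblue docs or its ujust recipes; all function names are assumptions) checks a wheel group entry, in the format of /etc/group or getent group wheel, and refuses the removal unless another wheel member remains.

```shell
#!/bin/sh
# Added example, not secureblue code. Guards the final step of the wheel-account
# procedure: before removing "wheel" from the primary user, confirm that another
# wheel member (the admin account) exists, so no administrator is left behind.
# The group entry is passed in as text so the check can run offline.

# wheel_members ENTRY -> prints the comma-separated member list of a group entry
wheel_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# other_wheel_member USER ENTRY -> prints the first wheel member that is not USER,
# returns 1 if there is none
other_wheel_member() {
    user=$1
    members=$(wheel_members "$2")
    old_ifs=$IFS
    IFS=,
    for m in $members; do
        if [ -n "$m" ] && [ "$m" != "$user" ]; then
            IFS=$old_ifs
            printf '%s\n' "$m"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# safe_to_drop_wheel USER ENTRY -> 0 if USER may leave wheel (someone else stays), 1 otherwise
safe_to_drop_wheel() {
    if other=$(other_wheel_member "$1" "$2"); then
        echo "ok: $other keeps wheel after removing $1" >&2
        return 0
    fi
    echo "refusing: $1 is the only wheel member" >&2
    return 1
}

# Live use, inside run0 after logging in as admin (constructed usage, not run here):
#   entry=$(getent group wheel)
#   safe_to_drop_wheel '{your username here}' "$entry" && gpasswd -d '{your username here}' wheel
```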
Configure system DNS
The command below will interactively set up system DNS resolution for systemd-resolved (and optionally set the resolver for Trivalent via management policy). If you intend to use a VPN, use the system default state (network provided resolver). This ensures your system uses the VPN-provided DNS resolver, preventing DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case.
ujust dns-selector
Toggle MAC address randomization
Toggle system-wide MAC address randomization in NetworkManager between random and permanent using the command below. Disabling MAC randomization can help with network compatibility issues, especially in enterprise or captive portal environments. Enabling it improves privacy by preventing tracking across networks.
ujust toggle-mac-randomization
Bash environment lockdown
To mitigate LD_PRELOAD attacks, run:
ujust toggle-bash-environment-lockdown
LUKS Hardware-Unlock
There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your LUKS volume. FIDO2 enrollment is preferable if you own a hardware security key. It's recommended that you choose only one of these, and not both at the same time.
LUKS FIDO2 Unlock
To enable FIDO2 LUKS unlocking with your FIDO2 security key, run:
ujust setup-luks-fido2-unlock
LUKS TPM2 Unlock
Warning
If you have an AMD CPU, check your firmware settings to make sure it is using a dedicated TPM device or a Pluton Chip. If not and it is using an fTPM (firmware TPM), skip this step. If you do not know what this means or are unsure, just skip this step.
To enable TPM2 LUKS unlocking, run:
ujust setup-luks-tpm-unlock
Type Y when asked if you want to set a PIN.
Trivalent Flags
The included Trivalent browser has some additional settings in chrome://flags that you may want to set for additional hardening and convenience (they can cause functionality issues in some cases).
You can read about these settings in the Trivalent post-install instructions.