Post-install

Subscribe to secureblue release notifications

Subscribing to release notifications is documented here.

Enroll SecureBoot key

Note

GNOME users on Nvidia images may notice that GNOME Software prompts them to create a new Secure Boot key. This prompt can and should be ignored; use the command below instead.

The secureblue Secure Boot key should enroll automatically after installation, with the MOK password “secureblue”. If enrollment fails or the prompt never appears, you can enroll the key manually with the command below.

ujust enroll-secureblue-secure-boot-key

Validation

To validate your secureblue setup, run:

ujust audit-secureblue

Read the FAQ

A lot of technical issues are covered in the FAQ. For new users, the following topics are particularly important to read:

Kernel argument tuning

A stable set of kernel arguments is preinstalled with secureblue. However, it is recommended that you consult our Kargs article for guidance on tuning Kargs based on your use case.

Flatpak Permissions Tuning

Consult our Flatpak article for guidance on tuning Flatpak permissions.

Setup USBGuard

This generates an allow-list policy from the USB devices currently attached, blocks everything else, and then enables USBGuard. Make sure every device you rely on (keyboard, mouse, security key) is plugged in before running it, since anything not present at generation time will be blocked.

ujust setup-usbguard

Create a separate wheel account for admin purposes

Caution

If you perform these steps out of order, you can end up without any account able to administer your system. The traditional GRUB-based method of fixing mistakes like this is not available either, as it will leave the system in a broken state. Rolling back to an older snapshot of your system should resolve the problem, however.

Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain privilege escalation vectors and password sniffing. You log in as admin to perform the final step of removing wheel from your primary user, so that the removal depends on the admin account existing and working correctly first. You do not need to log in as the wheel user to use it for privileged operations: when logged in as your non-wheel user, Polkit prompts you to authenticate as the wheel user as needed, including when you call run0.

  1. run0
  2. adduser admin
  3. usermod -aG wheel admin
  4. passwd admin
  5. exit
  6. reboot
  7. Log in as admin
  8. run0
  9. gpasswd -d {your username here} wheel
  10. reboot
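Because step 9 is the one that can lock you out, a pre-flight check before removing wheel from your primary user is worthwhile. The script below is an added example, not part of the secureblue documentation or its ujust recipes: it parses a wheel entry in the format printed by `getent group wheel` and confirms that the admin account is already a wheel member and that at least one wheel member remains after your primary user is dropped. The function names, the user names `alice` and `admin`, and the sample group lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not secureblue's own code): pre-flight check before
# "gpasswd -d <your username> wheel". Confirms the admin account is in
# wheel and that dropping the primary user leaves another wheel member.
# Group lines use group(5) syntax:  name:password:gid:member1,member2

# Return 0 when it is safe to remove $primary from the wheel group
# described by $wheel_line: $admin must be a member, and at least one
# member other than $primary must remain afterwards.
safe_to_drop_wheel() {
    primary="$1"; admin="$2"; wheel_line="$3"
    members="${wheel_line##*:}"      # text after the last ':' is the member list
    admin_ok=1; remaining=0
    old_ifs="$IFS"; IFS=,
    for m in $members; do
        [ "$m" = "$admin" ] && admin_ok=0
        [ "$m" != "$primary" ] && remaining=$((remaining + 1))
    done
    IFS="$old_ifs"
    [ "$admin_ok" -eq 0 ] && [ "$remaining" -ge 1 ]
}

# Constructed sample lines. On a real system use the live entry instead:
#   safe_to_drop_wheel "$USER" admin "$(getent group wheel)"
SAMPLE_BEFORE_STEP3='wheel:x:10:alice'          # admin not yet added
SAMPLE_AFTER_STEP3='wheel:x:10:alice,admin'     # after usermod -aG wheel admin

if safe_to_drop_wheel alice admin "$SAMPLE_AFTER_STEP3"; then
    echo "safe: admin is in wheel, alice can be removed"
fi
if ! safe_to_drop_wheel alice admin "$SAMPLE_BEFORE_STEP3"; then
    echo "unsafe: admin is not in wheel yet, do not remove alice"
fi
```

Run it as the admin account (step 8) before step 9; if it reports unsafe, go back and repeat steps 3 and 4 rather than continuing.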

Configure system DNS

The command below interactively sets up system DNS resolution for systemd-resolved (and optionally sets the resolver for Trivalent via management policy). If you intend to use a VPN, keep the system default (the network-provided resolver) so that your system uses the VPN-provided DNS resolver and DNS leaks are prevented. In that case especially, avoid setting the browser DNS policy, because the browser would then bypass the VPN-provided resolver.

ujust dns-selector

Toggle MAC address randomization

Toggle system-wide MAC address randomization in NetworkManager between random and permanent with the command below. Disabling MAC randomization can help with compatibility issues, especially on enterprise networks or captive portals that tie access to a known MAC address. Enabling it improves privacy by preventing your device from being tracked across networks.

ujust toggle-mac-randomization

Bash environment lockdown

To mitigate LD_PRELOAD attacks, run:

ujust toggle-bash-environment-lockdown

LUKS Hardware-Unlock

There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your LUKS volume. FIDO2 enrollment is preferable if you own a hardware security key. It's recommended that you choose only one of these, and not both at the same time.

LUKS FIDO2 Unlock

To enable FIDO2 LUKS unlocking with your FIDO2 security key, run:

ujust setup-luks-fido2-unlock

LUKS TPM2 Unlock

Warning

If you have an AMD CPU, check your firmware settings to confirm that the system uses a discrete TPM device or a Pluton chip. If it uses an fTPM (firmware TPM) instead, skip this step. If you do not know what this means or are unsure, skip this step.

To enable TPM2 LUKS unlocking, run:

ujust setup-luks-tpm-unlock

Type Y when asked if you want to set a PIN.
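Both the FIDO2 and the TPM2 sections above say to enroll only one of the two. The script below is an added example, not part of secureblue or its ujust recipes, for checking the result after enrollment: it reads `cryptsetup luksDump` output, lists the token types in the LUKS2 "Tokens:" section (systemd-cryptenroll records them as `systemd-fido2` and `systemd-tpm2`), and fails if both hardware unlock types are present. The function names and the abridged sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example (not secureblue's own code): verify which systemd unlock
# tokens a LUKS2 volume carries, and flag the "both FIDO2 and TPM2"
# state that the post-install guide advises against.

# Print the type of every entry in the "Tokens:" section, one per line.
# LUKS2 dumps list tokens as "  <n>: <type>" with indented detail lines
# below each; the next unindented "Section:" line ends the section.
luks_token_types() {
    awk '
        /^Tokens:/  { in_tokens = 1; next }
        /^[A-Za-z]/ { in_tokens = 0 }
        in_tokens && /^[[:space:]]+[0-9]+: / { print $2 }
    '
}

# Return 0 when at most one hardware unlock type is enrolled,
# non-zero when both systemd-fido2 and systemd-tpm2 are present.
# Reads luksDump output on stdin.
single_hw_unlock() {
    fido=0; tpm=0
    for t in $(luks_token_types); do
        case "$t" in
            systemd-fido2) fido=1 ;;
            systemd-tpm2)  tpm=1 ;;
        esac
    done
    [ $((fido + tpm)) -le 1 ]
}

# Constructed, abridged sample of a volume with both types enrolled.
# On a real system pipe in the live dump instead:
#   sudo cryptsetup luksDump /dev/disk/by-uuid/<luks-uuid> | single_hw_unlock
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        Keyslot:    1
  1: systemd-tpm2
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'

printf '%s\n' "$SAMPLE_DUMP" | single_hw_unlock \
    || echo "both FIDO2 and TPM2 are enrolled; wipe one with systemd-cryptenroll --wipe-slot="
```

If the check fails, remove the unwanted token with `systemd-cryptenroll --wipe-slot=fido2` or `--wipe-slot=tpm2` on the volume, then re-run the dump to confirm a single hardware token remains alongside your passphrase slot.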

Trivalent Flags

The included Trivalent browser has additional settings in chrome://flags that you may want to set for extra hardening and convenience (some can cause functionality issues).

You can read about these settings in the Trivalent post-install instructions.