This page describes the general usage scenarios, focusing mainly on security and anonymity features. Using Liberté Linux should be otherwise intuitive (more so if you are familiar with Linux, but not necessarily).
Booting and Shutting Down
Find out how to enable booting from USB, which may be as simple as pressing Esc during POST, and choosing the corresponding option. Press Tab in the Liberté boot menu to change the kernel options. The settings may be made permanent in
syslinux/syslinux.cfg — for BIOS boot
grub/grub.cfg — for (U)EFI boot
Comments in these configuration files summarize the effects of various boot options, some of which are listed at the end of this section.
If it is the first time that you boot Liberté, you will be asked to provide a new password for encrypting the OTFE volume (located in the otfe directory). You will need to enter that password upon each subsequent boot sequence.
During the first boot, cables communication certificates will be generated, too. It is a time-intensive operation due to the asymmetric key size, and typically takes a few minutes.
If possible, use proper shutdown procedures (via logout menu or short power-off button press) which ensure clean states for all writable filesystems (including the encrypted volume). It is, however, possible to just pull out the USB stick — the computer will immediately power off. In either case, RAM is cleared just prior to the actual shutdown / reboot.
Picking a secure password for the encrypted volume is extremely important, since all of the user's persistent data is kept on this virtual partition, accessible via the ~/persist directory. Do not take the various security “experts” (typically, trained system administration monkeys) too seriously, and consider writing the (long) passphrase down on something that is secured and that you will not carry with the boot media.
You should make regular backups of the .vol file in the otfe directory (the volume header is already backed up in the same directory). Erasing the .vol file is equivalent to making a fresh install of Liberté Linux. Alternatively, upgrading Liberté does not affect the encrypted volume, and is backward-compatible with the volume contents.
Removing settings/config.tar.xz on the volume resets the user configuration in ~/config — remove the file and pull out the USB stick after pressing Win-S to achieve that. Adding nosettings to the boot options temporarily inhibits extraction and saving of user configuration. Note that important data such as cables identity and mailboxes / message queues, hashed passwords, encryption keys, etc. is stored directly in ~/persist, and should not be affected when user configuration is removed. Configuration exclusion patterns can be customized in
The volume can be transparently resized by running sudo otfe-resize in a terminal.
If you only modify data on the encrypted volume, no traces will be left on the computer after shutdown. However, all accessible media (including removable disks) are available at /media. Opening a subdirectory actually mounts the corresponding disk or partition. Each NTFS filesystem has two possible mount points: read-write and read-only. It is advised to use the read-only mount point in order to avoid leaving traces on the filesystem. Note that if the system has been hibernated in Windows, only the read-only mount point is accessible. Other journaling filesystems (ext4) are always mounted read-only.
Whenever necessary, use secure file deletion (srm -f) to erase files on unencrypted filesystems. Multiple rewrites are unnecessary and misguided due to on-controller write caching — just use the fast rewrite mode. Note that modern flash memory devices with wear leveling (as well as modern HDDs with automatic bad sector remapping) cannot guarantee such secure file deletion.
Always synchronize pending writes (Win-S) before extracting removable media.
Wireless MAC addresses are automatically changed during boot. If you are connecting via an Ethernet cable, and DHCP IP address assignment does not depend on MAC being left intact, you can change the latter by running sudo mac-randomize in a terminal.
Some wireless networks (mainly unsecured hotspots, but sometimes secured networks with guest authentication) require web registration before full connectivity is available. Since all network traffic in Liberté is routed via Tor, which requires such connectivity to operate, this situation is problematic. The solution is to run the Unsafe Browser (which bypasses the firewall) in order to register. Some networks also require bringing the connection down and up after the registration. Needless to say, Unsafe Browser is unsafe, —K.O.
When setting up a VPN connection (including PPTP that is used by some ISPs), the server address must be given as a numeric IP address. Use tor-resolve in a console to resolve a hostname without leaking DNS requests. Note that the Unsafe Browser's traffic goes through the VPN circuit, if one has been set up (assuming default routes).
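The VPN address rule above, as an added example (not part of Liberté or of the original page): a shell helper that accepts a numeric IPv4 address as is and sends anything else through tor-resolve, never the system resolver. The function names are hypothetical, IPv6 is not handled, and tor-resolve is assumed to reach Tor on its default SOCKS address.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Liberté tools.

# Succeed only if $1 is a dotted-quad IPv4 literal (octets 0..255).
# Leading zeros are rejected because some parsers read them as octal.
is_ipv4_literal() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the numeric address to put in the VPN settings for server $1.
# Hostnames go through Tor via tor-resolve; there is no fallback to the
# system resolver, so a failure cannot turn into a leaked DNS query.
vpn_server_ip() {
    if is_ipv4_literal "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    if ! command -v tor-resolve >/dev/null 2>&1; then
        echo "tor-resolve not found; refusing to resolve $1" >&2
        return 2
    fi
    ip=$(tor-resolve "$1") || return 3
    # Accept only a well-formed address from the resolver output.
    is_ipv4_literal "$ip" || return 3
    printf '%s\n' "$ip"
}

# Usage: sh vpn-ip.sh vpn.example.org   (constructed hostname)
if [ "$#" -gt 0 ]; then
    vpn_server_ip "$1"
fi
```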
NOTE: I2P support is currently experimental and is disabled by default. To enable I2P (for both browsing and cables communication), add i2p to the kernel parameters in the boot menu, or modify the relevant entry in
Browsing and Instant Messaging
Do not visit unfamiliar sites, since they expose the browser to local exploits. Enable scripting only for trusted sites. Connecting to non-onion sites (i.e., most websites) exposes the traffic at the Tor exit node. The same is true for non-SSL connections to IRC and IM servers.
https/SSL communication is only secure between you and the server. E.g., administrative access to an IRC server allows recording all private messages and channel communication where one of the participants is connected to that server.
The Language and Time Zone applet, accessible via Preferences in the start menu, provides a list of UI locales, timezones, and keyboard layouts (e.g., German qwertz or French azerty). Re-login into the X session to activate the changes.
Input languages can be selected by clicking on the uim icons near the tray. Note the difference between languages and keyboard layouts above.
Locking the System
In the X server environment, the system can be locked with the Win-L key sequence, by running xlock via the menu, or by closing the laptop lid. During the first lock attempt, you will be prompted for a password to permanently store as a secure hash. To unlock, blindly type the password preceded and followed by the Enter key. After successfully unlocking the system, all delayed tray notification events (if any) will be activated. To reset the password, remove
|Keybinding in Openbox||Action|
| ||File explorer, Terminal, Calculator|
| ||Lock screen, Show / restore desktop, Monitor(s) settings|
| ||Synchronize media, Logout|
| ||Show desktop №1, 2, …|
| ||Switch / send window to left / right desktop|
| ||Take desktop / window snapshot|
| ||Mail user agent, Internet browser|
| ||Toggle master audio output|
| ||Raise / lower master audio volume by 5%|
| ||Switch windows, Minimize window, Close window|
| ||Toggle selected language (uim keybinding)|
gentoo= prefix below is optional, and can combine several parameters (e.g.,
| ||Set read-only access for the relevant boot media partition (disabling persistence)|
| || Copy SquashFS image to RAM (on by default in |
| ||Comma-separated list of kernel modules to blacklist from autoloading|
| || Unlock root password (|
| ||Force VESA video driver in Xorg|
| ||Force framebuffer video driver in Xorg (useful for EFI when VESA is unavailable)|
| ||Enable I2P|
| || Do not save/restore user-level application settings in |
| || Disable X server configuration (manual |
| ||Disable desktop background logo (includes the lock screen)|
| ||Non-anonymous clearnet mode with separate user settings|
| || Comma-separated list of Tor bridges to use instead of direct connections to relays (default port is |
Root access is possible during the first 2 minutes after boot. Switching to the second terminal (logout to shell, Alt-F2) and typing okroot during that timeframe enables the root user's password: liberte. After that, switch to the first terminal and launch the X server (Ctrl-D). You can now become root using su - in a terminal. The same effect can be achieved by adding root to the boot menu options (after pressing
The Administrator Console entry in Liberté boot menu does not configure or start the X server, and simplifies root access by making the procedure above unnecessary.
Adding debug to the boot options runs the shell in the initramfs script right after the module loading phase, where you can check, for example, why the boot media cannot be mounted.