DEₑSU Anonymouse

Liberté Linux Documentation


This page describes the general usage scenarios, focusing mainly on security and anonymity features. Using Liberté Linux should be otherwise intuitive (more so if you are familiar with Linux, but not necessarily).

Booting and Shutting Down

Find out how to enable booting from USB, which may be as simple as pressing Esc during POST, and choosing the corresponding option. Press Tab in Liberté boot menu to change the kernel options. The settings may be made permanent in liberte/boot/…:

  • syslinux/syslinux.cfg — for BIOS boot
  • grub/grub.cfg — for (U)EFI boot

Comments in these configuration files summarize the effects of various boot options, some of which are listed at the end of this section.

If it is the first time that you boot Liberté, you will be asked to provide a new password for encrypting the OTFE volume (located in the otfe directory). You will need to enter that password upon each subsequent boot sequence.

During the first boot, cables communication certificates will be generated, too. It is a time-intensive operation due to the asymmetric key size, and typically takes a few minutes.

If possible, use proper shutdown procedures (via logout menu or short power-off button press) which ensure clean states for all writable filesystems (including the encrypted volume). It is, however, possible to just pull out the USB stick — the computer will immediately power off. In either case, RAM is cleared just prior to the actual shutdown / reboot.

Encrypted Volume

Picking a secure password for the encrypted volume is extremely important, since all user’s persistent data is kept on this virtual partition, accessible via ~/persist directory. Do not take the various security “experts” (typically, trained system administration monkeys) too seriously, and consider writing the (long) passphrase down on something that is secured and that you will not carry with the boot media.

You should make regular backups of the .vol file in the otfe directory (the volume header is already backed up in the same directory). Erasing the .vol file is equivalent to making a fresh install of Liberté Linux. Alternatively, upgrading Liberté does not affect the encrypted volume, and is backward-compatible with the volume contents.

Removing settings/config.tar.xz on the volume resets the user configuration in ~/config — remove the file and pull out the USB stick after pressing Win-S to achieve that. Adding nosettings to the boot options temporarily inhibits extraction and saving of user configuration. Note that important data such as cables identity and mailboxes / message queues, hashed passwords, encryption keys, etc. is stored directly in ~/persist, and should not be affected when user configuration is removed. Configuration exclusion patterns can be customized in ~/config/persist.excludes.

The volume can be transparently resized by running sudo otfe-resize in a terminal.

Unencrypted Media

If you only modify data on the encrypted volume, no traces will be left on the computer after shutdown. However, all accessible media (including removable disks) are available at /media. Opening a subdirectory actually mounts the corresponding disk or partition. Each NTFS filesystem has two possible mount points: read-write and read-only. It is advised to use the read-only mount point in order to avoid leaving traces on the filesystem. Note that if the system has been hibernated in Windows, only the read-only mount point is accessible. Other journaling filesystems (ext3, ext4) are always mounted read-only.

Whenever necessary, use secure file deletion (srm -f) to erase files on unencrypted filesystems. Multiple rewrites are unnecessary and misguided due to on-controller write caching — just use the fast rewrite mode. Note that modern flash memory devices with wear leveling (as well as modern HDDs with automatic bad sectors remapping) cannot guarantee such secure file deletion.

Always synchronize pending writes (Win-S) before extracting removable media.

Network Connectivity

Wireless MAC addresses are automatically changed during boot. If you are connecting via an Ethernet cable, and DHCP IP address assignment does not depend on MAC being left intact, you can change the latter by running sudo mac-randomize in a terminal.

Some wireless networks (mainly unsecured hotspots, but sometimes secured networks with guest authentication) require web registration before full connectivity is available. Since all network traffic in Liberté is routed via Tor, which requires such connectivity to operate, this situation is problematic. The solution is to run the Unsafe Browser (which bypasses the firewall) in order to register. Some networks also require bringing the connection down and up after the registration. Needless to say, Unsafe Browser is unsafe, —K.O.

When setting up a VPN connection (including PPTP that is used by some ISPs), the server address must be given as a numeric IP address. Use tor-resolve in console to resolve a hostname without leaking DNS requests. Note that unsafe browser’s traffic goes through VPN circuit, if one has been set up (assuming default routes).

NOTE: I2P support is currently experimental and is disabled by default. To enable I2P (for both browsing and cables communication), add i2p to the kernel parameters in the boot menu, or modify the relevant entry in syslinux.cfg.

Browsing and Instant Messaging

Do not visit unfamiliar sites, since they expose the browser to local exploits. Enable scripting only for trusted sites. Connecting to non-https non-onion sites (i.e., most websites) exposes the traffic on Tor exit node. Same is true for non-SSL connections to IRC and IM servers.

Note that https/SSL communication is only secure between you and the server. E.g., administrative access to an IRC server allows to record all private messages and channel communication where one of the participants is connected to that server.


The Language and Time Zone applet, accessible via Preferences in the start menu, provides a list of UI locales, timezones, and keyboard layouts (e.g., German qwertz or French azerty). Re-login into the X session to activate the changes.

Input languages can be selected by clicking on the uim icons near the tray. Note the difference between languages and keyboard layouts above.

Locking the System

In the X server environment, the system can be locked with Win-L key sequence, by running xlock via the menu, or by closing the laptop lid. During the first lock attempt, you will be prompted for a password to permanently store as a secure hash. To unlock, blindly type the password preceded and followed by the Enter key. After successfully unlocking the system, all delayed tray notification events (if any) will be activated. To reset the password, remove ~/persist/security/lock/passwd.*.

Key Sequences

Keybinding in Openbox Action
Win-E, Win-T, Win-C File explorer, Terminal, Calculator
Win-L, Win-D, Display Lock screen, Show / restore desktop, Monitor(s) settings
Win-S, Win-Escape Synchronize media, Logout
Win-F1, -F2, … Show desktop №1, 2, …
Ctrl / Shift-Alt-Left / Right Switch / send window to left / right desktop
Print / Alt-Print Take desktop / window snapshot
Mail, WWW Mail user agent, Internet browser
AudioMute Toggle master audio output
AudioRaiseVolume / AudioLowerVolume Raise / lower master audio volume by 5%
Alt-Tab, Alt-Escape, Alt-F4 Switch windows, Minimize window, Close window
Ctrl-Space Toggle selected language (uim keybinding)

Boot Options

The gentoo= prefix below is optional, and can combine several parameters (e.g., gentoo=nox,root).

Boot option Effect
readonly Set read-only access for the relevant boot media partition (disabling persistence)
[no]toram Copy SquashFS image to RAM (on by default in .iso images)
blacklist=module,… Comma-separated list of kernel modules to blacklist from autoloading
gentoo=root Unlock root password (liberte) and disable root console timeout
gentoo=xvesa Force VESA video driver in Xorg
gentoo=xfb Force framebuffer video driver in Xorg (useful for EFI when VESA is unavailable)
gentoo=i2p Enable I2P
gentoo=nosettings Do not save/restore user-level application settings in ~/persist/settings/config.tar.xz
gentoo=nox Disable X server configuration (manual startx may still work)
gentoo=nologo Disable desktop background logo (includes the lock screen)
gentoo=noanon Non-anonymous clearnet mode with separate user settings
bridges=IP[:port],… Comma-separated list of Tor bridges to use instead of direct connections to relays (default port is 443)


Root access is possible during the first 2 minutes after boot. Switching to the second terminal (logout to shell, Alt-F2) and typing okroot during that timeframe enables the root user’s password: liberte. After that, switch to the first terminal and launch X server (Alt-F1, Ctrl-D). You can now become root using su - in a terminal. Same effect can be achieved by adding root to the boot menu options (after pressing Tab).

The Administrator Console entry in Liberté boot menu does not configure or start the X server, and simplifies root access by making the procedure above unnecessary.

Adding debug to the boot options runs the shell in initramfs script right after the modules loading phase, where you can check why the boot media cannot be mounted, for example.