Congratulations! You just ordered a PrivacyBeast X230!

STEP 1: PROCESSING YOUR ORDER

If you paid by credit card, you are going to receive a “processing order” e-mail, thanking you for having ordered from us and stating that your order is now processing. This means that funds have been sent, not yet received. It also points to this post, to help you understand the process of owning your PrivacyBeast X230.

  • If paid by Credit Card (Elavon), the funds will be released to Insurgo within 2 working days.

In all cases, the process starts when the funds are received, and your hardware is ordered at that point. Thank you for your understanding.

To get your product shipped, enter the ownership process below:

  1. Choose an encrypted communication channel using one of the supported methods stated under the contact section of the site.
  2. Initiate contact with Insurgo by STATING YOUR ORDER NUMBER and timezone (UTC +/- X) after having verified the chosen encrypted communication channel, following the “How to use” links found in the contact section of the site.
  3. Prior to shipping your unit, you will receive the following through that established communication channel:
    • An OEM TPMTOTP QR code, which needs to be scanned with an OTP application of your choice (such as FreeOTP) on your smartphone.
      • Search your smartphone’s application store for “OTP” to install such a compatible application, prioritizing open source options.
      • That scanned QR code can be used as an optional (recommended) second-factor authentication seed, yielding a 6-digit 2FA code that changes every 30 seconds.
      • The QR code is a secret.
      • The TOTP code requires both phone and computer to have synchronized clocks, and the Heads real-time clock (RTC) needs to stay in the UTC timezone for the OTP codes to match on both devices.
      • A new QR code will be generated at re-ownership, replacing this one.
    • Pictures of the tamper-evident seals on the main screws, enabling you to visually verify that the device was not opened in transit.
      • The Blink Comparison application (Android) is recommended upon reception of the device, so that you are guided in re-inspecting your device when needed, between uses.
  4. Upon reception of the hardware:
    • Recontact Insurgo through the established secure communication channel.
    • You will then receive a transitional and unique OEM Disk Recovery Key passphrase, needed to re-encrypt your installation.

IMPORTANT: WE WILL NOT SHIP YOUR HARDWARE UNTIL ABOVE STEPS 1 TO 3 ARE CONFIRMED DONE.

STEP 2: PREPARING YOUR PRODUCT

Insurgo will now:

  • Order your hardware (~5 working days to be refurbished and received),
  • Prepare it (~1 working day)
  • Get it shipped to you (pickup and shipping ~5 days).

If you haven’t reviewed separation of duties, now would be a good time to read it.

STEP 3: YOUR ORDER IS COMPLETE

You will then receive an additional e-mail stating that your order is complete.

At that point, you and Insurgo should already have established contact through the encrypted communication channel. The pictures of the tamper-evident seals on the main screws and the TPMTOTP QR code should have been shared with you by this point.

STEP 4: TRACKING & RECEIVING YOUR ORDER

You will then receive an additional e-mail containing shipping tracking information. The shipment should start moving the following day.

You are responsible for tracking the shipment and paying the relevant import fees ASAP so it can cross borders. You can reschedule the delivery at your convenience so that the recipient is available to sign for the package, after having validated that the box is undamaged.

At that point, once you have accepted the package, plug in the US power adapter and make sure the laptop boots into Heads, without going any further.

At this point, communicate through the established secure communication channel to receive your current OEM Disk Recovery Key passphrase and to schedule a support session if needed.

STEP 5: TAKING OWNERSHIP OF YOUR PRIVACYBEAST X230

Preparation steps

  1. Note down the following on a piece of paper, which you will enter as you go through the Re-Ownership wizard:
    • Chosen LUKS Disk Recovery Key passphrase:
    • TPM Ownership passphrase:
    • USB Security dongle’s GPG Admin PIN:
    • USB Security dongle’s GPG User PIN:
    • Chosen Disk Unlock Key passphrase (TPM Disk encryption key passphrase):
    • Qubes user’s login passphrase:
  2. Gather the following:
    • US AC Power adapter
    • Your laptop
    • International Power adapter
    • USB Security dongle (Librem Key / Nitrokey Pro)
    • OEM current Disk Recovery Key Passphrase
  3. Open the installed OTP app on your smartphone and have the TOTP code shown for quick verification.
  4. Boot your newly received PrivacyBeast X230:
    1. Plug the AC adapter into both the laptop and the power outlet. Power it on.
    2. Plug in the USB Security dongle when prompted. Be aware of its LED flashing behaviour:
      • Each time an operation is happening on the USB Security dongle, its LED will be red.
      • After validating the USB Security dongle insertion prompt, the LED will again flash red briefly (an operation occurs), but should then flash green, visually attesting to the integrity of the measured state from the USB Security dongle itself.
      • The measured state will also be confirmed on screen with HOTP:Success, confirming that the measured state passed the HOTP challenge reported to Heads.
    3. On the Heads main screen, you should notice HOTP:Success and TOTP: XXXXXX, where X are 6 digits which should match the ones in your smartphone’s OTP application (if time is not skewed).
      • TOTP, as opposed to HOTP, requires time and date to be consistent between devices.
        • If HOTP is valid, you can continue safely.
        • If the TOTP mismatch is a concern to you, please reach out through the established secure communication channel so we can fix your clock prior to going forward.
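
The HOTP-versus-TOTP distinction above, as an added example that is not part of Insurgo’s guide or of the Heads firmware: a minimal RFC 4226/6238 implementation using the public RFC test-vector secret (not a real TPMTOTP seed), showing that a clock skew changes the TOTP code while the counter-based HOTP code is unaffected.

```python
"""HOTP (RFC 4226) vs TOTP (RFC 6238): same seed, different inputs.

HOTP depends on a counter the dongle and Heads advance together, so a wrong
clock cannot break it; TOTP derives its counter from UTC time, so the phone
and the Heads RTC must agree (and the RTC must be kept in UTC)."""
import hashlib
import hmac
import struct

# Public RFC 4226/6238 test-vector secret, NOT a real TPMTOTP seed (the real
# seed is secret: it lives only in the provisioned QR code and the TPM).
DEMO_SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP window, matching the 30 s rotation on the Heads screen


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows since
    the Unix epoch. unix_time must be UTC; an RTC kept in local time shifts the
    counter by whole hours and every code mismatches."""
    return hotp(secret, unix_time // step, digits)


def totp_skew(secret: bytes, shown: str, unix_time: int, window: int = 1):
    """Return the step offset (-window..+window) at which `shown` matches the
    verifier's clock, or None. Small drift is tolerated; hours are not."""
    base = unix_time // STEP
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k), shown):
            return k
    return None


def skew_demo(skew_seconds: int, at: int = 59) -> dict:
    """Codes seen on a phone with the right time and on a laptop whose clock is
    off by `skew_seconds`. HOTP (counter 1 on both sides) is unaffected."""
    return {
        "hotp_phone": hotp(DEMO_SEED, 1),
        "hotp_laptop": hotp(DEMO_SEED, 1),
        "totp_phone": totp(DEMO_SEED, at),
        "totp_laptop": totp(DEMO_SEED, at + skew_seconds),
    }
```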

Re-Ownership

A complete, uncut video showing the exact same steps below is available here.

  1. You are now ready to launch the Re-Ownership wizard. Select Options -> OEM Factory Reset / Re-Ownership.
    1. The wizard will guide you through the process, first warning you of what the process will do: basically, replacing all provisioned secrets with your own. Select Continue.
    2. A Measured Integrity Report will provide a TOTP/HOTP/BOOT INTEGRITY report. Select OK to continue only if the report is good.
    3. Would you like to change the current LUKS Disk Recovery Key passphrase? Type Y
    4. Would you like to re-encrypt LUKS encrypted container and generate a new Disk Recovery key? Type Y
      1. Enter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM): Provide the OEM Disk Recovery Key passphrase that was shared with you upon reception of your order.
    5. The wizard lists the security components that need to be provisioned following the previous choices:
      • LUKS Disk Recovery Key passphrase
      • TPM Ownership password
      • GPG Admin PIN
      • GPG User PIN
    6. Would you like to set a single custom password that will be provisioned to previously stated security components? Type N
    7. Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? Type Y
      1. Choose strong passwords/passphrases that meet the minimal passphrase length requirements. The Diceware method with the EFF dictionary is strongly advised. Click here to understand why.
        1. Enter desired TPM Ownership password:
          • This passphrase is used once to take ownership of the TPM and is never asked for again unless you reinstall the OS (if the /boot partition or /boot/kexec_rollback.txt is wiped). You can safely select a two-word Diceware passphrase.
            • Example: Hanky Parachute
        2. Enter Desired GPG Admin PIN:
          • This passphrase is required for:
            • Administering the USB Security dongle: when sealing remote attestation through HOTP into the GPG smartcard
            • Unlocking the GPG User PIN when it is locked: you will need the GPG Admin PIN for that
          • This PIN will lock you out after entering 3 bad PINs in a row.
            • Consequently, it is strongly advised to pick a 2-word Diceware passphrase that you won’t have difficulty remembering and typing, kept safe so you can get to it when needed, since you won’t need it very often.
              • Example: Blooming Outfit
        3. Enter Desired GPG User PIN:
          • This passphrase is used when conducting user operations on the USB Security dongle:
            • When signing /boot content after a Qubes dom0 upgrade has modified /boot
            • When extending your public key’s expiration date
            • When encrypting/signing/authenticating content, etc.
          • This PIN will lock you out after entering 3 bad PINs in a row.
            • Consequently, it is strongly advised to pick a 2-word Diceware passphrase that you won’t have difficulty typing and remembering. This passphrase will be requested of you at least monthly, and daily if you use it to encrypt/sign content.
              • Example: Recreate Anything
    8. Enter desired replacement for current Disk Recovery Key passphrase:
      • This passphrase is probably the most sensitive of all passphrases and should be protected accordingly. An adversary knowing or brute-forcing this passphrase would be able to decrypt this drive, or a clone of it, at leisure.
        • This passphrase needs to be typed only rarely:
          • When setting a TPM Disk Encryption Key (Disk Unlock Key) and its associated passphrase, or when you wish to manually change your Disk Unlock Key passphrase (which is the one asked for when booting the configured Default boot option)
            • To set up a new default boot option and associated TPM Disk Unlock Key, navigate to: Options -> Boot Options -> Show OS boot menu.
          • When an “Unsafe boot” is desired, in case you lost your USB Security dongle after updating dom0 and now cannot sign the /boot changes.
          • When selecting the Unsafe boot option, /boot is not verified and the Disk Unlock Key passphrase is not prompted: you are booting a system without its pre-boot security being measured. Consequently, the Disk Recovery Key passphrase is asked for instead of the Disk Unlock Key passphrase, and it should be typed only in a trusted physical location without prying eyes.
        • Consequently, the Disk Recovery Key passphrase should be a Diceware passphrase of at least 6 words, easy to type and remember. Generate one that you can easily build a story around in your head.
          • Example: Exorcism Riverbank Dealmaker Citric Cannabis Tricky Liquid
    9. Would you like to set custom user information for the GnuPG key?:
      1. The proper answer here depends on your projected use case.
        • If you intend to use your USB Security dongle with GPG to encrypt e-mails and other content, you should say Y here.
          • The idea behind setting custom user information is that the final public key generated could be published to GPG key servers, making it easier for people to find your public key. They will search for it with either your known real name or the e-mail address you provide here. That custom user information is used to create such a searchable identity:
            1. Enter your “Real Name”:
              • This is the public identity to which the generated public key will be bound.
                • Example: John Smith
            2. Enter your email@address.org:
              • This is the public e-mail address (valid, already owned by you) to which the generated public key will be bound.
                • Example: john_smith@nowhere.com
            3. Enter Comment (Optional):
              • This distinguishes the key from other public keys created with the same previous attributes, so that someone searching for your public key will find it easily and be able to tell them apart to select the one that works best for their use case.
              • The goal is for a third party to understand the risks associated with encrypting content to you through this public key:
                • Where is the private key kept? Where do the GPG operations happen (smartcard-based, vs. the private key sitting on the filesystem of a device, with the risks associated with that device)?
                  • A third party may decide to use a public key identified as “smartphone” if they consider the message urgent, but might decide that the public key identified as “SmartCard” is more secure and worth waiting for, since decryption/encryption then happens in your SmartCard instead of in an untrusted smartphone’s CPU/memory.
                • Examples:
                  • Good Comment: USB Security dongle secured private key or SmartCard
                  • Other possible distinctive Comments for other use cases: split-gpg-qube, smartphone, air-gapped machine, shared private key across many devices, etc.
        • Otherwise, if you intend to use your USB Security dongle solely to attest the integrity of /boot content and to use the HOTP features of the smartcard to verify the firmware integrity of your computer, you can say N here.
          • You can always re-launch the Re-Ownership wizard later on, without re-encrypting the disk or changing its Disk Recovery Key passphrase, to re-provision your USB Security dongle.
    10. Would you like to export your public key to a USB drive? You should answer Y here (unless you answered N in step 9)
      • This requires you to have a USB drive already prepared to receive your public key. This will make it easier to use that public key later on.
      • If that’s not the case, you can export your public key later from the Options -> GPG menu.
    11. The Re-Ownership wizard re-owns the Security Components defined earlier:
      1. Scanning for USB storage devices…
        • Copies your public key here
      2. Detecting and setting boot device…
        • Boot device set to /dev/sda1
      3. Re-encrypting /dev/sda2 LUKS encrypted content with current Recovery Key Passphrase…
        • This should take less than 30 minutes.
        • The ETA might fluctuate a bit at the beginning, but should stabilize quickly. If you haven’t plugged your laptop into the AC adapter, do it now.
          • The encrypted LUKS container is now re-encrypted (content and Disk Recovery Key changed)
      4. Changing /dev/sda2 LUKS encrypted disk passphrase with new Disk Recovery Key passphrase…
        • The encrypted LUKS container’s Disk Recovery Key passphrase is changed to your chosen one.
      5. Resetting TPM…
      6. Resetting GPG Key…
        • This will take less than 3 minutes, about 1 minute per subkey (authentication, signing and encryption subkeys are being created)
          • The LED of your USB Security dongle will be a steady red; this is because key generation is happening inside the device: the subkeys will never leave it.
    12. The Re-Ownership wizard finishes by showing your selected Provisioned Secrets. Make sure you have noted down all of those secrets.
      • Uppercase/lowercase/spaces are important!
    13. The last screen of the Re-Ownership wizard confirms success.
      • It also states clearly that “After rebooting, you will need to generate new TOTP/HOTP secrets when prompted in order to complete the setup process”. Press Enter.
    14. Device reboots
    15. Error: Heads couldn’t generate the TOTP code. Select Generate new HOTP/TOTP secret
      1. This will erase your old secret and replace it with a new one! Do you want to proceed? Select Yes
      2. Open your smartphone’s TOTP application.
        1. Remove the old TOTP entry
        2. Scan the QR code with the TOTP application, then press Enter when done, as prompted on screen.
      3. Enter your Nitrokey/Librem Key Admin PIN: Refer to your chosen PINs. As asked, you need to enter your GPG Admin PIN here to seal the HOTP secret inside your USB Security dongle.
        1. Note: passphrases typed in the Re-Ownership wizard were echoed back to you on the screen to reduce typing errors.
        2. Under Heads daily operations, passphrases are never echoed back to you.
        3. You will type your passphrases blindly. Remember that you only have 3 attempts before being locked out of the GPG PINs.
    16. You are back on main Heads screen.
      1. Select Default boot
        1. There is no default boot option configured yet. Would you like to load a menu of boot options? Select Yes
          1. Select the first option: Qubes,_with_Xen_hypervisor. This is the dynamic option from the Qubes OS grub configuration.
          2. Confirm the boot details for Qubes, with Xen hypervisor: Select Make default
          3. Do you wish to add a disk encryption to the TPM? Answer y
          4. Encrypted LVM group? Press Enter
          5. Encrypted devices? Type /dev/sda2, then press Enter
          6. Enter disk recovery key: Type your chosen Disk Recovery Key passphrase
          7. New disk unlock password for booting: Choose the passphrase you want to type at each boot. A Diceware passphrase of 3 words is recommended.
        2. Please confirm that your GPG card is inserted: type y
          1. Please unlock the card
            1. This is GPG verbiage, asking you to type your GPG User PIN
    17. Device rebooted. Select Default boot
      • This passphrase prompt is rate limited and will fail after 3 attempts, asking you to boot instead and be prompted by Qubes for the Disk Recovery Key passphrase.
        • The TPM will fall into guard lock mode after too many attempts, in which case you will have to power off and back on (cold reboot) your computer to try again. If TOTP unsealing fails, power off and wait another 10 minutes.
      • When you select Default boot at each boot, this passphrase:
        • Will only boot if /boot integrity validation is successful (detached signed integrity digests are validated against your public key)
        • Will release the Disk Unlock Key only if the following measurements are the same as when they were sealed inside the TPM when you set up your Disk Unlock Key passphrase:
          • The same Heads kernel modules are currently loaded
          • Nothing rogue went to the Recovery Shell and back as part of the boot process (no rubber ducky attack)
          • The LUKS container headers are the same as when the TPM Disk Unlock Key passphrase was set up
          • Your Disk Unlock Key passphrase is valid
      • If at any time you feel like changing your Disk Unlock Key, just go to Options -> Boot Options -> Show OS boot options and redo the above steps to change your Disk Unlock Key passphrase from somewhere safe. Doing so will require you to type your Disk Recovery Key passphrase to set a new Disk Unlock Key, while your GPG User PIN will be asked for to sign your new boot options.
    18. If typing the Disk Unlock Key passphrase doesn’t work:
      • Error Authentication failed (Incorrect Password): You have typed it wrong.
    19. Otherwise Qubes is booting!
      • You can press the Esc key to see the boot process logs on screen.
    20. Once inside Qubes OS, the OEM disk image user’s password is Insurgo. Log in.
      • The Qubes user’s account passphrase will be asked of you to log in and to get out of the screensaver.
      • To change it: click on the blue Q menu in the top left corner of the screen, and select Terminal Emulator
        1. Type: passwd
          1. Type the old passphrase: Insurgo
          2. Type the desired passphrase twice, and note it down. A 2-word Diceware passphrase should be good enough.
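
The passphrase sizing advice in steps 7 and 8 above (2-word Diceware for the GPG PINs and TPM Disk Unlock Key, which lock after 3 bad attempts; at least 6 words for the Disk Recovery Key, which an adversary holding a disk clone can attack offline), as an added example that is not part of Insurgo’s guide: it maps five dice rolls to an EFF-list index and compares online lockout odds with offline exhaustion time. The guess rate and the tiny stand-in wordlist are assumptions, not figures from the guide.

```python
"""Why the guide sizes passphrases by where they can be attacked.

GPG PINs and the TPM Disk Unlock Key lock after 3 bad attempts, so an attacker
gets 3 online guesses. The LUKS Disk Recovery Key protects a disk an adversary
can clone and attack offline, so only its entropy limits them."""
import math
import secrets

EFF_LARGE_WORDS = 6 ** 5  # 7776 entries: five d6 rolls select one word
# Constructed stand-in for the real EFF large wordlist so this runs offline; the
# entropy figures below use EFF_LARGE_WORDS, not the size of this toy list.
DEMO_WORDLIST = ["hanky", "parachute", "blooming", "outfit", "recreate", "anything"]


def dice_to_index(rolls) -> int:
    """Map five d6 rolls to a 0..7775 list index: (1,1,1,1,1) -> 0, (6,6,6,6,6) -> 7775."""
    if len(rolls) != 5 or not all(1 <= r <= 6 for r in rolls):
        raise ValueError("need five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def entropy_bits(words: int, list_size: int = EFF_LARGE_WORDS) -> float:
    """log2 of the passphrase space: about 12.9 bits per EFF word."""
    return words * math.log2(list_size)


def lockout_success_probability(words: int, attempts: int = 3) -> float:
    """Chance that `attempts` online guesses hit a random n-word passphrase
    before the dongle or TPM locks (the guide: 3 bad PINs in a row)."""
    return attempts / EFF_LARGE_WORDS ** words


def offline_years_to_exhaust(words: int, guesses_per_second: float) -> float:
    """Years to try every n-word passphrase against a cloned LUKS header at an
    assumed guess rate (real rates depend on the LUKS KDF and the hardware)."""
    return EFF_LARGE_WORDS ** words / guesses_per_second / (365 * 86400)


def generate(words: int, wordlist=DEMO_WORDLIST) -> str:
    """CSPRNG draw equivalent to rolling physical dice; use the full EFF list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))
```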

Enjoy the most reasonably-secured, user-owned computer in the world!
Insurgo Open Technologies / Technologies Libres