Installing the LineageOS distribution on a Nexus 6 as a base for hardening has become very easy and takes only a few minutes w/ adb and fastboot (part of the android-sdk) already installed on your POSIX machine.
- Enable USB Debugging in the phone settings
- Connect device and check by running adb devices -l
- Reboot into bootloader: adb reboot bootloader
- Again, check connectivity: fastboot devices -l
- Unlock the bootloader:
fastboot oem unlock (bootloader) slot-count: not found (bootloader) slot-suffixes: not found (bootloader) slot-suffixes: not found ... (bootloader) Please select 'YES' on screen if you want to continue... (bootloader) Unlocking bootloader... (bootloader) Unlock completed! Wait to reboot
- Flash recovery:
fastboot flash recovery twrp-3.3.1-0-shamu.img (bootloader) slot-count: not found (bootloader) slot-suffixes: not found (bootloader) slot-suffixes: not found (bootloader) has-slot:recovery: not found target reported max download size of 536870912 bytes sending 'recovery' (11887 KB)… OKAY [ 0.393s] writing 'recovery'… OKAY [ 0.171s] finished. total time: 0.564s
- Select Recovery Mode and reboot into TWRP
- Backup existing ROM (system partition) onto USB-OTG
- Install LOS: Wipe/Factory Reset, then install – e.g. using adb sideload – a) LOS b) OpenGapps c) addonsu
Note about encryption: When running LOS 15.1 and TWRP 3.2.3, encrypting the device results in a completely unstable O/S. When running LOS 16.0 and TWRP 3.3.1, encrypting the device works, resulting in a usable O/S. However, TWRP is still not accepting the FDE password thus unable to mount /data.
So, after having flashed the device, now is the time for further hardening of the device by installing a local firewall ruleset like AFWall+, VPN software like WireGuard, Firefox Klar/Focus, K-9 Mail, OpenKeychain, SnoopSnitch etc. and creating a backup using TWRP.
Also, sort of circumventing the previously mentioned encryption problem would be easily possible and can be achieved by first creating a fresh TWRP backup and subsequentially encrypting the device. Think of this becoming handy right before travelling abroad, but remember that afterwards you should a) WIPE the device using TWRP (w/o unlocking data) and then b) reflash the last backup to be able to create fresh backups from time to time.