Towards a moderately paranoid Debian laptop setup [Update]

I was planning to set up my laptop from scratch for a while now... so I did.

Preparation

  • First, go home. No, really! Do all of this at home in a non-hostile, firewalled network. You don't want to be in a crowded place such as a conference where people can shoulder-surf your passwords, nor do you want your network traffic sniffed or MITM'd in a hostile network.
  • Backup all your data! You'll be wiping your whole drive soon, so make sure you have recent, tested backups.
  • Get the most recent Debian-installer ISO image (currently etch-beta3), as well as the MD5SUMS and MD5SUMS.sign files:
    wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/debian-testing-i386-binary-1.iso
    wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS
    wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS.sign
  • Run gpg --verify MD5SUMS.sign, which will fail but tell you the signing key ID (88C7C1F7 in this case). Get the key and re-run the verification: gpg --recv-key --keyserver subkeys.pgp.net 88C7C1F7 && gpg --verify MD5SUMS.sign. The output should now say "Good signature from [...]".
  • Now check the MD5 checksums via md5sum -c MD5SUMS. The output should contain debian-testing-i386-binary-1.iso: OK.
  • As you now have (somewhat) verified the integrity of the ISO image, burn it on a CD-R: wodim debian-testing-i386-binary-1.iso.
  • Put trusted versions of some files on a USB thumb drive (or CD-ROM); at least a firewall script, but maybe also your bashrc, bash_logout, inputrc, vimrc, muttrc.
  • Disconnect your laptop from any kinds of networks. Pull all ethernet cables. Disable WLAN (via hardware killswitch). Disable Bluetooth. Disable/remove Firewire, USB, serial, whatever.
  • Put on your tin-foil hat (optional).

BIOS

  • Set a good BIOS boot password (which you need to boot any OS). Set a (different) good BIOS boot setup password (which you need to enter the BIOS).
  • Disable all boot possibilities in the BIOS, except for CD-ROM. This means it should not be possible to boot via USB, hard drive, network, PXE, Firewire, floppy, whatever. The BIOS setup password helps to prevent tampering with this setting.
  • Finally, never rely on BIOS passwords alone for security! They can often be circumvented very easily.

Installation / Setting up full-disk encryption using dm-crypt

  • Insert the installer CD and boot in expert-mode (don't hit ENTER when you boot, but rather type "expert").
  • As for networking: select "Do not configure the network at this time". We'll fix and enable networking later.
  • Partitioning:

    • Select manual partitioning. Remove all partitions (if any). Create a 100 MB /boot (ext3) as primary partition, and make the rest of the hard drive one huge partition which has "Use as:" set to "physical volume for encryption".
    • The standard options for cipher, key size, IV mode etc. should be fine (AES, 256 bit, CBC-ESSIV-SHA256, dm-crypt).
    • After the erasing is done (this is important!), use the whole encrypted space as "physical volume for LVM". Then select "Configure the Logical Volume Manager". Create one big volume group and a bunch of logical volumes for the various partitions we'll use (lv-root, lv-usr, lv-var, lv-tmp, lv-swap, lv-home).
    • It is extremely important that your swap space is encrypted (in this case it is, as all partitions except for /boot reside on a dm-crypt device)! Never set up unencrypted swap!
  • Enable shadow passwords. Allow login as root (I feel confident that I won't do stupid things as root).
  • Choose a good root password, and a (different) good user password. Don't enter a full name for the user.
  • Choose the latest kernel (old kernels might have security issues). Do not participate in popcon.
  • Do not install any tasks (no "desktop", no "base system"). We want the smallest installation possible, and add only the packages we really need. Fewer packages means fewer security issues (statistically).
  • That's it. Eject the CD-ROM, reboot, change the BIOS to only allow booting from hard drive.

Post-installation tasks

  • Enter the USB thumb drive, copy all config-files to /root and /home/uwe. Log out and log in again to make ~/.bashrc and ~/.inputrc take effect.
  • Enable the firewall: mkdir /etc/rc.boot && cp fw_laptop /etc/rc.boot && chmod 700 /etc/rc.boot/fw_laptop && sh /etc/rc.boot/fw_laptop
  • Shut down all networked daemons (if any): /etc/init.d/foo stop.
  • Tighten home-directory permissions: chmod 700 /root /home/uwe.
  • Edit /etc/passwd: give all users except for root, sync, uucp and your user account /usr/sbin/nologin as login shell. None of these accounts really needs a valid login shell (nologin will log any login attempts for those accounts).
  • Edit /etc/group: remove your user account from the dialout, cdrom, and floppy group. The groups audio, video, and plugdev can stay.
  • Edit /etc/fstab: add some mount options such as ro, nosuid, noexec, or nodev as you see fit. Example:
    /dev/mapper/vg--whole-lv--root /     ext3 defaults,errors=remount-ro      0 0
    /dev/sda2                      /boot ext3 defaults,nodev,nosuid,noexec,ro 0 0
    /dev/mapper/vg--whole-lv--home /home ext3 defaults,nodev,nosuid           0 0
    /dev/mapper/vg--whole-lv--tmp  /tmp  ext3 defaults,nodev,nosuid           0 0
    /dev/mapper/vg--whole-lv--usr  /usr  ext3 defaults,nodev,ro               0 0
    /dev/mapper/vg--whole-lv--var  /var  ext3 defaults,nodev                  0 0
    /dev/mapper/vg--whole-lv--swap none  swap sw                              0 0
    /dev/scd0 /media/cdrom iso9660 noauto,nodev,nosuid,noexec,uid=uwe,gid=uwe 0 0
    
  • If you have read-only (ro) file systems, configure Apt so that it can remount them read-write when installing/removing packages. Add this to /etc/apt/apt.conf:
    DPkg
    {
      Pre-Invoke { "mount -o remount,rw /usr; mount -o remount,rw /boot"; }
      Post-Invoke { "mount -o remount,ro /usr; mount -o remount,ro /boot"; }
    }
    
  • Fix the GRUB configuration. Replace the "password foo" line (which contains the GRUB password in plain-text) from your /boot/grub/menu.lst with a "password --md5 $1$1234567890..." line, where the MD5 hash ($1$1234567890...) can be generated with grub-md5-crypt. Additionally, add such a password line after each "title" line in the GRUB config-file, so that nobody can boot any OS installed on the laptop without a password!

Networking, Upgrading and Apt-secure

  • Now that we have a small, hardened system, it should be reasonably safe to enable networking. Add this to /etc/network/interfaces:
    auto eth0
    iface eth0 inet dhcp
      pre-up /etc/rc.boot/fw_laptop
    

    Run /etc/init.d/networking restart. The firewall script will run every time the network is started.

  • Now add this (tweak as you see fit) to /etc/apt/sources.list:
    deb http://ftp.de.debian.org/debian unstable main
    deb-src http://ftp.de.debian.org/debian unstable main
  • Time for upgrading: apt-get update && apt-get dist-upgrade. All packages are GnuPG-signed and will be verified by Apt. The installer already ships the required key (for 2006), so everything should just work. Still, you should read about SecureApt.
  • Install the rest of your system now, and restore your data from backups.
  • Use sysv-rc-conf to disable all daemons you don't want to start per default: sysv-rc-conf foo off.
  • Install and set up Samhain (or any other file integrity checker): apt-get install samhain. You want to be notified if your system files are being tampered with (e.g. replaced by a rootkit).
  • Install and configure Tor for anonymous browsing. More details here.
  • Install and configure more security-related programs, e.g. logcheck, snort, rkhunter, chkrootkit, tiger, sxid, etc.

SELinux

Now install and set up SELinux. This section is based on notes from Erich Schubert (thanks!), and will soon appear in the SELinuxSetup wiki page, too.

  • Install the base packages and an SELinux policy: apt-get install selinux-basics selinux-policy-refpolicy-targeted.
  • Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line to enable SELinux upon booting.
  • In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same in /etc/pam.d/ssh if you have ssh installed.
  • In /etc/default/rcS set FSCKFIX=yes.
  • In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then rm /var/run/motd.
  • If you have exim installed, you must either install postfix or write an exim policy, as none currently exists. But even postfix needs some fixing (no pun intended ;-). Disable chroot-support (change all "chroot" fields to "n" in /etc/postfix/master.cf and execute echo 'SYNC_CHROOT="n" >> /etc/default/postfix').
  • Use check-selinux-installation to check for common SELinux problems on Debian (such as the above mentioned).
  • touch /.autorelabel. Reboot. touch /.autorelabel (again). Reboot (again).
  • Done. You should now have a working SELinux system. If no critical audit errors appear and you feel comfortable with SELinux, enable enforcing mode via setenforce 1 or by adding enforcing=1 to the kernel command line in /boot/grub/menu.lst.

Behaviour

  • Never leave your laptop unattended!
  • Always lock your terminal (using vlock) when you move more than 30 cm away from the laptop!
  • Don't run insecure and/or closed-source software (which you can never trust!). No NVIDIA/ATI drivers, no VMware, no Google Earth, no Flash Plugin (except for Gnash maybe), no Adobe Acrobat. You get the idea.
  • Keep the number of installed packages small and try to configure each of them as secure as possible.
  • Never enable networking or WLAN or Bluetooth if you don't absolutely have to.
  • Trust no one. Don't let other people use you laptop, don't give out shell accounts.

Further ideas

  • The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS). Sign/mark the CD-R physically, so you'll know when someone replaced your CD-R with his own, back-doored one.
  • Another idea is to use an additionaly USB thumb drive or CD-ROM or smartcard for two-factor authentication.
  • Install another Debian into a QEMU image. Use it as a sandbox for stuff you don't trust: qemu -snapshot -net none foo.img.
  • At all costs, disable Firewire! If possible via hardware or BIOS, or at least don't load the drivers and/or fix them (page 19).
  • Replace the proprietary, closed-source BIOS with LinuxBIOS, if possible.

That's it. You can take off that stupid tin-foil hat now.

Update 2006-09-29: Fixed typos. Mentioned sxid. Added two-factor authentication.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Uwe: Don't you think it's

Uwe:

Don't you think it's time to an not-so-moderated paranoid Debian 5.x laptop setup?

I've my tin foil hat ready!

HOWTO

Maybe I'll update the HOWTO a bit, but there's no need to write a new one, the instructions are pretty much the same for newer Debian versions.

Enable password in the menu.list

Hi. I got a question. I tried following what you said about putting a password under every title in the menu.list then upon reboot it does seems to put security having to type the password first before you can login to whatever OS installed in your box. But how come I can edit the menu list and delete the line with the password and successfully boot the box before typing the password? Does it suppose to do that? Isn't the password suppose to prevent access to your box? Or, did I miss something?

Nice

Now I know what "sightly paranoid" is meaning :-)

Consider filling your laptop with epoxy for a more difficult physical access (but I guess this would result in overheating problems)
For me, encrypting home + swap is enough. I just came to your site to figure out how I can block the firewire DMA access.

But if I ever need a PC for developing my world dominion plans, I will come back to your HOWTO.

Coldbooting will crack HD encryption

It should be noted that, unless the machine has been powered OFF (or hibernated, not suspended) for at least several minutes, it is possible for a determined attacker to overcome any disk encryption by cooling/freezing the RAM modules, transferring them to a different machine and looking for the disk encryption (session) key.

This will obviously render all the nice paranoid tactics void. So make sure you don't leave your machine unattended in a hostile environment unless it has been powered down for at least a few minutes (a few more in winter :-).

PDF of a research article demonstrating the technique

Another ways to get a encrypted filesystem

First of all, very good and complete tutorial! Congratulations.

Now if you want to encrypt only a partition or make a encrypted filesystem over a file you can read this:

How to create a LVM encrypted partition

How to create a portable encrypted file system on a loop file

Further ideas - Boot from CD-R

"The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS)."

Do you know a detailed instruction, how to boot a LUKS-encrypted system (even /boot partition is encrypted!) from CD-R?
Thank you.

I was able to get my boot

I was able to get my boot partition on cdrom by loosely following the instructions found at http://pusling.com/blog/?p=25

Now I'd just like to figure out how to have the Passphrase read from the cdrom so I don't have to enter it during startup. Does anyone know how to accomplish this?

Passphrase from CDROM

No, but I don't think you want that, it'll make the whole procedure less secure. Anybody who gets that CDROM in his fingers has access to your encrypted files!

Uwe.

luks passphrase

hmmm... putting the partition and passphrase on a cdrom is probably a bad idea. But is it much different than having the passphrase on a usb stick? I think having some kind of way to read a passphrase from somewhere besides the keyboard would be a good thing. Entering a 20 character passphrase on a laptop seems a bit impractical but automatically reading it from somewhere does not. Do you know if there are any plans to support this sort of thing in the future. If it's not a horrible idea (or a less than good one), it would nice to see in the debian installer.

Installed it, but get Boot Error on boot, though the stick is bo

Hi:

I did something akin to this, though the easier way I think. Installed debian from a netinst CD to a USB stick. Made an unencrypted boot partition and an encrypted partition, using LVM. Installed the system to it.

Then ran:
install-grub --recheck /dev/sda
ran fine...
then in grub ran:
root (hd0,0)
setup (hd0)
ran fine...
Then ran update-grub.
Checked the /boot/grub/menu.lst on the stick, is fine.

But upon boot with the USB inserted, the system halts with a Boot Error.

The USB is bootable though, since I checked prior to install by putting a DebianLive image on it, and it would get me to the Grub menu. But here I don't get to the Grub menu.

The system is there, I can mount the lv's by hand etc.

So how can I make the USB bootable properly and get to the Grub menu upon boot?

check-selinux-installation on current debian sid

Tanks for the vital info about selinux installation.
But on the current debian sid I got a little problem with the motd check of the check-selinux-installation script. Now it checks /etc/default/rcS for the variable EDITMOTD=no.
I added this line in addition to the recommended steps in your tutorial.
So it passes the test and avoids a misleading error message.
Maybe this will be helpful for other selinux users.

The Tin Foil Hat

Er... thanks, I think I'll keep the hat on,
these days you never know!!

Citizen Jimserac

Hello, It is a nice tutorial

Hello,

Nice tutorial (and a interesting blog I read frequently).

I have just try it when reinstalling my workstation, but I got a problem in the first steps.

I created a big partition on my disk for use as "physical volume for encryption" then in the same menu I did an erase of the data.
The problem is to create an LVM physical volume: I need to change my partition from "physical volume for encryption" to "lvm physical volume"... I can't do an LVM VG on an encrypted volume... or at least I don't understand how to.

To be sure, I reboot on a SystemRescue CD and checked that I can mount my LVs and read its contents.

What did I miss?

eric

I got it!

Okay, I finally found how to do the setup. After creating a partition for encryption, you must go on 'configuration for encryption devices' (or something similar), there you format the partition and define your LUKS passphrase, and finally you can create physical device for LVM on top of this encrypted device.

Now, one remark, it's not possible to create a key for this encrypted partition and to store it on a usb key for example?

encryption keys

Hm, good question. It's possible with plain cryptsetup I think, not sure if the Debian installer has an interface for this, though...

Uwe.

For sure, it's possible to

For sure, it's possible to store encryption keys on an usb key. I use it on my ubuntu laptop with a /home encrypted and an automatic decryption/encryption when inserting/retrieving my key (udev rule). But i'm using dm-crypt without Luks...
For the Debian installer, it seems to not be possible (only passphrase and random key which I don't understand how it works (where is it stored?)), I'll fill a bug/wish :)

eric:

dm-crypt without LUKS

I would not recommend using dm-crypt without LUKS, that has some considerable cryptographical weaknesses compared to dm-crypt+LUKS (don't remember the details right now)...

Smart (card) acces.

did you read this[1]?
it seems funny, and also enough parano... ops, virtuos

[1] http://www.pumuki.org/?p=23

an already working system

is it possible to encrypt all partition in a already working system? i mean without formatting all (expecially /home/myuser) partition

an already working system

Not easily, I guess.

And to be honest I wouldn't attempt it, even if it was possible somehow. This is a major undertaking so you definately want a full backup of all your data on some external medium. Otherwise, if something goes wrong you're in big trouble...

Uwe.

But you dont use suspend?

I would like to have a encrypted root - currently having only a encrypted /home because (read: I am lazy) it is not that simple to get a encrypted / with suspend2. Any hints especially with SUSE?

Reg. BIOS password - May be I am happy in my pavilion HP laptop the bios password is erased (reset) if I remove the RTC battery.

suspend + encryption

Actually, no. I've never used suspend. I'm not sure if it's possible to use it with disk encryption.

Anyways, if you just encrypt your /home you still leak a lot of information you probably don't want to. At a minimum, I'd also encrypt swap. You can find GPG keys, ssh keys, root passwords and all kinds of other stuff in swap space, so this is an absolute must!

Uwe.

loop-aes?

Uwe, it's great :), but why haven't you used loop-aes instead of dm-crypt, when it's supposed to be more secure?

loop-aes vs. dm-crypt

Well, I don't know whether loop-aes is more secure than dm-crypt (and this depends on your definition of "more secure" anyways).

Who said loop-aes is supposed to be more secure? What are the reasons?

Uwe.

You said it once, for

You said it once, for example (last comment). :)

http://www.hermann-uwe.de/blog/howto-encrypted-usb-thumb-drives-and-usb-hard-disks-using-loop-aes

But here's a better page for the issues in dm-crypt:

https://docs.indymedia.org/view/Local/UkCrypto

Loop-AES vs. dm-crypt

Ah, well, I'm talking crap :) But seriously, I said "is said to be more secure", probably because I read/heard that somewhere at that time, but that may have been crap.

As for the best solution, I cannot tell. I know for sure that the old cryptoloop is broken and insecure. Don't use it. Don't use dm-crypt without LUKS either, that has some known problems.

Whether loop-AES (used correctly), or dm-crypt+LUKS is better or more secure I cannot tell.

Uwe.

suggestions

Regarding BIOS passwords, they aren't much use. I prefer to have machines boot without a BIOS password to prevent them from locking me out. A password for BIOS setup is useful.

I prefer to encrypt on a per-partition basis. I encrypt swap with a random key which is discarded. Some partitions don't have secret data and don't need encryption (mount with noexec,nodev).

I don't think that read-only filesystems provide any security benefits. As a general rule the access level required to write to the files in question is the same as that required to remount the filesystem.

USB devices work well for booting laptops and will fit into your pocket much more easily than CD-ROMs. Laptops from the Pentium2-600 days claimed to support booting from USB but unfortunately it seems that laptops with USB-2.0 support are needed for this.

Disabling USB drivers is a good idea. Is there a convenient way of disabling all USB drivers other than the mass-storage driver which is needed for updating the boot device?

As has been suggested a USB device for logging in is a good idea.

Finally I think that Xen is a good option for sand boxes, maybe not as secure as QEMU though. If you want a really secure sandbox then a S/390 installation running under Hercules will work well (I know someone who does this).

suggestions

I personally like BIOS passwords. They add another barrier. A rather weak one, but it's better than nothing.

As for read-only file systems, you're probably right. SELinux should provide most (probably even more) "features" you gain from read-only file systems.

USB thumb drives are nice if you can boot from USB, but my main problem with them is that they're not read-only. As for CD-ROMs I plan to use the small ones which only hold 200 MB or so (not sure what they're called). They should be small enough to be carried in your pocket.

Disabling USB drivers is probably not easily possible with the stock Debian kernel. I'd compile a custom kernel (or re-compile the Debian kernel) which doesn't have any USB modules, and only USB mass storage compiled in.

A USB thumb drive with (parts of) a key file would be a nice addition. Something like that could enable you to use two-factor authentication (password + key on USB thumb drive; neither one is sufficient, both are required).

I didn't know about Hercules, but it sounds pretty interesting so I'll check it out (but more for esoterical reasons :) How or why is Hercules more secure than Xen or QEMU for sandboxing?

Cheers, Uwe.

Nice tutorial! A bit

Nice tutorial! A bit over-cautious for me, though:)

Paranoia

Paranoia is a virtue :)

gnunet

Lot's of those should be Debian defaults... Anyway, you might want to also consider to user gnunet, besides tor, for things that need a system that is anonymous, secure and censorship-resistent.

GNUnet

Yep, definately, GNUnet may be worth checking out. I usually don't need censorship-resistance on a daily basis, though :) However, I do want to retain my privacy at all times, that's why I use Tor.