Re: [Trisquel-users] How simple/complex is your installation process?
Sounds great, count me as a Stable user! Apparmor demands some more education than Firejail (which can be applied system-wide, it seems). Grsecurity even more (even if I don't compile it, but it seems the version in the repo is buggy, according to root_vegetable). And it seems I'm barely scratching the surface here (see post #5): https://ubuntuforums.org/showthread.php?t=2338868 and from the same post: https://www.debian.org/doc/manuals/securing-debian-howto/ I don't really care that much about security, but this is helping me understand computers a bit more. Most likely I'll start with Firejail, then keep on learning bit by bit. But not everything is worth setting up, I'm sure. For example, setting a GRUB password, or preventing hardware flashing of Libreboot is a bit extreme.
Re: [Trisquel-users] How simple/complex is your installation process?
I have been using stable ever since the first day it came out, I used briefly testing but I like more stable for you set it and forget it, never an issue, crash or bug :) With the combo firejail/apparmor I think it would be extremely difficult for anyone to exploit your browser, even with js turned on, but I may be wrong. Anyway security (lack of) is just one of many reasons I don't like js and so I don't really have the dilemma, I keep it off.
Re: [Trisquel-users] How simple/complex is your installation process?
One more reason to try the backports, plus I'm not sure I'm ready for Sid (or that I need it). Thanks for this! Well, with firejail/apparmor/grsec, or firejail only, is it really needed to disable Javascript? I mean sure, some data can still be stolen (still in a limited way), and it would allow some pages to work better.
Re: [Trisquel-users] How simple/complex is your installation process?
>Firejail not being even in Debian's repo, I'll pass for now. Firejail is in: sid, testing and **jessie-backports** I installed it from backports, it's great, the thing can sandbox anything and it couldn't be easier to use. >Do you have better ideas for this? Specially for sandboxing the browser With the firefox profile already tuned very well in /etc/firejail it is as simple as: firejail firefox >malicios script https://noscript.net >have access to more than the browser Here is what my firejailed seamonkey has access to in /home: /home/.config/dconf /home/.config/gtk-2.0 /home/Downloads/ /home/.mozilla /home/.cache/mozilla/
Re: [Trisquel-users] How simple/complex is your installation process?
Ok, So here's my list again: - full disk encryption is a bit advanced (partitionning, LVM, switching to a tty to modify GRUB), but accessible to me (minus the keyfile to avoid typing the passphrase twice). Otherwise, encrypting home and swap should be a relative breeze for a beginner. - Sandboxing programs from the web: Firejail not being even in Debian's repo, I'll pass for now. Apparmor seems rather complicated. Same for a virtual machine, or Wine if it can work that way for native programs. Grsecurity is clearly overkill (might be worth it for a server though). - kernel update is only needed if some hardware is not supported bu the current one. - re-installing programs: exporting a list from Synaptic looks like the easiest way. but before that, I needed to install with apt-get, and the option --no install recommends (after getting my ethernet interface running in DHCP): - Wicd for wifi (less headaches with a GUI sometimes) - Synaptic - xorg of course - some window manager/desktop environment - Backup: DéjàDup or Back in Time are most likely the easiest programs. I guess I'll partition a huge external drive so I can have a backup partition, and a storage partition for personal data I don't access every day (and ecrypt the whole thing of course). - Config files: It's OK to just keep the Home folder with all these, but there are also tons of weird text files that accumulate which I most likely don't need. So with this one, I do it by hand for now. Do you have better ideas for this? Specially for sandboxing the browser (I might need JavaScript on occasionally, but I don't want a malicios script to have access to more than the browser (not even the bookmarks actually). The rest is pretty much aesthetics/workflow preferences, which is personal to each user. For example, I like my display to be minimal, and I want to use the keyboard instead of the mouse whenever possible, and that's what I did. It implies learning a few shortcuts per program, but it's an investment. Plus there's always the man command.
Re: [Trisquel-users] How simple/complex is your installation process?
I found this to be interesting: https://ubuntuforums.org/showthread.php?t=1712826 That means all packages are minimal. But let's say that for some reason, I nstall a package with apt-get, will it appear in the exported list?
Re: [Trisquel-users] How simple/complex is your installation process?
> However, I am not quite sure how! Something I did was to only have that line in /etc/crypttab: cryptswap1 /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256 Yeah, the line is here too.
Re: [Trisquel-users] How simple/complex is your installation process?
Why do you make a /home partition by hand since one is automatically made when only setting root and swap? So right after you get a failure message, you switch to a tty? I'll try that. If I can make this work, it's a huge time saver, thanks for the tip! The Pavel Kogan link still gives me a headache though, but it's non-vital stuff, I'll take my time and try to make it work.
Re: [Trisquel-users] How simple/complex is your installation process?
That's a fast and easy way to transfer a favorite list of programs, which I've already tried thanks to you. But now I'm willing to make an effort to write a small install script with --no-install-recommends as an option, and thus not having to install Synaptic. So you did grep yourpassphrase ? Or are there more parameters to put in ?
Re: [Trisquel-users] How simple/complex is your installation process?
Thanks SuperTramp, it indeed does look like the full disk encryption covers everything but /boot (by default).
Re: [Trisquel-users] How simple/complex is your installation process?
>Well, hard to be easier Yeah :) to check do a lsblk, the swap partition should display something along the lines: ├─sda5 8:50 1.9G 0 part │ └─cryptswap1 254:00 1.9G 0 crypt [SWAP] cheers
Re: [Trisquel-users] How simple/complex is your installation process?
Sorry I didn't make time to answer to all yet, but quickly this: https://wiki.archlinux.org/index.php/disk_encryption#Data_encryption_vs_system_encryption It suggest to (at least) take care of /tmp and /var, and all this is only for online tampering.
Re: [Trisquel-users] How simple/complex is your installation process?
Sure :)
Re: [Trisquel-users] How simple/complex is your installation process?
A few months ago I encrypted /home and /swap. You can very easily encrypt your swap partition, Magique. The performance hit (due to encryption) on my 2004 potato is barely noticeable. Hack: FDE means the swap partition will be included (encrypted) AFAIK.
Re: [Trisquel-users] How simple/complex is your installation process?
I don't make a separate boot partition while installing. Instead, I make a root partition, home partition, and swap partition on an encrypted LVM. When the installer tries to install GRUB, it fails. Then I switch to a tty to add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub, after which the GRUB installation can be tried again and should succeed. The Pavel Kogan link just puts a keyfile in your initramfs so that after GRUB loads the kernel, the kernel will use the keyfile so that you don't have to enter your password twice.
[Trisquel-users] How simple/complex is your installation process?
Mine is (to me) complicated, and takes a lot of time. Ideally, I want to automate as much as I can to make it simpler at least. I choose full disk encryption (I don't know if swap is covered, so I might need dmdecrypt or something. Yet another thing to check). Because other partial encryptions are just that, partial. Might as well not other with those. This in itself is long and complicated. I need an additional unencrypted /boot folder, and make GRUB point at it. For the rest, I use Libreboot's guide (which includes swap, so I shouldn't need dm-decrypt in theory). I also need to not make a root user, create a username+passphrase, an encryption passphrase, and maybe I forget one. Then I choose to encrypt /boot, because either I encrypt everything, or I don't. I want to try this, but that's another set of complex manipulations: http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/ But that would be fine without taking backups into account, like here and here (rather hard to understand): http://linuxgazette.net/140/kapil.html https://debian-administration.org/article/692/Look_before_you_leap_into_Disk_Encryption Then I might want to update the kernel, which seems straightforward. But that's yet another step. Not vital, but not to long. The more extreme aspect would be to compile one with grsecurity. The less complicated aspect would be to set up apparmor and firejail foor every app. I could try an additional bit for not having to type the decryption passphrase twice (again, not easy even to understand): http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/ And then there is the easier/fun part about installing software, which might need a couple of tweaking. Maybe after a month I can finish my install... Else I can encrypt nor backup nothing and live dangerously, but have my system running in half an hour. I might want to setup a VM, just to run a browser with javascript when needed (maybe Firejail/apparmor is enough for this). So grsecurity aside, full disk encryption including /boot+backups seems essential to me, yet very hard and long to do. How do you do it (if you do it), and is there another way (scripts maybe)? It's really a lot of hard work and time, but maybe I'm doing something wrong.
