[lug] Installfest next Saturday.

bgiles at coyotesong.com bgiles at coyotesong.com
Mon Aug 21 14:13:51 MDT 2006

I've been checking out the Debian 'etch' installer recently after
accidently frying my hard disk.  There's some very interesting stuff that
the installer barely touches -- stuff that should be kept in mind next

1) Debian now supports encrypted swap with an ephemeral key.  ("ephemeral"
since a random key is selected every time you reboot the system.)  This
should be a no-brainer -- there's a modest performance hit but it ensures
that otherwise encrypted information and keys won't be leaked through the
swap partition.

2) The debian installer now supports LVM (iirc).  This makes it easy to
create the partitions that you know you need to create for security
reasons but haven't since it's a hassle.

Why, again?  So you can mount /home (and everything else but /) as
"nodev,nosuid,noexec" and eliminate a whole slew of attacks.  So you can
keep /var/log in a separate partition so an attacker can't (easily) hide
what he's done by temporarily filling the disk so logging is disabled. 
/tmp should already use tmpfs and "nodev,nosuid" of course. 
(Unfortunately some apps are "clever" and handle some tasks by writing
scripts to /tmp and then executing them.)

3) Debian now supports encrypted filesystems.  It supports encrypted ROOT
filesystems.  There's a performance hit, but that's a tradeoff against the
privacy hit if the disk is stolen.

I think an encrypted root partition is overkill on a home system, but a
lot of people use it on their laptops.  You would definitely want /home
encrypted, or anywhere you work at home.

Most people keep their encryption keys on USB disks.  They just need to
have it plugged in when the boot the system.

You'll still need a separate, unencrypted /boot partition.

4) Which brings us to this one guy....

Basically he was tired of getting hassled at the airport.  The screeners
would let the guys running windows through without a second glance, but
gave him grief since his desktop didn't look right and they had never
heard of Linux.

So he created a disk that would normally boot to a small Windows
partition.  But he also had a USB disk containing a boot image that would
launch an encrypted root partition on the laptop.  The USB disk
undoubtably lived on his keyring, or someplace similarly secure.  It would
take a very knowledgeable attacker to realize that there was anything on
the system other than Windows, and even then they couldn't do anything
with that knowledge.

It probably isn't wise to set up newcomers with encrypted filesystems --
how long will it take them to lose the key?  But everyone should know it's
possible, esp. for laptops, and it probably isn't unreasonable to set up
encrypted swap space by default.

The instructions are in the cryptsetup package documentation.  Basically
just need to change the 'swap' entry in /etc/fstab to refer to 'cswap'
instead of a physical device, then define 'cswap' in the /etc/crypttab
file.  (Or is it the /etc/encryptdisks file?).  Only takes a few minutes.

More information about the LUG mailing list