No subject
Sat Mar 8 23:45:06 PST 2008
Depending on how paranoid you are, there are multiple approaches to this.
Since you seem to be about as paranoid as I am, I will share with you my
ultimate setup.

Use the Gutsy alternative disc for installation. With this, you can set up
encryption. Have the /boot as ext3, which is a USB thumb drive. Partition the
entire disk for encryption. Use LVM to break the partition into your various
working partitions (swap, /, /var, /home etc.)

From there, install normally. Use the BIOS locking trick as Tom recommended
and set it to always boot off of the USB. Have a script set up such that your
/boot partition is unmounted after the rest of the system is loaded, and
have it tethered to your keychain or whatever mechanism works to keep you
from leaving it in your machine (or anywhere else for that matter).

To take it to the next level, I recommend using an OpenPGP card for the
generation and storage of your private keys rather than keeping them on your
unencrypted USB stick. (Requires a smartcard reader and pcsc or ctapi in
your kernel)

To take it to the *next next* level, get one of those cheesy "Wireless PC
Lock" toys and use it to trigger a script that locks your GNOME/KDE session
as soon as it loses sense of the fob.

On another note: due to a known root level exploit, I also recommend
disabling FireWire altogether.

Gotchas:

1) The kernel image stored on your USB stick is now your weak link. Guard it
carefully.
2) Once the system is first set up, unmount your boot partition and mount it
as something else...copy the entire contents to the /boot directory in the /
partition...whenever you upgrade anything that affects your kernel, be sure
to copy it over to your USB stick...messing up your kernel image could make
for an unpleasant surprise.
3) Keep a TrueCrypt backup of all of your data on another drive or on the
cloud somewhere...just in case.
4) I have not thought of a useful way to auto-lock or log you out of any
ttys that you may have open, so keep that in mind. (Suggestions here are
welcome/requested)
5) I'm sure this still leaves you vulnerable to the "spray the ram with
freon and put it in another laptop" attack...the only recommendation I have
for this is to strip out the heads to the access plates for your laptop RAM.
(If you simply lift the keyboard up to get at it then you're SOL.)

Share and Enjoy.

- Erich

--
"A man is defined by the questions that he asks; and the way he goes about
finding the answers to those questions is the way he goes through life."
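
An added example, not part of the post above: one way to act on gotchas 1 and 2 is to compare the /boot copy kept on the encrypted root against the USB stick by SHA-256, so a stale or altered kernel image on the stick is noticed. The mount point /mnt/usbboot, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# TRUSTED is the copy of /boot kept on the encrypted root (gotcha 2);
# USB is wherever the stick's boot partition is mounted (path is an assumption).

# Print "sha256  ./relative/path" for every regular file under directory $1.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_boot TRUSTED USB
# Prints CHANGED/EXTRA/MISSING lines describing the stick relative to the
# trusted copy. Returns 0 if identical, 1 on any difference, 2 on bad input.
compare_boot() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    report=$(
        {
            boot_manifest "$1" | sed 's/^/T /'   # tag trusted entries
            boot_manifest "$2" | sed 's/^/U /'   # tag USB entries
        } | awk '
            # Line layout: tag, space, 64 hex digits, two spaces, path.
            { hash = $2; path = substr($0, 69) }
            $1 == "T" { want[path] = hash; next }
            !(path in want)    { print "EXTRA " path; next }
            { seen[path] = 1 }
            want[path] != hash { print "CHANGED " path }
            END { for (p in want) if (!(p in seen)) print "MISSING " p }
        ' | sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run directly as: sh check-boot.sh /boot /mnt/usbboot
if [ "$#" -eq 2 ]; then
    compare_boot "$1" "$2"
fi
```

Because the reference copy lives on the encrypted volume, a reported difference means the stick was changed or was not updated after a kernel upgrade.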
More information about the sf-lug
mailing list