---
title: "Secure Linux Setup"
date: 2023-04-12T11:53:13+02:00
---
This post is dedicated to the ones that have been in the Linux game for years
now or have just started experimenting, but do not have a very secure system.
But wait, what do I mean by secure? Well, a lot of factors determine how
secure your system is. And by no means am I claiming that this will be a guide
to perfect security, let alone perfect anonymity. That is simply because you
cannot be a hundred percent secure and anonymous online. It is a fact. What I
want to teach you with this post is how to increase your anonymity, how to
increase your security, and how to make your life easier in case something bad
happens to your data.

Throughout the post you may notice how nicely all the security practices
connect, one depending on the other, creating a nice security framework
for your computer.

First off, you have to understand how important data is. You need to have a
reason to hide or protect it. The reason usually comes after some time, when
you realize how much surveillance is happening on a tick-per-tick basis. The
chance of you giving a shit about your data can be even lower if you are
still a teenager. After you get a job, mature, and realize how cruel the world
is, you will start caring much more about freedom in general. And so you
should about Internet freedom, privacy, security, etc.
## 1 Passwords
Let's talk ~~basics~~ passwords. They are not that simple to deal with. I know
that. We all do. And so, let's make it easier with a concept that you are
already familiar with: password managers. No, I am not going to be selling you
a password manager, or telling you about this awesome service that helped me
stay secure for the past X years. Keeping your credentials on a third-party
service is not even a good option, as you can see
[here](https://www.youtube.com/watch?v=cRsn0PlnuvM). I am going to give you an
open-source tool that has made my life easier when dealing with passwords. You
are free to find alternatives, but for me, this was the best I was able to
find.

It is called [KeePassXC](https://keepassxc.org/). It is cross-platform and you
can run it on Linux, which is exactly what we need. Passwords are stored in
a file called a database, which contains groups. A group can contain either
more groups or simply passwords. The whole database is by default encrypted
with the industry-standard AES-256 and a key provided by the user (make sure it
is a long one that you can remember).

For more security, the user is advised to distribute passwords across multiple
databases. For example:
- VMs database: passwords regarding all VMs on the user's computer (VM's
encrypted disk, users, etc.)
- Hardware database: passwords regarding user's hardware (encrypted USB keys,
hard drives, etc.)
- Social database: passwords regarding social media
- Finance database: passwords regarding finance (bank accounts, crypto
accounts, etc.)
- Work database: passwords regarding your work
## 2 VMs (Virtual Machines)
Virtual machines are so underrated for desktop usage. And that is sad, because
they are so flexible and useful when it comes to security! Example of a VM
security framework:
- Gaming VM: strictly used for gaming
([#moreinfo](https://www.youtube.com/watch?v=BNLnTCqUMyY))
- Work VM: strictly used for work stuff
- Social VM: strictly used for social media
- ...
> Hint: notice how password databases can now be isolated across your VMs. So
> each VM has only the passwords it needs.
## 3 Backups
Backing up important information is essential, especially if your income
depends on it. This might include the password databases I have mentioned
earlier, high-importance VMs, pictures, projects, work, presentations, plans,
goals, etc. First, if you have some money to spare, invest 100-200 dollars into
backup disks, because you are gonna need them. Otherwise you can simply try to
get them over a longer period of time, or back up your things to USB sticks.
After that, you have two options:
- Find some backup tool that does all the hard work
- Script your own tool - giving you more freedom to customize the backup
system

In my case specifically, I like designing the structure of my computer. And so,
I created [my own
script](https://gist.github.com/0xdeadbeer/1393329c9d08b858befe384cbf1e2142).
You can use it if you want. With that step done, you have to automate the
process of calling this tool X times per day. X may depend on how you design
your backup system, but for me 2 to 3 times each day is more than enough.
> Hint: such automation is usually achieved with
> [cronjobs](https://victoria.dev/blog/a-cron-job-that-could-save-you-from-a-ransomware-attack/).

Another cool thing you can do is self-host a server and send backups over
there. Or even better, agree with more people to host a server somewhere and
each have your own copies over there. Of course, do not forget about encryption
and access permissions ;)
> Hint: backups over network can be achieved with
> [rsync](https://linux.die.net/man/1/rsync) or [rclone](https://rclone.org/)
> as far as I know.
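One way to script and schedule the backup described in this section, as an added example rather than the author's linked script. The function name `backup_dir`, the default retention of 6 archives and the paths in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example. backup_dir, the default retention of 6 archives and the
# paths in the crontab comment are hypothetical, not from the linked script.

# backup_dir SRC DEST [KEEP]
# Archives SRC into DEST/backup-YYYYmmdd-HHMMSS.tar.gz, verifies the archive
# and keeps only the KEEP newest ones. Prints the new archive's path.
# The body runs in a subshell so the umask change does not leak to the caller.
backup_dir() (
    src=$1 dest=$2 keep=${3:-6}
    [ -d "$src" ] || { echo "backup: no such directory: $src" >&2; exit 1; }
    umask 077                       # new files are readable by the owner only
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    out="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"

    # Write under a temporary name first: an interrupted run must never leave
    # a truncated file that looks like a valid backup.
    tar -czf "$out.part" -C "$src" . || { rm -f "$out.part"; exit 1; }
    # Read the archive back before trusting it.
    tar -tzf "$out.part" >/dev/null || { rm -f "$out.part"; exit 1; }
    mv "$out.part" "$out" || exit 1

    # Rotation: the timestamped names sort chronologically, so everything
    # after the first KEEP entries of the reversed list is old.
    ls -1 "$dest"/backup-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
    echo "$out"
)

# Crontab entry (crontab -e) for three runs a day, at 08:00, 14:00 and 20:00,
# where backup.sh is a wrapper script that calls backup_dir:
#   0 8,14,20 * * * /home/user/bin/backup.sh
# The archive is not encrypted. KeePassXC databases already are; encrypt
# anything else before it leaves the machine, for example with
#   gpg --symmetric --cipher-algo AES256 backup-....tar.gz
```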
## 4 File Recovery
Be careful how you delete files, especially if you are going to be selling your
disk or something. Data may not be 100% deleted like you think it might be.
That is why I never buy/sell used disks, because it is just not worth it.

From a security point of view, the important thing is that whenever you delete
a file, it usually just gets flagged as "NEW DATA, OVERWRITE ME PLEASE". And so
you have not actually deleted the contents, you have just removed the file from
the filesystem's structure and told the filesystem that what was once a file is
now usable space waiting to be overwritten. And guess what, the data which has
not yet been overwritten can be read. And pretty easily, I might add.

[#moreinfo1](https://www.youtube.com/watch?v=0WcrgvhO_mw)
[#moreinfo2](https://wiki.archlinux.org/title/file_recovery)

But how do you make sure it is actually deleted? Well, a good tool to look into
is [shred](https://wiki.archlinux.org/title/Securely_wipe_disk) (Securely Wipe
Disk).
> Hint: a cool one-liner I have learned recently from [Luke
> Smith](https://www.youtube.com/channel/UC2eYFnH61tmytImy1mTYvhA) is
> `dd if=/dev/random of=/tmp/erase_secrets; rm -rf /tmp/erase_secrets`. The
> command fills the disk with random data (overwriting all the
> not-fully-deleted data) and then deallocates the file from the filesystem.
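A per-file and a free-space variant of the deletion advice above, as an added example that is not from the original post. It goes slightly beyond the one-liner by refusing symlinks and by letting you choose which filesystem gets filled; the function names and the list of filesystem types are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Needs GNU coreutils.

# overwrite_is_reliable FSTYPE
# Succeeds when rewriting a file is expected to hit the same disk blocks.
# Copy-on-write, log-structured, RAM-backed and network filesystems put new
# data elsewhere, so an in-place overwrite proves nothing there.
overwrite_is_reliable() {
    case $1 in
        btrfs|zfs|f2fs|tmpfs|ramfs|overlayfs|nfs*|unknown|UNKNOWN*) return 1 ;;
        *) return 0 ;;
    esac
}

# secure_delete FILE: overwrite FILE with shred, then unlink it.
secure_delete() {
    f=$1
    # Refuse symlinks: shred would follow the link and destroy its target.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "secure_delete: not a regular file: $f" >&2
        return 1
    fi
    fstype=$(stat -f -c %T -- "$f" 2>/dev/null) || fstype=unknown
    overwrite_is_reliable "$fstype" ||
        echo "secure_delete: warning: old copies may survive on $fstype" >&2
    # -n 3: three random passes, -z: final pass of zeros, -u: remove the file
    shred -n 3 -z -u -- "$f"
}

# wipe_free_space DIR [MAX_MB]
# The dd one-liner, aimed at a directory on the filesystem to clean. /tmp is
# often tmpfs, where the filler file would land in RAM instead of on disk.
# Without MAX_MB dd runs until the filesystem is full, which is the point.
wipe_free_space() {
    dir=$1 max=${2:-}
    [ -d "$dir" ] || return 1
    filler="$dir/.wipe.$$"
    # dd exits non-zero on "no space left"; that is the expected end state.
    dd if=/dev/urandom of="$filler" bs=1M ${max:+count="$max"} 2>/dev/null || true
    sync
    rm -f -- "$filler"
}
```

On SSDs, wear levelling can leave stale blocks that neither function reaches.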