this post was submitted on 06 Nov 2023
117 points (96.1% liked)

Linux

48397 readers
1069 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
117
submitted 1 year ago* (last edited 1 year ago) by wolf to c/[email protected]
 

What are your 'defaults' for your desktop Linux installations, especially when they deviate from your distros defaults? What are your reasons for this deviations?

To give you an example what I am asking for, here is my list with reasons (funnily enough, using these settings on Debian, which are AFAIK the defaults for Fedora):

  • Btrfs: I use Btrfs for transparent compression which is a game changer for my use cases and using it w/o Raid I had never trouble with corrupt data on power failures, compared to ext4.

  • ZRAM: I wrote about it somewhere else, but ZRAM transformed even my totally under-powered HP Stream 11" with 4GB Ram into a usable machine. Nowadays I don't have swap partitions anymore and use ZRAM everywhere and it just works (TM).

  • ufw: I cannot fathom why firewalls with all ports but ssh closed by default are not the default. Especially on Debian, where unconfigured services are started by default after installation, it does not make sense to me.

My next project is to slim down my Gnome desktop installation, but I guess this is quite common in the Debian community.

Before you ask: Why not Fedora? - I love Fedora, but I need something stable for work, and Fedoras recent kernels brake virtual machines for me.

Edit: Forgot to mention ufw

you are viewing a single comment's thread
view the rest of the comments
[–] wolf 1 points 1 year ago (1 children)

Impressive list! What is the benefit of using Opal compared to LUKS?

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Opal drives are self-encrypting, so they're done by the disk's own controller transparently. The main advantage is that there's almost no performance overhead because the encryption is fully hardware backed. The second advantage is that the encryption is transparent to the OS - so you could have a multi-boot OS setup (Windows and FreeBSD etc) all on the same encrypted drive, so there's no need to bother with Bitlocker, Veracrypt etc to secure your other OSes. This also means you no longer have a the bootloader limitation of not being able to boot from an encrypted boot partition, like in the case of certain filesystems. And because your entire disk is encrypted (including the ESP), it's more secure.

[–] wolf 1 points 1 year ago (1 children)

Thank you very much for your explanation.

I still feel skeptical about using a chips controller for encryption. AFAIK there have been multiple problems in the past:

  • Errors in the implementation which weaken the encryption considerably
  • I think I even read about ways to extract the key from the hardware (TPM based encryption)

Do you provide a password and there are 'hooks' which the boot process uses for you to enter the password on boot?

I think it is nice to have full disk encryption, but usually we are speaking about evil-maid attacks (?), and IMHO it is mostly game over when an attacker has physical access to your device.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Yes, I do provide a password on boot, as you said, keys can be extracted from the hardware so that's not secure, which is why I don't use the TPM to store the keys.

There are no hooks necessary in the bootloader, as it's the BIOS which prompts you for the password and unlocks the drive.

And yes, there have been implementation problems in the past, but that's why the Opal 2.0 standard exists - don't just buy any random self-encrypting drive, do your research on past vulnerabilities for that manufacturer, and check if there are any firmware updates for the drive (don't just rely on LVFS).

Also, the common hardware attacks rely on either a SATA interface (to unplug the drive while it still has power) or older external ports vulnerable to DMA attacks such as PCMCIA or Thunderbolt 3.x or below; so those attacks only affects older laptops. Of course, someone could theoretically install a hardware keylogger or something, but this is also why you have chassis intrusion detection, and why you should secure and check any external ports and peripherals connected to your machine. Overall physical security is just as important these days.

But ultimately, as always, it comes down to your personal threat model and inconvenience tolerance levels. In my case, I think the measures I've taken are reasonably secure, but mostly, I've chosen Opal for performance and convenience reasons.

[–] wolf 1 points 1 year ago

Thank you very much for elaborating. :-)