Increasing my security
Previously, I’ve been very lax with security. But as I go into the world, and will be leaving my devices unattended, and as what is on my computers becomes more valuable than game site logins, I now need to put actual effort into securing my devices.
The laptops
In a previous blogpost, I detailed how I set up my laptop with secure boot and disk encryption.
The perfomance impact from disk encyrption is very minimal. This means that if I lose my laptop, then other people won’t get access to my data.
Secure boot protects against evil maid attacks. For example, someone could physical access to my machine to replace the kernel with a malicious one, but they can’t with secure boot enabled since it only allows for booting of a validated kernel.
And finally, I set a bios password. This prevents people from disabling secure boot.
The USB’s.
Previously, I just carried my USB’s, and my hard drive arround, with all the data on them unencrypted. That won’t do, because if I lose a USB, it means that people can look at the saved logins, or even get access to my logged in session
I first attempted to use the transparent encryption feature of the f2fs filesystem. Transparent encryption makes it so that you can use the filesystem normally, but data is encrypted on the drive. However, opensuse seems to have lacking f2fs support, so this didn’t work.
I then attempted to use LUKS to encrypt a spare USB I had, so I could move data over. However, for some reason, the LUKS USB wouldn’t mount. I experimented with LUKS encryption in other places, but trying to encrypt something in place resulted in data loss, so I ended up giving up.
In addition to this, I began to experience the frustrations with trying to encrypt every single thing on a device. So I decided to only encrypt sensitive data.
I decided to use the gocryptfs tool to create encrypted folders on USB’s and hard drive’s. It stores the config file in the directory to be encrypted, enabling portability to any device that has gocrypt.
In addition to this, it might be possible to use access the USB’s, encrypted folder and all, by either using gocryptfs via termux, an app to give you a linux terminal on android, or via DroidFS. However, I haven’t tested them, and these tools may not be able to access the USB devices.
Cleaning
I needed to clean the data off of the USB’s. However due to USB’s unique method of data storage, simply deleting the data isn’t enough. I decided to overwrite the data once for a more secure erase. However, it wasn’t practical to overwrite whole files, so I have to find the sensitive data, so that I can delete it. This is much faster than overwriting everything.
find . -type f -regex '.*mozilla.*\.\(json\|db\|sqlite\)$'
This uses a regex to find anything ending in .json, .db, or .sqlite, that is also has a parent or grandfather directory with the name mozilla in it.
find . -type f -regex ''.*mozilla.*\.\(json\|db\|sqlite\)$' -exec <securedeletecommand> {} \;
With this, I can run my secure delete command on my USB’s. I think I am going to use srm a command line tool that is compatible with the rm file remover standard util.
srm -rfsv is the command I will use.
find . -type f -regex '.*mozilla.*\.\(json\|db\|sqlite\)$' -exec srm -rfsv {} \;
And this will clean my external storage quite nicely, while not touching other databases or json files that don’t have sensitive data.
Yubikey’s
My father had a few spare yubikey’s he could lend to me. Yubikey’s are a hardware authentication device, used for things like two factor authentication (2FA). Many services, like my college, support this as an alternative method of 2FA. Because I didn’t have them set up yet, I was forced to install yet another app for 2FA on my phone. I don’t have these things set up, but I will soon. I probably won’t use the Yubikey as a method of unlocking encrypted drives, as it is somewhat redudant.
Virtual FIDO Device
I may also consider a virtual Fido2 device, to emulate a yubikey, if I don’t really want to keep them plugged in. Here are a few projects I found:
https://github.com/bulwarkid/virtual-fido