Client Devices‎ > ‎Linux PC‎ > ‎Security Laptop‎ > ‎

The Host Laptop

Host is the physical laptop it will be called HOST in all documentation
  1. Hardware Specs
    1. It should be 64bit
    2. I have 16GB and the fastest processor I can afford
      1. Needed to run lots of VMs
    3. Read Write DVD
    4. Lots of USB ports
      1. Minimum of 3 prefer 4
      2. Minimum of 2 USB 3 ports
      3. I have 3, 2 USB v2
    5. Webcam
    6. 500GB Hard Drive or greater
    7. Wireless and ethernet
    8. Should support Secure Boot
      1. Virtualbox, a core component doesn't support Secure Boot so I disable until it does
    9. HDMI or DVI or DisplayPort out for presentations
    10. Bluetooth
      1. I don't have this so I lose a USB port for my mouse
  2. Operating System
    1. Fedora 64 bit 19
      1. Pro
        1. Only mainstream Linux that supports LVM full disk encryption with custom partitioning
        2. Frequently updated
        3. Open source makes it more difficult (but not impossible) for sophisticated hostiles to coerce a backdoor
        4. Microsoft has been compromised and is terrible about security
      2. Con
        1. I stopped using Fedora many years ago because of RPM hell
          1. I'm pleasantly surprised that this seems to be a problem of the past
        2. I dislike Gnome 3 as much as I dislike Unity
        3. If Mint would support LVM full disk encryption with custom partitioning I would switch to Cinnamon Mint 15 
  3. Install Procedure
    1. Many great guides to install Fedora on the Internet
      1. I will not try to top them
      2. I will only mention my important decisions
      3. Here is Fedora's Installation Guide for your review
    2. BIOS
      1. Update your BIOS
        1. A note on HP laptops
          1. Modern HP Pavilion Laptops must update their BIOS from a running Microsoft Windows system
          2. This makes it very difficult to maintain
          3. Do NOT buy a HP laptop. I did :-(
      2. UEFI Secure boot
        1. VirtualBox does not support secure boot in Linux Guests so I allow legacy boot
      3. Disable netboot
      4. Boot Order
        1. CD/DVD (Temporary until after install)
        2. Hard Drive 
        3. USB (Disable if possible)
        4. Netboot 
      5. Intel Active Management Technology (AMT)
        1. I have not reviewed its security
        2. Does it have NSA backdoor?
        3. It can do firmware updates (keyloggers?)
        4. You can use a separate firewall to create a trusted network
          1. Its difficult to do this at an airport
          2. If your network is compromised then the device is exposed
          3. If your devices is stolen it won't be put on a network you trust
        5. Might be useful for server farms
        6. I mostly buy AMD laptops that don't have this
        7. Disable this for now if possible
      6. Trusted Platform Module (TPM) maybe a NSA backdoor 
        1. Linux does not use this
        2. Disable if possible
    3. Hard drive partitioning
      1. LVM partitioning scheme
      2. Encrypt my data checked
      3. reclaim entire drive
      4. Set passphrase now.... make it very long, very good 
      5. Check, I want to review/modify my partitions
        1. Let the installer automatically suggest a layout
        2. Shrink /home so we have some free space to play with
        3. /boot can not be encrypted.
          1. Min is 500 MB which appears to be the maximum
          2. /boot fills up a lot because thats where new kernels are loaded during updates
        4. /boot/efi probably can't be encrypted. Mine is 200 MB
          1. Put this on the USB Drive
        5. SWAP = 16GB Encrypted
          1. I might need a lot because of running VMs
        6. /var 8GB Encrypted
          1. I like a separate var because things grow here
            1. Logs
            2. RPM updates
        7. /tmp 4GB Encrypted
          1. I like a separate tmp because users can dump big stuff here
        8. / 75GB Encrypted
          1. This is where all the applications are
          2. It grows as applications become bigger
          3. It grows as you install applications
        9. /home Biggest possible Encrypted
    4. User Accounts
      1. Set Root password
        1. Don't log in and use this account, it's for maintenance
      2. Set up a user with a nondescript user name
        1. Make this user an administrator
    5. After the system Reboots
      1. Fix Bios
        1. I can disable CD boot
          1. If you can't then change the order so that the USB drive boots before everything
      2. Boot the operating system
        1. Do not let clipit save your clipboard history (for Fedora LXDE)
        2. Use the operating system patching facility to patch everything
        3. Boot again
        4. Don't save clipboard history
    6. Configuration and Apps
      1.  See the After Fedora 19 Guide
    7. Stop and Discuss
      1. We have built a Fedora Linux Laptop 
      2. The Hard Drive is encrypted
      3. At this point there is nothing to backup or archive
      4. If you stop here you would have some pretty good privacy and security but we can go on
      5. Why go on
        1. We can
      6. A weakness of this setup is that it has one layer of encryption
        1. You can be forced to start your system by the courts, by border agents, by an employer, or at gunpoint
        2. Law enforcement or criminals can coerce you to start "something" You can start the host system without revealing your sensitive data if we move on
        3. Multiple layers of encryption and multiple virtual machines can make this more difficult for them
        4. If you lose physical possession of the laptop, a hardware or software  key logger could be installed
          1. Presumably if a hostile burns a new bios your bios password would be gone or changed, an indication of shenanigans
          2.  If you lose possession of the laptop in suspicious circumstances do not use it or even start it
            1. Destroy the laptop and start from scratch