Security on travel computer

[Vincent17]

I have a 10 year old MSI Wind netbook which has been passed around to nearly everyone in the family: everyone hated the small keyboard and screen and sooner or later passed it on until it came back around to me. I have made it my travel computer with antiX-17.3.1_386-base.

I'm not a spy, but I try to take reasonable precautions with a computer that could be lost and that uses public wifi, while keeping it comfortable for everyday use. Customizations include:

• ecryptfs (encrypted home folder)
• xprintidle + script to shut down after timeout
• gufw (public setting)
• sylpheed
• text2pdf (Only 21k! http://www.eprg.org/pdfcorner/text2pdf )
• qpdf to encrypt pdf files for email. (No one else in the family has learned to love gpg )
• vpn just in case--normally I just check https certificates at grc.com
• firejail: firefox and sylpheed run in firejail

What do you do for security on a laptop? No doubt I have overlooked something obvious or made stupid mistakes, so I'll appreciate any suggestions.
Cheers

EDIT 3/9/2019 (no bump)
@xali thanks for the idea. I'm afraid I wouldn't know how or when to use macchanger, though.
In the very active security section of PuppyLinux forum, there was a suggestion to add a virtual keyboard (xvkbd or florence) to defeat any keylogger when entering passwords. Or a password manager.
Puppylinux is usually a frugal install, so there's the option for no changes go to disk; therefore no malware can survive reboot. A frugal install of antiX could be done for the same reason.

[xali]

could macchanger be useful in such a case?

[gbhollr]

It's not something I've actually done but I would consider doing...

My laptop's got Windows 10 which I plan to encrypt with Veracrypt, using an AES(Twofish(Serpent)) cascade with default PIM value and maximum cryptographic strength.
I am planning to also install MX Linux together with it as a dual-boot machine so I'm putting Veracrypt on hold until I can get everything right while testing it on VirtualBox.

For Linux, I'd install the GRUB bootloader into an external USB drive.
I also have a dead SSD so whenever I go on a trip, I'd replace my real hard drive with the dead one in case my laptop gets stolen or it gets taken in for inspection and customs decides to, for any reason, crack into and install some kind of malware. At my destination, I'd swap again and fit in my real hard drive which would be kept in an enclosure in my hand luggage.

But I'm interested in the applications you mentioned such as firejail and sylpheed.
Like I said, I'm looking to install MX Linux so I wonder if those packages are already included, what I could use them for and such.

[Jerry3904]

Both in the repos, not installed by default:

Code: Select all

jb@xps13mx:~
$ apt policy firejail
firejail:
  Installed: (none)
  Candidate: 0.9.50-0mx17+1
  Version table:
     0.9.50-0mx17+1 500
        500 http://ftp.osuosl.org/pub/mxlinux/mx/repo stretch/main amd64 Packages
     0.9.44.8-2 500
        500 http://debian.mirror.constant.com/debian stretch/main amd64 Packages
jb@xps13mx:~
$ apt policy sylpheed
sylpheed:
  Installed: (none)
  Candidate: 3.5.1-2+b1
  Version table:
     3.5.1-2+b1 500
        500 http://debian.mirror.constant.com/debian stretch/main amd64 Packages

[BitJam]

Puppylinux is usually a frugal install, so there's the option for no changes go to disk; therefore no malware can survive reboot. A frugal install of antiX could be done for the same reason.

Another option is an encrypted live-usb with home persistence. Likewise, home persistence could be used on a frugal install to store changes under /home and nowhere else. In either case, you could do a live-remaster when you do want to install/update software. If your RAM is limited then you may not have enough space to do a dist-upgrade. For a live-usb the solution is to do the dist-upgrade and live-remaster on a more powerful machine that has ample RAM. Another option that works for live-usb and frugal is to enable static root persistence with a large rootfs file. This will let you do the upgrade and remaster but on usb-2 it will be a little slow so only enable it for the upgrade and remaster.

One benefit of the live-usb is that if you keep it safe then you don't lose any of your information if the laptop is stolen. OTOH, if you only have usb-2 ports then the live-usb won't be magically fast like it is with usb-3.

You could also create an encrypted "frugal" install on your hard drive using live-usb-maker with the --force=usb option and the --size=XX% option so it does not gobble up the entire drive. It will want to re-partition the entire drive but there are simple ways around this. When it is time to do a big upgrade, you could clone the frugal install to a usb, do the upgrade and remaster on another system and then manually copy back the linuxfs file.

I'm not suggesting these are your best options, just letting you know what is available.

[jonnken]

i like the idea of having a live USB boot...then protect like it's your wallet or keys to your house.

[tadream]

Live USB boot and VPN to start with. All the above security measures of course will raise the security level. But what if that USB device is lost or stolen? A perverted way to circumvent that is to boot with the remastered secure USB device TO RAM and use suspend/hibernate when not in use. Leave the USB device in a safe place or format it.
If the laptop (with no internal storage) is lost or stolen, the unathorized user will have small chance to actually get anything out of it.

[gbhollr]

Puppylinux is usually a frugal install, so there's the option for no changes go to disk; therefore no malware can survive reboot. A frugal install of antiX could be done for the same reason.

Another option is an encrypted live-usb with home persistence. Likewise, home persistence could be used on a frugal install to store changes under /home and nowhere else. In either case, you could do a live-remaster when you do want to install/update software. If your RAM is limited then you may not have enough space to do a dist-upgrade. For a live-usb the solution is to do the dist-upgrade and live-remaster on a more powerful machine that has ample RAM. Another option that works for live-usb and frugal is to enable static root persistence with a large rootfs file. This will let you do the upgrade and remaster but on usb-2 it will be a little slow so only enable it for the upgrade and remaster.

One benefit of the live-usb is that if you keep it safe then you don't lose any of your information if the laptop is stolen. OTOH, if you only have usb-2 ports then the live-usb won't be magically fast like it is with usb-3.

You could also create an encrypted "frugal" install on your hard drive using live-usb-maker with the --force=usb option and the --size=XX% option so it does not gobble up the entire drive. It will want to re-partition the entire drive but there are simple ways around this. When it is time to do a big upgrade, you could clone the frugal install to a usb, do the upgrade and remaster on another system and then manually copy back the linuxfs file.

I'm not suggesting these are your best options, just letting you know what is available.

Okay, all that is getting way over my head.
I mean I've begun learning about Linux about a year so I'm unfamiliar with what a "frugal" install and "home persistence" is and whether or not they can be done on MX Linux or how I can do whatever you described here.

Thanks though.

[BitJam]

Okay, all that is getting way over my head.
I mean I've begun learning about Linux about a year so I'm unfamiliar with what a "frugal" install and "home persistence" is and whether or not they can be done on MX Linux or how I can do whatever you described here.

A frugal install works like a live-usb but it is installed to an existing internal hard drive partition. With home persistence on the live system we save files under the /home directory across reboots but nowhere else. Either one is very easy to enable from the live bootloader using the "F5 Persist" menu. Some of this is explained here:

The Most Extensive Live-usb on the Planet!

The pictures there are for the antiX live bootloader but the MX live bootloader uses the same system and has the same options.

It is very easy to customize our live system with whatever software or other things you want to add. Just add them and then do a live-remaster. After that you can "lock down" the system to various degrees including a total lockdown so any changes made to the system are not saved across reboots. Or you can enable home persistence so changes in your home directory are saved across reboots but nothing else is.

You can easily create an encrypted live-usb with any one of our live-usb-maker tools. If you use a good passphrase then this will ensure that no one can read your data in the case when the live-usb is lost or stolen. Also, since the entire system is saved on the usb stick, when you get home, you can boot your travel system on any of your home computers. You can use the more powerful machine to do system upgrades are large installs or to make any other tweaks you like.

[gbhollr]

Very fascinating. I'll be sure to try this all out when I have the time.
I'm learning something new about Linux every day here.