[ home / bans / all ] [ amv / jp / sum ] [ maho ] [ cry ] [ f / ec ] [ qa / b / poll ] [ tv / bann ] [ toggle-new ]

/maho/ - Magical Circuitboards

Advanced technology is indistinguishable from magic

New Reply

Options
Comment
File
Whitelist Token
Spoiler
Password (For file deletion.)
Markup tags exist for bold, itallics, header, spoiler etc. as listed in " [options] > View Formatting "



[Return] [Bottom] [Catalog]

File:EeetQd0XkAAG1ON.jpg (825.03 KB,2857x4096)

 No.1722

How do you manage computer security in your devices?

I feel that just common sense isn't enough nowadays, because of several reasons:

- Browsers especially (even if you disable JavaScript, which is often not feasible in many sites), but also email clients, torrent clients... can all be exploited somewhat easily.
- Some games require kernel-level anti-cheats, which have complete access to your computer. Even if you trust the developer, these kernel drivers are often buggy and can be leveraged by malware.
- Legitimate programs or Steam games might receive malicious updates if the developer or their supply chain is compromised.
- If you use third-party dependencies for development, you might also be compromised if any of them (or their recursive dependencies) are malicious, not uncommon in ecosystems like npm.
- If you play doujin games or eroge, you often have to download them from random untrusted sources.

I've concluded that it's not really possible to trust a computer if you use it for activities like these.

I'm thinking about getting a second device only for sensitive stuff, like banking, shopping and managing passwords. It seems a bit of a hassle, but I can't think of any other way.

 No.1723

File:9c8751f015b3706bbd03a7bf93….jpg (1.4 MB,1792x1275)

>It seems a bit of a hassle
Is it? Just get a cheap used laptop for sensitive stuffs, it won't take much space. I have like 4 of them.

 No.1724

>>1722
i think you're being overly paranoid
also, dunno what your bank is like but it has been i think a industry norm for like 15 years to require MFA for basically every action you take
anyway, if you really that concerned you could look into getting a hardware token instead of a brand new device, or virtualization/sandboxing

 No.1725

Even if you use trusted and expensive services you can still get super fucked if the someone up the chain pushed out a bad update, such as what happened to microsoft a few months ago with their security provider.
The only way to be completely safe is to physically isolate your hardware. Cant get a virus if it cant connect to you. Doujin and ero games are stuff I put onto my old laptop which is more convenient to sit in bed and play, and if something goes wrong with my dolphin porn I'm not losing much. It's also a good idea to get your "illicit goods" from trusted sources. A lot of this can be avoided with just paying attention to where the link goes.

 No.1726

File:1673314875896105.gif (3.58 MB,1644x1080)

>>1722
99% of the stuff you listed is not realistic and only works in theory. In reality all you have to do is not download random shit on the internet and not fall for phishing scams.

 No.1727

>>1726
This,
OP and anyone who is interested in securing their electronic devices should define their own threat model before implementing solutions.
Anyway, most people only want to be safe from cybercriminals and this advice is probably the most important. If I wanted to add one more specific, I'd recommend to create a separate account for administration tasks (done by default on most Linux distributions but not on Windows).

 No.1729

File:R-1725842433966.gif (823.86 KB,498x280)

have some fun playing with Qubes OS which isolates every application into its own virtual machine

 No.1730

>>1722
Backup your files in case of ransomware.
Don't reuse passwords.

Having a USB containing a small OS that loads into RAM and doesn't touch your HDD could work, like Puppy Linux or Slax.

There are small things you can do that don't necessarily fall under "don't click on weird stuff".

 No.1731

I don't keep any passwords on my device, after I got a virus that pulled all mine from Firefox's password cache.

Don't let your browser remember passwords, it's stored basically in plaintext as far as viruses are concerned.

 No.3663

File:4021525_p0.jpg (1.14 MB,1100x1550)

Recently I've taken to using KeePass since managing my passwords in an encrypted excel file was becoming a hassle. And now that I'm finally using it I have to say that I feel like a big retard for having waited so long to pick it up. It's so much more convenient than the excel file in terms of organization and copying the login details (copying is just CTRL+B for username/email and CTRL+C for the password) and because it's stored locally I don't have to worry as much about some sort of cloud breach exposing all my passwords. Only thing I need to worry about is someone getting onto my PC and finding it but I have it set to auto-away after like 5 minutes and need the password again so that's also an extra security step over excel, and probably more secure than storing my logins in my ff cache.

Best part is since I can also use it for generating a new secure password each time I just created a default generation setting I like and now whenever I create a new account since I have to use KeePass to generate the password I always remember to store the login credentials on it. I don't know why I took so long to make the move.

Only issue I would have would be if my PC corrupted or the drive it's on failed so I'm going to backup the database on multiple flash drives and keep them regularly updated so that doesn't happen.

 No.3664

>>3663
Oh shit I was actually looking at Bitwarden the other day. Might stop being a retard as well, I see there's also a KeePassXC.

 No.3667

>>3664
I've seen people recommend Bitwarden as well, but it looks like it costs money? I'm not too sure on the fine details of if it's actually better than KeePass or not.

 No.3668

Oh, Bitwarden is cloud-based. Thought I saw some people saying they ran self-hosted versions.

 No.3669

>>3663
>encrypted excel file
I used to store all my logins on my phone as plain text notes before I switched to KeePass...

 No.3670

File:1456884678455.jpg (34.17 KB,342x329)


 No.3672

File:sample_2fc021a75aed6769690….jpg (266.05 KB,850x1468)

>>1722
>If you play doujin games or eroge, you often have to download them from random untrusted sources.
I got a ransomware from a game I downloaded on recommendation by an anon from 4jp. God knows why the malware didn't execute it's payload. I was running it on a Windows 7 machine and I think I even had Windows Defender disabled.
The game was really good though. I wish RPG maker games ran well in Virtualbox. They do not.
>I'm thinking about getting a second device only for sensitive stuff, like banking, shopping and managing passwords. It seems a bit of a hassle, but I can't think of any other way.
2 of any device is a miserable existence in my opinion. If you really care so much, buy another hard drive/ssd and install it into your computer (but leave it disabled) and boot into it for shopping and banking.

 No.3673

are there actual good antivirus tools what are they

 No.3681

>>3672
>I wish RPG maker games ran well in Virtualbox. They do not.
Do Linux virtual machines have better options? Was thinking about finally working up the motivation to rearrange all my shit for a dual boot linux. Bazzite looks cool for a g a m e r like me

 No.3761

>>3664
Actually was thinking about this for a while and was wondering what kissu’s actual computer experts think about this one. Like what does Vermin think

 No.3762

File:KotokotoSu_Megane.gif (4.67 MB,480x270)

>>3761
Certified kissu computer expert™ here, KeePassXC is indeed better than an encrypted excel file.

 No.3763

>>3761
keepass is nice, i've gotten used to autofilling credentials with the browser addon and it's pretty handy
i also have the vault in a syncthing folder so i can access it through my phone as well

 No.3765

>>3763
>keepass
>syncthing
Oh hey wait, that's pretty much my setup as well! And i think it works great. Having keepass so i only need to remember a single good password, and syncthing so that i can access keepass from my phone, or laptop, is a great combination.

 No.3766

File:1731828622389.jpg (94.87 KB,960x540)

I use security through obscurity!

 No.3768

>>3766
It only works as long as the thing you're "securing" is something no one cares about

 No.3770

File:Cool Sanae.jpg (346.51 KB,2048x2048)

I keep all my usernames and passwords unencrypted and in plain text on a piece of paper!

 No.3771

>>3770
I keep mine inside Sanae's panties!

 No.3772

>>3771
anonymous got subsequently hacked now that everyone knew his credentials

 No.4157

File:1498248514883.jpg (66.94 KB,1000x1000)

https://www.yahoo.com/news/16-billion-passwords-apple-facebook-203204594.html

I fucking hate having to change my password, but at least I started using keepass.

 No.4160

>>1722
I uhhh.....installed malwarebytes and paid for it
that's enough, anon?

 No.4162

>>4160
¥I uhhh.....installed cryptolocker and paid for it
¥that's enough, anon?

 No.4163

>>4162
>cryptolocker

haven't been ransomed yet, can't wait for it! sounds exciting!
but jokes aside, what alternative antivirus would you recommend? I'd like it to have vpn feature too.

 No.4164

File:1476055745001.jpg (10.48 KB,472x472)

>>4163
antivirus increases the attack surface!!!

 No.4165

>>4164
ok, so what, am I supposed to just use windows firewall?

 No.4166

File:angepc.png (54.99 KB,369x327)

>>4164
I once had Norton antivirus on an old PC of mine and it ironically acted like a malware by giving me pop ups every other minute and refusing to stop even if I clicked on "Don't remind me again".

 No.4199

File:comfysmugs.webm (7.66 MB,1024x576)

How I keep my precious computers safe:

First thing first; You need a real firewall between you and the internet. Do not trust your ISP router/modem to do this for you. The sad truth is most people are only not exposed due to being behind a NAT.

On my LAN I have an old PC with two 10Gbps PCI ethernet cards in it. One goes out to the ONT/Modem and the other to my LAN's router. I'm simplifying here a bit because I have two ISPs with automatic fall over. But the basic idea is I have a machine between the hostile unfiltered internet and everything else. On this machine I run OpenBSD stable with pf firewall. In pf I have various rules set up to make sure nothing can come in that I don't want getting in. Same for outgoing packets.

My router is used one that goes in server rack that I picked up cheap. Needs to be replaced with something that can do 1Gbps soon. Basic idea here is to get anything that allows you to reflash the firmware. I flashed mine with what amounts to a Linux distro. Here I do my routing, set static IPs for each of my devices which are whitelisted. No random device can join my network. Basic networking stuff here.

From the router we go to an AP for wireless devices and my unmanaged switched. Both were bought used from ebay like the router. They don't do anything but move packets around. Just get something decent.

From the switch I have 16 CAT6 drops to wall sockets in the house. In those my computers and stuff are plugged in. I ran the cables myself and they are somewhat secure. You'd have to enter my home and crawl up into the attic to access them. I check them now and again to make sure they haven't been tampered with.

On my workstations/desktops I have different levels of paranoia. I have Windows PC that just serves for gaming/fuck around shit. A dump for warez and legacy stuff. I don't really do anything on it that needs security and I don't care if malware slips through on it from time to time. I just scan it now and again and manually look at what's running from time to time. Basic rule of thumb here is little if anything gets on it in the first place because I don't do dumb stuff like install untrusted software. Get warez from trusted sources. Web browser on it is Firefox, we ublock+noscript/script blocking. I don't save cookies. I don't auto-login to websites. I don't log-in to stuff I care about being lost.

I personally store all my passwords in my head since I can remember strings of long numbers+letters+characters because I'm autistic like that. Don't trust storing them in "encrypted" files because then you'd just need to beat one password out of me to access them all. Don't trust the software for that sort of stuff.

I run full disk encryption on the above system with a decoy install of Windows that is unencrypted. If you don't plug in the right flash drive at boot+enter password you get the decoy install. I boot into it from time to time to make it look used. If the system is stolen that should be all they get. If I know a raid is coming I have a thumb drive with an OS+tools+my own script to nuke the data on the drives quickly. Basically dd /dev/urandom to write random data over what's already there and encrypted. But without power they shouldn't be able to see the data anyway. At least not state level actors.

(cont.)

 No.4200

File:We Don't Talk About The W….webm (3.11 MB,1268x720)

>>4199
For more sensitive stuff I have other computers. I really have multiple for various things. But let's stick to just two examples for now.

I have an old thinkpad laptop that allows you to re-flash the BIOS. Which I have done. I run OpenBSD on this machine. It has full disk encryption. It has pretty strict pf rules so I can use it away from my own network without worrying too much. Locked down browser like the desktop machine (pretty much same config). The main difference is I don't do multimedia/run warez/that kind of stuff on it. I stick to the base system tools that come with OpenBSD and my own scripts. Since they're audited.

This is the machine I write my super sekrit documents on (magical girl porn mostly) and do banking, log-in to accounts, pay bills, high profile shitposting, read fap matieral and things of that nature. Basically, anything I don't want the general public finding out about (yet).

You would think this machine would be limited but it can do most everything I want. I wrote my own window manager based on dwm for it. It can run full blown web browser. It can run most modern UNIX applications I need. It just can't do stuff like play video games through steam/proton even though the machine is more that able to handle them with another OS. You learn to make do with less.

The main point is I can personally audit all the code on that machine or rely on a community helping me. Since the kernel is simple compared to other UNIX OSs, the base system is well audited and it has a track record for good security. I can also operate it without an internet connection. Since everything is well documented through man pages.

I basically don't trust any device on my own network unless I can do the above. So all the other crap I have like set-top boxes (Apple TV, Rokus things of that nature) are given strict rules at the network's firewall about what they can and can't do. All devices are given static IP addresses. No device can join the network unless it's on the whitelist. So random people can't do stuff like join my wifi network than snoop upon all the devices on it.

I have my own media server on this same network. I try not to watch media unless it's from that server. It fetches stuff automatically from the internet. It can talk to devices on the wider internet to stream media to them (so I can watch away from home). But again, it's under strict rules and even if you do manage to talk to it somehow you can't see anything on it without an account+encryption keys. Which I manually create, hand out, update etc.

I find all the container+VPN nonsense to be over kill. It isn't really better than shoving stuff in a chroot. The important thing is a good firewall. Good habits and not doing anything dumb.

Main entrance into most machines is the browser. So if you block all javascript by default you basically eliminate 99% of ways in. Provided your network is set up correctly and you aren't being port scanned all day.

 No.4201

>>4199
>16 (sixteen) network drops
Ojou-sama... Do you live in a mansion?
>I run full disk encryption on the above system with a decoy install of Windows that is unencrypted. If you don't plug in the right flash drive at boot+enter password you get the decoy install. I boot into it from time to time to make it look used. If the system is stolen that should be all they get. If I know a raid is coming I have a thumb drive with an OS+tools+my own script to nuke the data on the drives quickly. Basically dd /dev/urandom to write random data over what's already there and encrypted. But without power they shouldn't be able to see the data anyway. At least not state level actors.
That's borderline paranoia. How'd you do the thing with the flash drive? And if someone did steal the system, they could see the partition table and see the encrypted drives, couldn't they? The decoy OS doesn't seem to serve much purpose, apart from acting as an extra step for the would-be data thieves to discover there are unencrypted partitions.

 No.4202

>>4200
Were/are you a CISO in some company? Or are you just that autistic? Writing your own DWM and stuff is really next level.

 No.4203

File:laininbearsuit.jpg (41.8 KB,400x400)

>>4200
Note I'm not opposed to VPNs in practice. I'm just opposed to buying a commercial one and thinking it equals safety. Most people buying VPNs have absolutely no need for them.

I set up my own using either cheap VPS servers. For example, the gateway into my media server is a VPS I pay like $3 a month for or something like that. It serves as the log-in portal for clients. Then it passes along the information to connect to the media server (the current IP address) and creds to the media server to allow the log-in. I'm not doing anything like operating a private VPN for my users to connect. Since it would require configuration on each and every device/network they might use. I just accept connections from the entire internet but only talk back if the right IP is calling as verified by the VPS.

In other words. I don't mind exposing one of my home machines/servers to the internet at large. I'm just careful about how I do it and who I let them talk to. I don't do things like use a VPN to download torrents for example.

The thing I'm seeing in the wild most often now with people getting auto-exploited is because of IPv6. Lots of people demand an IPv6 address these days because it's the only way they can get a public IP. Since so many new ISPs are CGNAT. What these people fail to realize is once they get their wish each and every device within their own LAN is not talking directly through the internet. As opposed to the typical IPv4 set-up where they're all behind a NAT serving as a poor man's firewall.

So what ends up happening is their devices constantly get port scanned and spammed with ssh log-in attempts. Many of which work because most people don't bother to secure anything. This is how all those Ring cameras and all the "smart" devices get pwned.

What you need to do is setup a firewall and grep through your log files out of habit. I've slipped up many times only to catch it a day or two later. But I only caught things because I bothered to read my log files or notice when something wasn't right. Like some process eating cpu/bandwidth that I know isn't supposed to be there. Generally, I've been okay though because I don't do stupid things.

In summary: The most important thing is a proper firewall. The second most important thing is properly configured web browser. The third is to not do stupid stuff. Like installing some warez copy of a game from some shady re-pack site you've never heard of or just blinding clicking "accept" to everything. Well that or running random scripts or unaudited packages if you're on UNIX/Linux. Lots of people on Linux running pwned machines without realizing it. I'd wager more Linux machines are pwned than anything else.

All that aside you need decent (what the kids now call) opsec. I don't have to worry about a lot of exploits because I simply don't have the hardware. I don't have a phone anymore so I don't have to worry about scams targeting cell phones. I pay in cash always so I don't have to worry about someone getting my debit card and draining my accounts. I don't have "smart" anything in my home. Well aside from a first-gen "smart tv". Which I've taken apart and ripped the wifi antenna out of and blocked at my firewall. So that it can't talk to the internet even if it wanted to. I don't have hot mics/cameras within my home. They're unplugged when not in use.

I also keep a gun handy in case someone tries to come in and rob me of my precious computers. Everyone has their own approach to security though. I prefer an old school one and I prefer not dealing with problems if there isn't a good return on investment. Hence the lack of cell phone and smart devices. I don't need to adjust my A/C and heat from a phone. I simply bought a split duct system with an IR remote so I can be lazy that way instead.

Getting back to Windows: I've never ran an "anti-virus" because they're worse than malware. At most you just need to run a good malware scan from time to time. I do not leave such applications installed when I'm not using them. I don't scan for stuff unless I think I might have done something retarded or I see the machine trying to send traffic I know it should be and/or otherwise acting strange.

I could go on about opsec and security all day and this is already getting long. If you spend long enough doing this stuff you'll discover the "experts" are usually the same kind of people normal people would call Luddites. They're opposed to allowing certain stuff on their systems/in their house/in their business because they know damn well they can't really secure them. Anything that needs to talk "to the cloud" to function would fall under that label.

 No.4204

>>4201
>Ojou-sama... Do you live in a mansion?
My house is small and comfy. When I ran the network I bought a lot of cable. Why do one drop when you can do 5? I made sure I had at least 4 ports anywhere I put them. I also did a bunch of direct runs so I could pipe usb and hdmi devices over ethernet. That way I could do things like play video games on the same system from any TV in my house. Living room+bedroom TV have usb hubs under them. I can pause a game. Walk into the other room. Plug a controller in and keep going. The gaming machine they're both connected to is back in the server rack with all the other stuff like the media server.
>How'd you do the thing with the flash drive?
I use OpenBSD but you can do it with any UNIX OS and the tools that come with it. shred/dd for example. You just write a small script so you can invoke them to wipe the drives with one command.
>And if someone did steal the system, they could see the partition table and see the encrypted drives, couldn't they?
It would depend on their level of skill. 99% of people that would break into my home to steal it are just going to assume it's the main installation and nuke the data on the HDDs to re-sell it. The point is they can't access the main install without the dongle+password. If a state level actor gets it I'm sure they have a way to get in. But they're really going to have to work for it. That or beat me with a pipe and/or lock me in solitary until I cough up the password. But if I destroy the thumb drive even I can't get back into it. Since the password is useless without that key.

>Were/are you a CISO in some company?
I went to school to learn CS+Networking. Although I was already pretty much self taught at that time. I've mostly worked freelance all my life because I hate having bosses. But I've been brought in as contractor more than once to supervise setup of a network or fixing someone else's mistake. I mostly do it because it's fun and I've been fascinated by it since I first helped a family friend set-up a network for our family business as a young child. To give you an idea of how long ago that was: We used vampire taps.

>Writing your own DWM and stuff is really next level.
Not really. dwm is pretty simple application. Writing a simple WM for Xorg/Xenocara isn't that hard. I mainly run it because it's comfy not because it's secure. Although it is more secure. Since I can audit it and the version of X mine is running on top of was audited/edited in an attempt to make it as secure as possible.

I'm in the process of getting rid of it though and writing something based on Arcan to replace it. But usual work load gets in the way.

There are a lot of us out here in the world that have simply done this stuff for fun for years. We're the old crabby people that hang on places like the OpenBSD and NetBSD mailing lists. We're all opinionated assholes because we're old and know better. You'll find heavy distrust of most modern stuff happening the tech sector in such places.

I'd really really like to write a kernel+userspace and sell hardware that was "secure out of the box" for "normal people" that would let them do stuff like play their video games in peace. But the state of things makes that basically impossible. Even if I put the effort in no one would fund it and most people wouldn't want it. There would be no meta data for a company to gather and sell and most users wouldn't follow the man pages anyway. That's just how things are now.

My greater point is you shouldn't expect anything you're putting on a basic Windows/Apple/Linux OS to remain "secure". They're basically configured not to be secure and even with effort you can't truly secure them. Most people aren't doing stuff like building their own firewall with hand picked hardware they can audit all the firmware of.

Even with everything I've rambled on about above I know my systems aren't truly secure. Since I can't audit things like the firmware controlling my HDDs. Or the blackbox that is the modern GPU. Or the entire OS running on my CPU at all times that I can't control. Or the firmware for the motherboard's chipset etc. etc. But all that stuff is mostly used by state level actors. Who have a good eye on the entire planet anyway. They'll also just make shit up if they really want you out of the way. The average user doesn't stand a chance against them (including me).

But the guy that might try to rob me or do basic level snooping through my open wifi network? That I can do something about.

Age old advice always applies: Don't put your real name on the internet. Don't share things you don't want shared forever. Don't put sensitive data on any device if you don't want it spreading. Aka don't take pictures of your penis then complain later if it leaks. Shouldn't have taken picture in the first place.

 No.4205

>>4204
Can I come over your house and get a tour and pat your cats?

 No.4206

>>4200
speaking about games, what do you personally use to play? i have pretty much the same setup (openbsd with base besides browser and stuff like ffmpeg for multimedia) and i was thinking about making a rig for playing emulators up to ryujinx/forks + proton, and my idea was to make a separate desktop with linux. do you think it makes sense to separate things?
i would like it to be openbsd still but i never ported anything on the system (still), but we do have DRI up to date with linux now theoretically. otherwise i thought about just buying consoles and mod them but some are still pretty expensive af.

also, what do you think about anonymizing networks? i had a pretty paranoid period where i exclusively run a tor transparent proxy for about a year but then i thought that running EVERYTHING through unknown computers 24/7 is pretty risky and just a massive red spot for LE. hell, i even tried using ftp(1) with a perl script to parse html as my only browser for a while, but now i use ungoogled chromium otherwise i can't post on IBs (unless you know how to do magic with nc(1) i guess)

 No.4207

>>4199
>>4200
>>4203
>>4204
This all sounds extremely paranoid but this is also exactly what I want to create... down the line. Saving this thread for future use. Thank you, anonymous.

 No.4208

>>4207
The old saying is true: Just because I'm paranoid doesn't mean they're not out to get me.

A good firewall between you and the internet isn't paranoia though. It's just common sense. You wouldn't leave the front door of your house wide open at all hours would you? Lettings every one that passes by have a peek inside. You wouldn't have spiders, snakes, bugs, mice and human thieves in. That's why you have a door and a lock on the door. The lock might be easy for a practiced thief to break. But it keeps honest people honest and if you're having break ins all of the time you can reinforce the lock or add bars to the windows or something like that.

Full disk encryption is just common sense. That way if your laptop/computer/HDDs are stolen the thief doesn't get easy access to everything contained on them. It should have been the default long ago in all OSs. It's terrible that so many OSs don't have an easy way to set up FDE. Some are getting there but they're usually easy to by-pass and people don't bother with them anyway. Or they only encrypt certain files on the disk. Which isn't the best idea because if everything around them aren't encrypted it makes it easier to break the (usually weak) encryption on those few files that are. Not to mention most easy-to-use encryption schemes are easily broken by their design. Since these companies work hand-in-hand with law enforcement.

The ideal set-up for encryption is two factor option. Where you need some kind of key and a password to unlock the storage devices. This is the hardest kind to setup and pretty much nothing ships with it on by default. No one is selling pre-installed OS+hardware with that type of set-up either. So you end up having to do it yourself and it's a huge pain in the ass. Only Linux really supports it as well. OpenBSD/FreeBSD is getting there. But you still can't run a set-up with private key+password to unlock+detached headers. Detached headers is really important. With headers on the storage device it's easy to tell that encrypted partitions exist. With them outside of the storage device (usually on a thumb drive) the internal storage device simply looks like truly random data. Which allows you to claim that you just wiped the disks and nothing still exists on them should you be forced to testify in a court of law.

Oh all the OSs I've tried lately OpenBSD has the more easy to setup encryption scheme for FDE. You get an option at install time to either use a password or store a private key on another device like a thumb drive. But it doesn't allow you to do both yet nor does its file system allow you to detach the headers. I think they're working towards improving it so maybe the situation will change soon.

Aside from OpenBSD the Gentoo distro has the most documentation for setting up what I consider good FDE. Many claim Arch is better in this respect. But the issue is it relies on certain tools I consider to be horrible (systemd and friends). Which I do not allow on my own devices for a lot of reasons I'm not going to rant about now. The short version of the rant is: You can't trust the developers of that software so you shouldn't trust the software itself. We're talking about an init system that was handing out root to any user with a number in their usernames after all. In addition to it being a ton of code running as PID1 for no reason with a horrible track record for bugs/bug fixes.

Anyway, if you want detached headers+key to unlock+password I suggest going to the Gentoo wiki and reading some of the guides for doing it without systemd+fedora tools. They've got their own software to handle things like initramfs. They're much better than what all the other distros are shipping.

I personally use chain unlocking and no kernel on the actual device. By that I mean my boot up looks something like this:

1) Insert thumb drive with copy of kernel+private encryption key
2) System boots from thumb drive
3) Kernel is loaded from thumb drive and unlocks primary system partition on SSD once password is input
4) Once kernel boots into console it searches now decrypted SSD for other private keys to unlock HDDs used for actual storage of non-system files
5) HDDs are unlocked automatically using those keys. Can have another password prompt here for each one if you really want

I've also done it another way. Where key on thumb drive unlocks SSD system drive. SSD system drive unlocks HDD1. HHD2 is unlocked by key stored on HDD1. Rinse and repeat for each and every disk until they're all unlocked and up and running. I don't do this anymore because now I have all the HDDs in a RAID pool. So they just function as one big disk.

Keys can be anything. You can generate random blocks of data with /dev/urandom to make keys. Or you can use other files like random images. You can also have multiple keys/passwords to unlock your encrypted devices. You can also store your keys encrypted on a disk with a password to decrypt them. Which is what I do on my thumb drive that holds the kernel+initial private key. Even if you stole the thumb drive and got a copy of the key it's useless unless you have the password.

Typically, I have at least two keys for each drive. The first key is a random block of data I've generated with /dev/urandom. The second key is something like an image of my favorite SHABs. Typically slightly modified with something injected into the file to make it unique from the one being circulated on the wider internet.

This way unlocking is mostly automatic with the first set of keys. But if I lose the thumb drive I can still access the data on the disks using the other keys. Which I've backed up in several places. I have those keys (images) shoved in a massive folder with thousands of other images. So they don't look like they're important to anyone that might get access to them. Just looks like I scraped the local booru and have a local copy of it for my own fapping purposes.




[Return] [Top] [Catalog] [Post a Reply]
Delete Post [ ]

[ home / bans / all ] [ amv / jp / sum ] [ maho ] [ cry ] [ f / ec ] [ qa / b / poll ] [ tv / bann ] [ toggle-new ]