Sort of new to Linux - want an easy to use, but 'very secure' OS with full OS encryption - advice on which OS>?

1bit

Member
Joined
May 10, 2019
Messages
30
Reaction score
9
Credits
111
hi all

Im sick to death of Microsoft backdoors, telemetry and even IME hardware built into Intel motherboards since 2007 that "phone home to NSA" and in AMD CPUs since 2013

moral of the story - buy an old AMD machine from 2012 and beyond and run Kodachi on it? lol

im using a very old Intel PC, but from 2009
(Sandy Bridge @ 4Ghz (OC) - P67 mobo -14Gb RAM 1600MHZ DDR3 (OC) - Giigabyte GTX 650 GPU - Samsung 860 SSD and 3 x HDDs)

Im wanting a very secure (encrypted) Linux distro, that is also good for a 'semi' noob (tried a few on VM's installed not so good on Terminal but can follow intrusctions and understand its just like CMD in windows of sorts), but also has a store for easy access to all the apps you would get with the likes of Linux Mint and Ubuntu....which are probably just as unsafe as Windows given the user base count ...quiet, barely used FOSS is the way to go IMO - apps and OS that EVERYONE uses is where the "nasties" go...

I cant go off LIVE even though thats the most secure way to go, its not static, for me it has to be installed so I can save stuff.

I should be able to encrypt my SSD on a hardware level, and LINUX on a Software level (double encryption) - but I can NOT get a version of Samsung magician that will recognize my drives properly and give the options the drive IS capable of...

so software encryption will have to do

any ideas?

thanks in advance
 


Seems I saw a post similar to this not long ago.

I cant go off LIVE even though thats the most secure way to go, its not static, for me it has to be installed so I can save stuff.
If you have two USBs, you can boot from a live distro on one USB, and install a full distro on the other USB.

I should be able to encrypt my SSD on a hardware level, and LINUX on a Software level (double encryption) - but I can NOT get a version of Samsung magician that will recognize my drives properly and give the options the drive IS capable of...
Encryption requires processing. Double-encryption; doubly so. This is likely to be exacerbated on older equipment. You're also increasing potential for errors and possibly shooting yourself in the foot in the event an error did occur. Double-encryption ROI is probably not that great.
 
ive tried software encryption on HDD (and this will be on an SSD) and that was working fine for me

I dont understand the double use of two USBs though? or how it would work? do you mean to switch between the two?

what distro would you recommend?

thanks
 
I dont understand the double use of two USBs though? or how it would work? do you mean to switch between the two?
In the eyes of the computer, a USB stick is just another drive, like a HDD or a SSD. If you install a live distro onto a USB stick, then insert both USB sticks, and boot your computer to the live USB stick, you should then be able to partition the 2nd USB stick and install a fully functional OS on it.

what distro would you recommend?
I don't recommend any particular distro, because I believe that Linux is only as secure as you make it, and most mainstream distros pass the muster as far as I'm concerned.

I personally use Mint. I could encrypt my disks (mostly I don't, some I do). I could download one of many "private" browsers (I don't). I could use a VPN (I don't). But I do run firewalls. I do lock down my services. I do use fail2ban. I do use ad-blockers. I do keep backups. I don't visit questionable sites. I don't keep any private data on the laptop I travel with. I don't enable root login, keeping to sudo. Etc. etc.
 
Im wanting a very secure (encrypted) Linux distro, that is also good for a 'semi' noob (tried a few on VM's installed not so good on Terminal but can follow intrusctions and understand its just like CMD in windows of sorts), but also has a store for easy access to all the apps you would get with the likes of Linux Mint and Ubuntu....which are probably just as unsafe as Windows given the user base count ...quiet, barely used FOSS is the way to go IMO - apps and OS that EVERYONE uses is where the "nasties" go...

I cant go off LIVE even though thats the most secure way to go, its not static, for me it has to be installed so I can save stuff.

I should be able to encrypt my SSD on a hardware level, and LINUX on a Software level (double encryption) - but I can NOT get a version of Samsung magician that will recognize my drives properly and give the options the drive IS capable of...

so software encryption will have to do
What is your threat model?

Explain-explain: Depending on what do you want to protect your computer from, you may need to apply some level of security. For example, if what is worrying you is for a laptop or drive from being stolen, encryption is fine. If what is worrying you is someone sneaking in your house and doing a hardware attack to your computer, encryption is not enouch and you shall enable secure boot, and other security measures before the operating system boots at an UEFI level. For that threat model, you shall pick your hardware very carefully, indeed. If what is worrying you is to suffer a network attack while logged on, other measures must be applied. And so on.

So: what is your threat model and how do you define security on that context?
 
As @gvisoc pointed out, to get a better answer, you need to specify a threat model. If you are running any distro and have encrypted your data drive, it's gonna be hard for me to break into, even if I steal your laptop.
Most stable and vanilla distros are about as strong as you make them. Most distros (99%) will not use telemetry. Debian is probably the best compromise as the packages are very trustworthy and it's stable and user-friendly. However, if you want harder security by default settings, you want OpenBSD, not Linux. OpenBSD is as secure as you'll get preconfigured OOTB, in fact it prides itself on secure by default.
If you are worried about hardware exploits, well, situation depending, there's little an average user can do. I can elaborate if you like, but this post's already too long. When it comes to your level of paranoia, it is likely unwarranted -- and I speak from my own personal experience as having been to that dark place myself in another life.

Now, the bottom line is this:
1) Nothing is "secure", only "more secure".
2) Unfortunately, "user-friendly" and "enterprise-level above security" do not go hand in hand. There's always gonna be a compromise.
Sorry to be the bearer of bad news (I genuinely am).

Realistically, just use pure Debian. I promise you that the NSA does not care about your lolicon or shotacon manga collection or your furry pr0n. A normal encrypted disk will suffice to keep your friends, family, and/or partner out your spank bank.
If your device is stolen, the person stealing it will boot it, see it's not Windows, wipe it, and install a pirate copy of Windows, then sell it for drug money. Neither he, nor the person buying it is going to use forensic tools to find and go through the previous owner's stuff (which will be nigh-on impossible after formatting and installing Windows over your encrypted disk). He (the buyer) is more concerned with his own spank bank and does not have the time nor inclination to look for yours.

If this is some sort of school/college hypothetical, then we can delve deep. For now, you can trust that almost all open source stuff is trustworthy because it gets audited. If you are concerned about the source of apps, don't grab a precompiled binary, build it yourself in a "sterile" environment. This pertains to your system, too, in which case you'll have to read Linux From Scratch just for starters. Like I said, security and user-friendly are pretty mutually exclusive.

Hope this helps give a realistic picture.

Securing your system:
I have never caught any malware in the over 20 years of PC use and of those, maybe 2 years at most did I have any security installed. It all comes down to not doing stupid things and minimising attack vectors.
1) Do not install or enable any external server software (ssh-server, NFS-server, etc.)
2) Do not copy+past erroneous code from the internet into the terminal unless you have enough knowledge to understand at least most of it.
3) Only use official repositories that come default with your distro.
4) Use script blockers on your browser. A preconfigured secure browser is useful. TorBB, Brave, and Librewolf are reasonable, though they are not in the Debian repos (yet), so your next best bet is FireFox with uBlock plugin or a little trust in TorBB ar least. If you want ultimate security, only view sites in text mode with a text-only browser like links. Personally, this last part is OTT.
5) Obviously do not download an run random software. Especially do not install it. Do not make install source code from places you don't trust. You can build it and run it locally. Keep away from Flatpak and Snap and similar, too. Under certain circumstances, an Appimage can be reasonably secured, see below.
6) Install firejail and block network access to apps run inside if you're worried about spying/telemetry. You can run apps quite securely in a firejail and disable a lot of functionalities. Appimages are safer than flatpak et al. for this reason.
7) Do not install WINE.
8) Do not run stuff as root, use sudo, or use doas, unless you know what you are running.
9) Obvious, but still: use a strong password. It needn't be insane, just strong. Pen and paper backup advised nonetheless (you can hide it in a scribbled block of other text if you wanna go that far).
10) Do not let other people use your PC.
 
Last edited:
All good, James

Chris
 
In the eyes of the computer, a USB stick is just another drive, like a HDD or a SSD. If you install a live distro onto a USB stick, then insert both USB sticks, and boot your computer to the live USB stick, you should then be able to partition the 2nd USB stick and install a fully functional OS on it.


I don't recommend any particular distro, because I believe that Linux is only as secure as you make it, and most mainstream distros pass the muster as far as I'm concerned.

I personally use Mint. I could encrypt my disks (mostly I don't, some I do). I could download one of many "private" browsers (I don't). I could use a VPN (I don't). But I do run firewalls. I do lock down my services. I do use fail2ban. I do use ad-blockers. I do keep backups. I don't visit questionable sites. I don't keep any private data on the laptop I travel with. I don't enable root login, keeping to sudo. Etc. etc.
@1bit the double USB worked for me, although my server isn't a live server as of yet, the principle are exactly the same..

@SlowCoder talking of firewalls, I was considering IPFire on Unbuntu, can Fail2ban be used in conjunction or is this overkill for a basic webserver? Also whats your thoughts on two-factor authentication?
 
@SlowCoder talking of firewalls, I was considering IPFire on Unbuntu, can Fail2ban be used in conjunction or is this overkill for a basic webserver? Also whats your thoughts on two-factor authentication?
Fail2Ban isn't a firewall. Fail2Ban scans logs for apparent failed login attempts, e.g. SSH, and once configured thresholds are passed, will add banned IPs to the firewall. You'll need to research if it is compatible with IPFire.
 
@SlowCoder talking of firewalls, I was considering IPFire on Unbuntu, can Fail2ban be used in conjunction or is this overkill for a basic webserver? Also whats your thoughts on two-factor authentication?
I use two-factor authentication wherever it is supported whether on opensource software which I use myself or on websites where I have accounts. I use fail2ban on all of my internet facing services if there are filters available for it.
 
I use two-factor authentication wherever it is supported whether on opensource software which I use myself or on websites where I have accounts. I use fail2ban on all of my internet facing services if there are filters available for it.
Excellent, I thought I was being overly paranoid for a basic testing web server. What firewall are you using? As I noted above, I was intending to deploy IPFire, but from what I can determine, it doesn't appear to be compatible with fail2ban.
 
Excellent, I thought I was being overly paranoid for a basic testing web server. What firewall are you using? As I noted above, I was intending to deploy IPFire, but from what I can determine, it doesn't appear to be compatible with fail2ban.
I also use mod_security for my apache installation, it should be available in the default repos of your distribution.
 
I also use mod_security for my apache installation, it should be available in the default repos of your distribution.
Thanks @f33dm3bits
 

Members online


Latest posts

Top