Securing Arch Linux. + Optimizing and Reconfiguring and stuff.

Absentinsomniac
Post: #1
I'm trying to secure Arch Linux as much as possible. The first step, of course, is going to be to encrypt fucking everything. (Except the /boot partition, because the system needs access to that to boot, which is a slight security hole, but there are very few comfortable workarounds for this, so fuck it.)

I originally set out to re-configure Arch to be as minimally set up and as conformable and clean to me as possible, which inevitably led me to ask security questions, and read the Arch security wiki article, which led me to encryption. (After re-reading all of the basics and shit to make sure I'm doing shit right.)

Anyway, this shit is fucking complicated, but doable. First I have to go create partitions. I WOULD HAVE done the following using cfdisk:

/ = Root = 20Gb
/boot = Boot partition = 100mb
/var = Logs and pacman shit = 10Gb
swap = Physical ram = 1Gb
/home = Home directory = All other space.

Except for this little tidbit:

Quote: Depending on the system demands, there may be additional partitions desired. These partitions can be individually created at this level by defining separate primary or extended/logical partitions. However, if LVM is to be used, the space unoccupied by /boot and swap should be defined as single large partition which will be divided up later at the LVM level.

So I guess I'll just make:

/ = Root = 20Gb
/boot = Boot partition = 100mb
swap = Physical ram = 1Gb

And which will be "divided up later at the LVM level" I guess lol. Following that, I'm going to encrypt everything manually before running the /setup program from the arch disk. Why? Because I can never find the right config during the installation program, so I'll just do it beforehand. It's the same anyway, and is probably, in my opinion, easier. So here's what I have to do:

Run this command so the mapper shit is loaded:

# modprobe dm_mod

Then execute:

# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/(stuff)

For each partition where (stuff) is replaced with the specific partition.

Then, of course, for some reason, I have to unlock them all using something like this:

# cryptsetup luksOpen /dev/<partition name> <device-mapper name>

Then I have to create a keyfile using this:

# dd if=/dev/urandom of=mykeyfile bs=512 count=4

And relate that to each encrypted thing using this:

# cryptsetup luksAddKey /dev/<volume to encrypt> /path/to/mykeyfile


I'm having trouble figuring out where the fuck to store the keyfile though. They keep saying shit about USB devices and shit. I don't want to have to use a USB to start my fucking computer lol. I'll update this more later.

My blog.
http://absentinsomniac.net

Edfreedom.org -- An organization for more freedom in education.
http://www.edfreedom.org/join-us/
04-15-2012 02:36 PM
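The cipher and key size passed to `luksFormat` in post #1, and the key slots that passphrases and keyfiles occupy, are all recorded in the LUKS header, which is what `cryptsetup luksDump` reports. The following is an added example, not part of any post in this thread: it assumes the LUKS1 on-disk layout, and `parse_luks1_header`, `build_sample_header` and the sample header bytes are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3    # LUKS1 marker for a key slot that is in use
SLOT_DISABLED = 0x0000DEAD
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part of the header, 208 bytes
SLOT_FMT = ">II32sII"                      # one of 8 key slots, 48 bytes each

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Return cipher settings and the active key slots of a LUKS1 header."""
    fixed, slot_len = struct.calcsize(HEADER_FMT), struct.calcsize(SLOT_FMT)
    if len(buf) < fixed + 8 * slot_len:
        raise ValueError("short read: a LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(HEADER_FMT, buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    active = [i for i in range(8)
              if struct.unpack_from(SLOT_FMT, buf, fixed + i * slot_len)[0]
              == SLOT_ENABLED]
    return {"cipher": _text(cipher) + "-" + _text(mode),
            "key_bits": key_bytes * 8, "hash": _text(hash_spec),
            "payload_sector": payload, "uuid": _text(uuid),
            "active_slots": active}

def build_sample_header():
    """Constructed sample: aes-xts-plain, 512-bit key, slots 0 and 1 in use."""
    def pad(s, n):
        return s.encode("ascii").ljust(n, b"\0")
    hdr = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, pad("aes", 32),
                      pad("xts-plain", 32), pad("sha1", 32), 4096, 64,
                      bytes(20), bytes(32), 1000,
                      pad("00000000-0000-0000-0000-000000000000", 40))
    for i in range(8):
        state = SLOT_ENABLED if i in (0, 1) else SLOT_DISABLED
        hdr += struct.pack(SLOT_FMT, state, 1000, bytes(32), 8 + i * 504, 4000)
    return hdr

if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

On a real system the same function takes the first 592 bytes of the encrypted partition, read as root; two active slots is what a volume with both a passphrase and a keyfile would show.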
Absentinsomniac
Post: #2
Herpderp, I did it differently and a lot easier than I explained in that post:

>> Insert Arch install disk.
>> Get to prompt.
>> Type in /arch/setup
>> Go through setup until you get to partitioning.
>> Partition it manually.
>> Setup for 100mb /boot, select bootable and hit enter to make this bootable.
>> Setup for 1000mb for swap (depending on how much ram you have, this might not be necessary.)
>> The rest goes to your primary.
>> Go on and manually set up your blocks and shit.
>> For /boot do ext2 and don't name anything especially.
>> For swap just do swap and don't name anything.
>> For primary go down to the crypt option and select that.
>> Then for the new thing that comes up do ext4
>> I think you're supposed to select next.
>> It'll eventually ask you for a key, type in your own key/password that's really long.
>> Type it in again exactly how you did it before.
>> Go through rest of setup.
>> You're good to go.

I'm not sure about getting a keyfile setup or w/e, but for now this is good enough. I'll work on a keyfile later.

04-30-2012 02:01 PM
Lunatic
Post: #3
Oh cool. I'd do that if I got a decent computer, because my laptop's slow as fuck already. Does it ask you for the really long password at each boot?
04-30-2012 02:12 PM
Absentinsomniac
Post: #4
Yeah. The smarter thing to do would be to set up a REALLY long keyfile that you can put on a CD and insert on boot each time, then type in a shorter but still secure password to run that. That way you need the keyfile and the shorter password to get in. I just type in a really long password every time though. It's not that hard, imo. And now I'm pretty damn sure the gov isn't going to be getting into any of my not-so-sensitive-shit.

Also, when you're setting up your primary (if you were doing this) and you select the crypt option or w/e, I named it root when it asked me what I want to name it. You don't have to name anything with the swap or /boot, but you have to name the d-crypt thing or whatever. I'd advise you to watch a youtube video/read the arch wiki page on it. The arch wiki page is pretty damn confusing to me though. Especially when it starts talking about the keyfiles.

Also, I did the overwrite thing with dd after installation into a file instead of beforehand. It was easier that way. (If you read the arch page you'll know what I'm saying, if you don't already.)

04-30-2012 03:03 PM
Lunatic
Post: #5
BUT SHIT CAN GET WRITTEN TO SWAP AND THEN THE GUVMINT CAN READ YOUR SWAP BUT THEY'RE PROBABLY TOO STUPID TO DO THAT and I'm 99.9999% sure you don't have to reinstall anything to encrypt your swap if you're that paranoid.
04-30-2012 03:11 PM
Absentinsomniac
Post: #6
^ I remember reading something about that... I should probably encrypt it. My computer never uses swap, though, because it never really uses more than 2gb of ram. All the same, that's not a risk I'm willing to take. When I get some time, I'll encrypt it. It's a shame no one has come up with a way to encrypt the /boot partition and still have it work. Seems like all you would have to do is set it up so that you type in the keyfile before it has to access the /boot partition somehow. Like after grub but before the initial boot or something. Oh well, I don't think much gets stored in boot that can compromise you anyways.

04-30-2012 03:50 PM
Lunatic
Post: #7
You could use a bootdisk instead of /boot lool
But yeah, there really isn't anything on /boot that could compromise, but having a separate bootdisk would be slightly better although also straight out paranoid and OCD-like.
(This post was last modified: 04-30-2012 04:06 PM by Lunatic.)
04-30-2012 04:05 PM
Absentinsomniac
Post: #8
Yeah, I'm not quite that paranoid. I'm not hiding anything that would be worth cracking/trying to get around my encryption anyway.

04-30-2012 11:42 PM