
Project: A trustworthy Ubuntu pen drive

Friday 12 August 2016

Hi everyone,

I am working on an idea that I'd like to share with you and maybe optimise the details and missing elements of it.

The problem: You're often at different computers either at work, at school/university or at public places and you want to check your emails or log into banking accounts/online shops on the go from a safe, trustworthy system without having to worry about your confidential data being intercepted by a compromised OS and without altering the machine you're at in any way.

The concept: You could take along a small piece of hardware that contains a system that you have set up (e.g. with an encrypted partition, password manager, pre-configured VPN tunnel) and that boots from as many different machines as possible and runs reasonably stable and safe.

With the possibility to install Ubuntu on USB drives, I got the idea to buy a small pen drive for my keychain to always have a bootable system with me from which I can access my emails and online accounts securely. I have already tested this and it has worked well in many situations, but there is still room for improvement, so I would like to reach out to you and look for ways to improve this concept.

So far, my drive looks like this:

[Image: pendrive01.png, the drive's partition layout]

sdx = A generic, bootable 16GB USB pen drive

Code:

/dev/sdx
   /dev/sdx1   4GB fat32-partition (25% of drive space, for easy measurement. Used to easily share data between all the most common systems. Since it is the first partition, it will be recognised automatically and all systems can read/write to it, handy to have. Should a computer-illiterate thief find the drive and plug it into their (most likely) Windows machine, they will only see this partition and may format/use it until the end of time without suspicion.)
   /dev/sdx2   boot-partition (unencrypted, containing the boot information)
   /dev/sdx3   ext4 Ubuntu system-partition (encrypted by LVM, containing all program and personal data including /home)
   /dev/sdx4   swap-partition (reasonably sized, depending on the remaining space of the drive, for system stability)

I have had good experiences where the system to-go and the small USB memory have come in handy, but I have also noticed inconsistencies that I would like to work on.

1. Choice of derivative: On a first thought, the logical choice would be Lubuntu/Xubuntu, as they require less resources and the USB connection benefits from all performance gains that can be achieved (especially when on USB 2.0 speed). However, both Lu- and Xubuntu sometimes do not recognise the WiFi adapters of certain laptops while vanilla Ubuntu on the exact same version will, by default. This is a huge drawback, as internet connection is, of course, an essential benefit for this system. But are there maybe better options that could even enhance compatibility?

2. Choice of kernel: Another question regarding stability/compatibility. I have not yet changed the standard Ubuntu kernel in any way. Are there Linux kernels that could work with a greater amount of hardware than the stock kernel and could they easily be installed on the drive's system?

3. Set-up/initialisation problems: I noticed that Ubuntu 14.04 and 16.04 do not boot as reliably on all devices as 12.04. I have not yet been able to pin down the exact issues. Much seems to be related to ACPI problems on certain Dell and Acer SoC-laptops or dw_dmac modules; on others the graphics are broken before or after grub. I've had success by removing the string "quiet splash" from the grub config file at /etc/default/grub and adding "acpi=off" to the grub parameters. Since the system is usually not in use for an extended period of time, this adds no problems and increases compatibility greatly. Can someone think of other changes that could benefit the potential to be able to boot reliably from as many devices as possible?

4. Concerning UEFI/Secure Boot: There are more and more new machines with UEFI and Secure Boot motherboards. I have no experience with this at all and was wondering how to ensure that the USB drive will be able to boot in UEFI/Secure Boot as well as a legacy device on older machines. Is this even possible?

5. The guest account: It would be great to be able to lend the drive to a person that is in need of a secure and trustworthy system without having to log into the main account, so an enabled guest session would be nice. However, although a system cracker finding the drive is unlikely to succeed in breaking and accessing the encrypted system partition before the owner is able to change all passwords, how secure is it to have a guest account that everyone finding the system has immediate access to? Could there be exploits that someone could use to quickly get access to personal data? Should the guest account rather be disabled in this scenario?

A small note on the remaining security issues: Having a trustworthy system is great, but there are still threats that cannot be fixed on the software side, such as malicious firmware or hardware keyloggers. Taking along a small keyboard and observing the hardware before use is an initial safety measure, but 100% security is difficult to achieve. Yet, this drive is still a better choice than a public system on which students and co-workers may browse unsafe sites and download all kinds of files when needing to quickly access online accounts or personal data.

As you are able to read, I am mainly concerned with the objective of improving the compatibility and stability of the system to make it useful in as many situations as possible and I am wondering what settings and configurations could improve the ability to boot and run from the largest amount of hardware possible out of the box.

I hope someone may benefit from my ideas and observations and I am looking forward to reading your suggestions!

If you have any advice that could improve this concept, please feel free to criticise and comment.

Kind regards!
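The grub tweak described in point 3 (dropping "quiet splash" and adding "acpi=off") applied repeatably with a script, as an added example that is not part of the original post. It edits a /etc/default/grub-style file in place, is safe to run twice, and assumes POSIX sh with sed; on the real drive, `sudo update-grub` must still be run afterwards for the change to reach the boot menu.

```shell
#!/bin/sh
# current_cmdline FILE: print the value of GRUB_CMDLINE_LINUX_DEFAULT (empty if absent)
current_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# patch_grub_cmdline FILE: rewrite GRUB_CMDLINE_LINUX_DEFAULT so that
# "quiet" and "splash" are removed and "acpi=off" appears exactly once.
# Other parameters (e.g. nomodeset) are kept in their original order.
# Prints the resulting parameter string.
patch_grub_cmdline() {
    file="$1"
    new=""
    for tok in $(current_cmdline "$file"); do
        case "$tok" in
            quiet|splash|acpi=off) ;;             # dropped; acpi=off is re-added once below
            *) new="${new:+$new }$tok" ;;
        esac
    done
    new="${new:+$new }acpi=off"
    tmp="$file.tmp"
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$tmp"
    fi
    mv "$tmp" "$file"
    printf '%s\n' "$new"
}

# Demo on a constructed sample file (not the real /etc/default/grub), so it runs
# anywhere without root. Replace the path with /etc/default/grub on the drive.
demo_file=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$demo_file"
echo "before: $(current_cmdline "$demo_file")"
echo "after:  $(patch_grub_cmdline "$demo_file")"
rm -f "$demo_file"
```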
