# [SOLVED] Disk encryption and browsing the internet

## ElleStone

http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS says:

"Now let's talk about what encrypting your system won't protect you against: . . .

Someone breaking into your system from your network (internet)."

I don't know whether this question even makes sense, but is there any way in which disk encryption protects data from being accessed while the computer is being used to browse the internet? 

Elle

Last edited by ElleStone on Tue Apr 02, 2013 4:42 pm; edited 1 time in total

----------

## eccerr0r

The problem is that in order for -you- or the hard drive to be accessed by daemons, etc., the disk has to be unlocked.  Intruders when they break in, well, their process is no different than being a daemon (since they tend to be commandeering one) or you accessing the disk.

You can try to mitigate the effects of being hacked by keeping the secure volumes unmounted and impossible to mount (i.e. you need to manually type or insert the key for it to be mounted.)  But this is only partial security.  You really have to segregate anything you don't want to be accessed on another machine that's not connected to the internet.  Sometimes a virtual machine can also help keep containment but the disk subsystems need to be kept separate.

There are some security features that could help by keeping containment, and there are even things that give a false sense of security if root is compromised but the end story is if root is compromised, all bets are off.
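The mitigation described above (keep the sensitive volume closed, and make it openable only by typing the key) can be checked against the machine's own unlock configuration. The script below is an added example, not code posted by anyone in this thread. It assumes a crypttab(5)-style file (`<name> <device> <keyfile> <options>`; Gentoo's OpenRC dm-crypt config uses a different layout) and classifies each entry by when the volume gets unlocked: by hand (`noauto`), by a passphrase prompt at boot, or unattended from a keyfile. Only the first kind stays unreadable to a process running while you are logged in and browsing. The sample crypttab is constructed.

```shell
#!/bin/sh
# Added example (not posted by anyone in this thread). It assumes the
# crypttab(5) layout:  <name> <device> <keyfile> <options>
# A keyfile of "none" or "-" means a passphrase prompt; the "noauto" option
# means nothing touches the volume at boot, so it stays locked until you
# run cryptsetup by hand. Only a volume in that last state is unreadable to
# any process (an intruder's included) while you are logged in.

# classify_entry NAME KEYFILE OPTIONS -> prints "NAME: <status>"
classify_entry() {
    case ",$3," in
        *,noauto,*) auto=no ;;
        *)          auto=yes ;;
    esac
    case "$2" in
        none|-|'') prompt=yes ;;
        *)         prompt=no ;;
    esac
    if [ "$auto" = no ]; then
        status="manual (locked until you open it; exposed only while open)"
    elif [ "$prompt" = yes ]; then
        status="boot-passphrase (unlocked for the whole session)"
    else
        status="unattended (keyfile $2; unlocked whenever the machine is up)"
    fi
    printf '%s: %s\n' "$1" "$status"
}

# crypttab_audit FILE -> one status line per entry; blanks and comments skipped
crypttab_audit() {
    while read -r name device keyfile options; do
        case "$name" in ''|\#*) continue ;; esac
        classify_entry "$name" "$keyfile" "$options"
    done < "$1"
}

# count_unattended FILE -> how many volumes are unlocked with no human action
# (grep -c exits 1 on a count of zero, which is not an error here)
count_unattended() {
    crypttab_audit "$1" | grep -c ': unattended' || true
}

# Constructed sample crypttab for a standalone run (not from a real system)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>   <device>    <keyfile>          <options>
root       /dev/sda2   none               luks
vault      /dev/sdb1   none               luks,noauto
backup     /dev/sdc1   /etc/keys/backup   luks
EOF

crypttab_audit "$sample"
echo "volumes unlocked unattended: $(count_unattended "$sample")"
rm -f "$sample"
```

Run it against `/etc/crypttab` with `crypttab_audit /etc/crypttab`; anything not reported as `manual` is readable by every process on the box for as long as the session lasts, which is the point eccerr0r is making.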

----------

## The Doctor

No, you have opened your encryption to use the computer. Of course, if you have sensitive files in an unmounted, encrypted partition they would be safe(r).

The warning here is that encryption is not the end of security. It is the beginning. You should look into iptables, Intrusion Detection, and safe browsing strategies if you have concerns. I would also recommend that you may want to read the security handbook for advice on securing your system.

EDIT: I see I wasn't quick enough.

----------

## ElleStone

*Quote:*

> Sometimes a virtual machine can also help keep containment but the disk subsystems need to be kept separate.

What does "the disk subsystems need to be kept separate" mean?

*Quote:*

> There are some security features that could help by keeping containment, and there are even things that give a false sense of security if root is compromised but the end story is if root is compromised, all bets are off.

So one goal is to protect root from being compromised. Another goal is to protect the user's data from being compromised? Data usually being more important than the actual operating system?

I've read through the Gentoo security handbook several times. The handbook seems to be addressed primarily to people who are running a server and/or administering a network of computers with several or many users. This seems to be true of just about all documentation on the internet for securing Linux. 

I find it very difficult to "translate" the documentation for securing and administering a network to "ways to increase security when installing Linux for a single user", when the only "network" is the connection to the router that connects to the internet. Can anyone point to documentation aimed at such a user?

As an aside, I followed all the links in the Gentoo security handbook. These links are either dead or lead to resources that are possibly outdated:

ftp://ftp.isi.edu/in-notes/rfc2196.txt is a dead link (https://www.ietf.org/rfc/rfc2196.txt links to what appears to be the intended resource). Possibly outdated (written in 1997).

http://www.kerneli.org/ is a dead link.

http://www.lids.org/ hasn't been updated since 2010. Their user forum is being used for "other" purposes. Is the software still valid/maintained/useful?

http://www.rsbac.org/ hasn't been updated since 2011. Still valid?

http://www.nsa.gov/selinux leads to an error notice.

http://sourceforge.net/projects/wolk/ hasn't been updated since 2009 and applies to linux-2.4

http://www.djbdns.org/ redirects to things like ww 3.d jbd ns.o rg and domains. g oo gle syn dication. com (I put in spaces to hopefully keep these links from being actual links).

Elle

----------

## khayyam

*ElleStone wrote:*

> *eccerr0r wrote:* Sometimes a virtual machine can also help keep containment but the disk subsystems need to be kept separate.
>
> What does "the disk subsystems need to be kept separate" mean?

ElleStone ... what eccerr0r is saying is that with a virtual machine the "guest OS" can be separated from the "host OS" but to keep the two separate the "host OS" should not allow its disks to be accessed via the "guest OS". But anyhow, this is somewhat beyond the question as this is not likely the droid you're looking for.

*ElleStone wrote:*

> *eccerr0r wrote:* There are some security features that could help by keeping containment, and there are even things that give a false sense of security if root is compromised but the end story is if root is compromised, all bets are off.
>
> So one goal is to protect root from being compromised. Another goal is to protect the user's data from being compromised? Data usually being more important than the actual operating system?

I'd see them as all part of the same goal, the only reason that root is mentioned is that root has greater privileges, and so someone gaining root access has (under normal circumstances) full access to the system/resource/data, whereas a standard user doesn't.

Going back to your original question, the reason for encrypting the HD is not so that the data is protected from all possible access, but so that should the machine be stolen, or lost, then the data on disk is protected from those who might otherwise read off any sensitive information. Like any form of "security" it's layered, preventing the theft, or loss, is equally part of the equation ... so security cables for laptops, not leaving your bag unattended, etc, etc. Other security measures are no different, they are one link in an often very long chain.

*ElleStone wrote:*

> I've read through the Gentoo security handbook several times. The handbook seems to be addressed primarily to people who are running a server and/or administering a network of computers with several or many users. This seems to be true of just about all documentation on the internet for securing Linux.

This is true, but in part this is due to the fact that a server, or network, is generally more exposed than a client machine. The more users there are, and the more accessible the machine/network, the more that the system admin needs to be concerned about it. This is what's commonly called 'vectors', the more users, services, and exposure to other machines, the higher the vector for possible intrusion and/or data exposure, etc, etc. So, in turn more links in the chain are required.

*ElleStone wrote:*

> I find it very difficult to "translate" the documentation for securing and administering a network to "ways to increase security when installing Linux for a single user", when the only "network" is the connection to the router that connects to the internet. Can anyone point to documentation aimed at such a user?

This is partly because the whole field is complex, it's too often that people have a false sense of security if some 'wonder app' is installed, or they follow some instructions somewhere. Again, a number of layers, links in the chain so to speak, are required, and even with these in place there are no guarantees. Some solutions ... like gentoo-hardened ... have many complementary components, but they require the user to understand what, and how, it works in order to configure, use, and maintain, and for this reason they are mostly used in specialised environments.

Anyhow, enough of the abstract ... in order to know what security to implement you first need to answer what it is you're protecting, and against what, because "ways to increase security when installing Linux for a single user" is just too wide a subject ... there are any number of things that might fit into that remit. If one looks at most of the vectors for virus infection, and/or trojans, etc, then the OS plays some part, with linux being fairly low on the table of risk, so you have some level of "security" provided by the fact that most viruses are not targeting your OS, and that the OS has some level of privilege separation in place. On top of this one could begin by looking at the widest entry points, which is probably the browser (java, javascript, and other interpreters/plugins, which run anything thrown at it from mostly untrusted sources) ... so, you could install and configure noscript, https-everywhere, disable, and/or limit, java, block ad-servers and/or known bad hosts, through various methods (firefox provides some google feature to do some of this, but I'm less likely to trust google and mozilla to do this and so that opens another area in which you'd have to do some research). While this offers some level of separation there is still the fact that firefox/chromium is running as your user, and some might suggest to separate the user from any possible ingress ... more possibilities, more work, and more research.

Next, protecting the machine from any number of network intrusions ... a simple iptables firewall like net-firewall/firehol will probably suffice, but you could do far more complex ingress/egress filtering ... more possibilities, more work, and more research. You might be beginning to see a theme here, there are just too many factors to consider, and a lot of background knowledge required to make it comprehensible, but again, much of this depends on what it is you're protecting, and against what ... and how much free time you have on your hands :)

As this knowledge is generally acquired over time then it's just a matter of working from the point of your current understanding, and building on it. There isn't a bullet proof method of securing anything, but you're probably in a better starting position than most ...

best ... khay

----------

## ElleStone

eccerr0r, Doctor, khayyam, thanks very much to all of you for clarifying that encryption and security while browsing the internet aren't really connected. Linux security is a topic I keep coming back to, each time trying to learn a little more. What you've said raises other questions, but I've marked this question as solved.

Elle

----------

