155

I am looking to make a clean install of a Debian system on my home desktop. To clarify, I am switching from Windows and wish to use it as my day-to-day home OS - I'm not going to be running any servers or anything like that.

I also have reason to believe that some members of my household (who have physical access to my machine) would try to gain access to it, and look through my data or possibly even install a keylogger.

For the purpose of this question, please ignore the social aspects, except for the fact that I cannot act openly confrontational, so e.g. locking my room to prevent anyone accessing my PC is not an option.

The people I want to protect against are technologically literate; they know their way around linux even if they may lack much experience with it, and if something can be found with some googling and takes maybe an hour or two of messing around then it's most likely going to get attempted. That said, I am pretty certain that acquiring specialist equipment is not something they would bother with, which means that I don't have to worry about most hardware attacks, e.g. a keyboard keylogger or bug on my mobo / RAM sniffer / whatever.

One other thing is that I have a Windows 7 system to which they have admin access (so it can be considered compromised). This is one of the reasons I am switching to Linux; however, I'd like to keep a dual-boot system rather than removing Windows outright. I am aware that this would allow an attacker to outright nuke my Linux partition, and that is a risk I'm willing to take.

I am not concerned with securing my Windows system. I am aware it's compromised and don't really care what happens to it. As I mentioned, other people have accounts on my Windows system and occasionally use it (for legitimate reasons!). I am certainly looking to secure my Linux installation, but preventing access to Windows has no point unless it contributes to the security of the Linux part of my machine. In fact, I'd rather avoid limiting access to Windows if possible because I don't want to appear paranoid or create conflict in the household.

Full-disk encryption will prevent anyone from actually accessing my data from outside my Linux installation itself, which should then take care of both the Windows system and even make booting from a USB drive mostly useless (I am quite certain that the people in question do not have the resources or the motivation to decrypt a well-encrypted drive). I will also need to password-protect the single-user mode, of course.

What other things would I need to do to secure my system? I am handy with the command line and willing to get my hands dirty, but I have limited Linux experience and fragmentary knowledge of computer security. The choice of Debian is largely arbitrary and I would have no problem trying out a different distro if it would be better in my case. If there's anything I've missed, or if you have tips on things I mentioned (e.g. best practices for disk encryption?), then I would be glad to hear them.

I do not believe this question is a duplicate because all of the other questions I found on securing Linux on this site concern themselves with remote attackers and protection against viruses and exploits. They certainly have good answers but that is not the kind of information I am looking for here.
Another question was brought to my attention when my post was flagged as a duplicate. However, that one asks in general whether their machine is secure when others have physical access to it; the answers to it generally boil down to "Physical access = game over" and provide some tips to mitigate various attacks (including things such as rearview mirrors on your monitor). Many of those tips are not applicable here, since I am aware that unlimited physical access means the machine isn't mine anymore in theory, and hence I provide some limitations to the attackers in my threat model which fit my personal scenario.

Boris
  • 73
    Why not just disconnect hard drive, boot into Linux live environment from a USB, then store anything on an external HDD full disk encrypted? Use TrueCrypt so you can potentially use 2 passwords (dummy and real). – k1308517 Jun 15 '16 at 11:03
  • 4
    Start with the [Securing Debian manual](https://www.debian.org/doc/manuals/securing-debian-howto/). – user Jun 15 '16 at 13:25
  • 70
    "who have physical access to my machine" There is an old saying in IT, Physical access equals game over. Good luck, but you're probably wasting your time. – Little Code Jun 15 '16 at 13:59
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/41248/discussion-on-question-by-boris-hardening-linux-desktop-machine-against-people-f). – Rory Alsop Jun 16 '16 at 09:19
  • 55
    When you distrust your housemates so much, perhaps the best security measure would be to cease co-locating with them. In short, move house. – spender Jun 16 '16 at 16:06
  • 2
    They do not need to access your computer to see what are you doing on the internet :) As long as they have access to the router. Which I assume they do since they already have admin access to your windows system. – Ubaidah Jun 16 '16 at 18:30
  • 3
    Possible duplicate of [How can I protect my computer from my potentially malicious colleagues?](http://security.stackexchange.com/questions/6150/how-can-i-protect-my-computer-from-my-potentially-malicious-colleagues) – D.W. Jun 16 '16 at 20:29
  • 3
    This is already pretty well covered by a bunch of other questions here: http://security.stackexchange.com/q/6150/971, http://security.stackexchange.com/q/2613/971, http://security.stackexchange.com/q/2463/971, http://security.stackexchange.com/q/10354/971, http://security.stackexchange.com/q/85373/971, http://security.stackexchange.com/q/112976/971. – D.W. Jun 16 '16 at 20:31
  • 1
    Make sure to protect against hardware attacks. Debian can be secured with FDE and such, but what if they simply plug in a small hardware keylogger between your computer and your keyboard? – André Borie Jun 16 '16 at 21:43
  • 1
    Make sure they don't simply attach a mini-camera to your computer. The best way to make sure a system is secure is trying to hack into it. Also, why does your family want your info so badly? – noɥʇʎԀʎzɐɹƆ Jun 16 '16 at 23:49
  • 39
    Have to admit, my first thought was "tired of your parents coming down to the basement and checking your browser history, huh?" – brichins Jun 17 '16 at 21:04
  • 1
    The best security is physical - Buy an SSD with a nifty external USB case. Install your linux and data partitions there. Set your machine's BIOS to boot from USB as top priority. Hide the SSD when not in use. Never use the internal HDD, which is very slow compared to SSD anyway (Linux boots in under 5 secs). To be extra covert, install the same version of linux on the HDD as a red herring, and load up the browser history with pictures of Nixon and kittens. –  Jun 20 '16 at 01:36
  • 1
    @DominicCerisano USB will be a much more limiting factor than the type of hard drive inside the enclosure. – Criggie Jun 20 '16 at 01:45
  • 2
    Not an answer, but: if you cannot be confrontational because you don't have any proof, consider gathering it. For example with your own keylogger. – Dennis Jaheruddin Jun 20 '16 at 09:32
  • 2
    @Criggie it depends on the speed of USB and drive. Most external drives are slower than USB 3.0’s throughput, but many SSDs are faster than USB2.0. – törzsmókus Jun 20 '16 at 20:41
  • @Criggie a good SSD is around 400MBps and USB3.0 is 640MBps. A good HDD is only around 200MBps. Internal drives are very old hat and insecure - the space and cost can be repurposed for better graphics. External storage is just getting faster, cheaper, smaller and is physically more secure. –  Jun 21 '16 at 19:39
  • 1
    If the attacker has 20 second access to your running and unlocked computer, he can do the following: download a script from the web, the script would detect and kill the screen saver, start a modified screen saver which accepts an additional password, start a background server which accepts shell commands over TCP, and modify startup scripts (possibly the X11 profile script) to start the background server and the modified screen saver at startup. -- So you don't want to have your running computer unattended. – pts Jun 21 '16 at 20:10
  • "since I am aware that unlimited physical access means the machine isn't mine anymore in theory" - That's not in "theory". It is what really happens in practice. Doesn't matter what kind of limitations you _think_ your attacker has - if they have physical access, you already lost. – T. Sar Jun 29 '16 at 17:42

23 Answers

101
  1. Use a strong and difficult password for the root user. Secondly, always log in and work from another user with no administrative rights (and also a strong password).

  2. Enable the BIOS password option. Every time you power on your computer, the BIOS itself will ask you for a password before even booting on. It will also prevent everyone from applying changes to the BIOS setup.

  3. Encrypt every partition of your hard drive (check cryptsetup for Debian - if it can't encrypt your Windows partition, too, use TrueCrypt (from Windows for your Windows))

  4. Watch out for external hardware devices connected on your PC (like USB sticks or hubs) that you haven't used before. Someone might have plugged in a keylogger or something.

  5. Always lock or power off the machine when you are away.

  6. Software hardening:

    Install gufw (GUI for the iptables firewall which is pre-installed) and block incoming traffic. Also install rkhunter and check your system for known rootkits and other threats from time to time.

That's all I can think of right now. If you have any questions feel free to comment below.

Chris Tsiakoulas
  • 2
    Thank you for your answer! I have a couple questions: 1) Is disabling root login a good idea, or does it change anything at all? 2) Is it worth encrypting the Windows partition, just to secure the Linux installation? Because at this point I know that Windows is compromised and don't really have any interest in trying to secure it; I'm only concerned about the Linux part. – Boris Jun 15 '16 at 11:44
  • 8
    Don't forget the grub password. And locking the root account altogether. – Blue Jun 15 '16 at 11:46
  • 13
    "Enable the bios password option" - this doesn't provide much security. Legacy BIOSes usually had a service password (e.g. AWARD_SW in case of some Award BIOSes), some UEFIs have them too. Getting into BIOS/UEFI Setup allows you to boot any OS from pretty much any device. You have to use HDD encryption because of that, because otherwise the attacker can boot some live Linux distro, mount the disks and there goes your privacy. – Jakub Jun 15 '16 at 11:49
  • @Blue: See my new edit to the OP; I don't care what happens to Windows. Is it still a good idea to set up BIOS and Grub passwords? – Boris Jun 15 '16 at 11:52
  • @Boris It should prevent any other people from booting into live disks (like Kali) that will try to break disk encryption. Also, for grub, you don't have to set passwords on all entries (https://help.ubuntu.com/community/Grub2/Passwords) – Blue Jun 15 '16 at 11:57
  • @Blue That's good to know, I'm definitely gonna look into that. Thanks for the advice. – Boris Jun 15 '16 at 12:00
  • 4
    Using TrueCrypt on windows solves nothing. If anything it creates a problem as he does Windows gaming (it slows down computer). – k1308517 Jun 15 '16 at 12:19
  • Disabling root login will let you be root only when needed (along with anyone else). Not letting everyone become root means that fewer people can perform serious tasks all over the machine. Well, if you don't care about your Windows, let it be. Windows doesn't recognise ext file systems anyway. And even if someone downloads some utility for that, they will have a hard time decrypting your volume. – Chris Tsiakoulas Jun 15 '16 at 13:41
  • 9
    As for the BIOS passwords, if the attacker has physical access they most probably can simply unplug the PC, remove the CMOS battery, cycle the power switch, wait a few seconds, plug back and get in. – arul Jun 16 '16 at 00:39
  • 1
    @arul True -- not without OP noticing it, though. – Federico Poloni Jun 16 '16 at 14:24
  • 2
    BIOS password is useless with physical access, as you can just short two pins (basically the same as removing the battery) and the password is cleared. – Stephan Bijzitter Jun 16 '16 at 14:27
  • You can access ext file systems inside windows!!!!! Care about it. It's an attack vector. – coteyr Jun 16 '16 at 14:42
  • 11
    BIOS password is useful, but not for intrusion prevention but for intrusion detection. For an attacker It's trivial to reset BIOS, but next time you try to log in, you'll notice that the password prompt is gone or your old password no longer works. All that assuming that your particular BIOS has no backdoors, like @Ushuru said. – Agent_L Jun 16 '16 at 14:52
  • 1
    @coteyr That's what #3 (encrypted partitions) is for – Izkata Jun 16 '16 at 20:11
  • The more security constraints applied the better. Even if some are easily bypassed or not, they still will need effort and knowledge from an intruder's side. Discouraging an attacker is not a standalone option, but still an option. – Chris Tsiakoulas Jun 16 '16 at 20:22
  • Debian actually supports LUKS filesystem encryption, and you can set them up when you originally install, you just have to build your partition table manually. There is a nice walkthrough here: http://www.tecmint.com/install-debian-8-with-luks-encrypted-home-var-lvm-partitions/ – Drunken Code Monkey Jun 17 '16 at 00:00
  • 2
    Since the question states "other people have accounts on my Windows system and occasionally use it (for legitimate reasons!)" I'm guessing a BIOS password isn't an option, since it would prevent legitimate use of the Windows partition by other users. – Ajedi32 Jun 17 '16 at 14:03
  • I actually thought of it, but I thought it would be better to give him lots of options and let him exclude some. – Chris Tsiakoulas Jun 17 '16 at 14:52
  • @Ajedi32 In most BIOSes you can choose between a BIOS password for booting or to protect BIOS setup access. In this case you must remember to disable all boot media except the disk you are booting from in the BIOS setup. – Dubu Jun 17 '16 at 16:06
  • 1
    I don't know any disk encryption which even attempts to secure against this threat model. Usually disk encryption products do not attempt to protect integrity of the data on disk whatsoever. If the encrypted data has been mangled, they will happily decrypt whatever is on disk and hand it to the next layer up the stack without reporting any errors. Moreover they frequently assume the attacker can only achieve an image of the disk at one point in time. If the attacker can mirror your disk more than once, you have lost. – kasperd Jun 18 '16 at 12:09
  • 3
    Buy an SSD and an external USB case. Install your Linux and data partitions there. Prioritize USB in the BIOS startup. Unplug and hide the SSD when not in use. To be extra non-confrontational, install the same Linux on the HDD. Load that account's browser history with kittens. Disguise your SSD in a stuffed toy. –  Jun 20 '16 at 02:49
  • 1
    Damn @Dominic Cerisano! Are you CIA or something? That was a good one! – Chris Tsiakoulas Jun 20 '16 at 07:35
  • Check out https://github.com/dkopecek/usbguard to blacklist/whitelist usb devices – Dog eat cat world Jun 22 '16 at 22:03
98

I hate to be this guy, but

Law 3:

If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

You are asking how to best lock a plywood door. People are giving you very good suggestions for locks, but none of them matter since your system is physically vulnerable and your attackers are competent. They will just use an axe (or in your case, a screwdriver).

user1717828
  • 16
    Like I mentioned in the OP, these types of attacks don't need to be considered. They're extremely unlikely to happen, and in any case to defend against them I'd have to wear not just a tinfoil hat, but a tinfoil bodysuit, and at that point I agree it might be easier to just move out into my own apartment and get a completely new PC. Which I'm not prepared to do at this point in time. – Boris Jun 15 '16 at 21:24
  • 11
    +1 this is the only real answer. @Boris "these types of attacks don't need to be considered" I think you're mistakenly believing that any form of attack that might succeed would be extremely difficult or obvious that the attack was done. That's simply not true. You cannot truly secure something against an opponent who has unlimited time to sit there and figure out how to break it. –  Jun 15 '16 at 21:35
  • 3
    @Boris *Like I mentioned in the OP, these types of attacks don't need to be considered.* - You said they're technically literate, familiar with Linux, and would spend a couple of hours attacking you, and they have compromised your existing OS. But they won't point a phone at your keyboard for ten minutes to record you typing your password? – TessellatingHeckler Jun 16 '16 at 00:30
  • 154
    This answer wrongly implies that any security less than total security is useless. Actually, locking a plywood door can be quite useful sometimes. – dan1111 Jun 16 '16 at 06:54
  • 34
    In particular, locking a plywood door will not prevent attacks, but it will make them noticeable. And while physical access allows attackers to format your harddisk bypassing full-disk encryption, this will also be very obvious. Given the remark about nuking the Linux partition from Windows, the threat here is not attacks, but _undetected_ attacks. – MSalters Jun 16 '16 at 09:06
  • 1
    @Boris Solution to them opening the case up and putting some hardware in (even if you're not concerned, this should be pretty easy): superglue the screws in. Again, not impossible to attack, but will be *noticed* if it is. – ArtOfCode Jun 16 '16 at 14:15
  • @ArtOfCode That's fine but then how am *I* going to open my case? E.g. to change or upgrade things, or if something breaks. – Boris Jun 16 '16 at 15:05
  • 62
    Once I asked my dad why we put a lock on our bicycles when we go on vacation, a thief could just bring wirecutters. He told me they "keep honest people honest." A locked door can keep the mildly curious out in the same way the safeguards from the other questions can keep the lazy and not-so-interested out of your computer. – Captain Man Jun 16 '16 at 16:18
  • 4
    @Boris Don't use glue. Use [glitter nail polish on the screws and take a picture of it](https://www.wired.com/2013/12/better-data-security-nail-polish/). – Dubu Jun 17 '16 at 16:01
  • 13
    @MichaelB: Because mitigation is helpful. Solutions are imperfect, security is a tradeoff, attackers have limited time and resources. An answer that says "give up, you can't do this" just repeats kitschy advice for cheap upvotes without really examining the real issues at stake here with any depth or nuance. – Dietrich Epp Jun 19 '16 at 16:02
  • 3
    @DietrichEpp I think the accepted answer here is a good answer, and should be accepted, because it does give solutions to the question asked. However I - personally - feel that the accepted answer would be considerably weaker if this wasn't the second answer. The two together create an answer that says 'these are the practical steps of what you could do, but underneath those practical steps, remember this core problem'. It's not saying give up, it is describing the actual problem that exists. – Michael B Jun 19 '16 at 16:56
  • This is an over-generalisation and very simplistic and defeatist point of view. Some security is better than no security. Absolute security does not exist. The fact that certain attack vectors are potentially viable does not impair the usefulness of other security measures. A threat assessment will help work out how much effort is required to secure the host. – Pedro May 05 '20 at 13:20
70

Depending on the performance you require and money you are willing to expend, a removable "Live USB" or completely bootable normal system on a USB "hard drive" (a small ssd would work great) might be an ideal solution considering your "unique" constraints of needing high security against local attackers. It would allow you to just leave the compromised windows system in place, and create a Linux system on a removable device that you can keep with your person. For lowest cost you can use a very cheap thumbdrive. Spend a little more on a fast thumbdrive or a more robust USB SSD and you can achieve reasonable performance for most applications. Encrypting it is a good idea in case you are separated from it, but given that it's always with you and it constitutes the entire OS it is safe from local attacks.

Jeff Meden
  • 16
    This seems the best approach to me; they can't tamper with what isn't there, and the computer itself is completely unmodified relative to its current situation, so there's no indication you secured anything. The entire current PC (including your compromised Windows install) acts as a nice decoy. As for a Debian install, ensuring no network services are running at all will go a long way. Remove the `rpcbind` and `nfs-common` packages. In case you install SSH, secure it properly (meaning: only allow public key authentication). – marcelm Jun 15 '16 at 17:20
  • 3
    Wouldn't that still be vulnerable to a hardware keylogger? – 0xFF Jun 15 '16 at 17:27
  • 6
    @fhlamarche the OP stated the mitigation did not need to account for hardware keyloggers. However, it would be easy to conduct a basic check of the USB ports when attaching the external storage, in order to rule that out (assuming you are not concerned with very well hidden ones i.e. completely modified keyboards) – Jeff Meden Jun 15 '16 at 17:54
  • 3
    A USB 3.1 PCI-e card (if your system doesn't already have 3.1) and a USB 3.1 external SSD would eliminate the performance issue. – cas Jun 15 '16 at 21:42
  • Using UNetBootin, you can add persistent space to it, to allow files saved in the standard place. very useful. – Tim Jun 16 '16 at 19:22
  • 2
    These days you can get a whole computer on an HDMI stick and just take it with you everywhere you go: http://www.digitaltrends.com/computing/best-stick-pcs/ – Matthew Lock Jun 17 '16 at 03:07
  • 2
    @MatthewLock yes if some money can be spent there are lots of options for him, they even have these little portable PCs that are complete, with a screen and everything, you just open it up and it's ready to use, even on your lap! ;-) – Jeff Meden Jun 17 '16 at 12:48
  • @JeffMeden A hardware keylogger could be inside the computer case. – user253751 Jun 19 '16 at 01:56
  • 1
    Aren't there ways of infecting the host machine's BIOS? This could then infect the portable hard drive, no? – jpmc26 Jun 20 '16 at 01:26
  • I used to use this distro. https://tails.boum.org/ – Jammin4CO Jun 20 '16 at 15:51
  • @Immibis it would actually be pretty challenging to conceal it inside the case and also hide it from the OS, since it can't sit between the keyboard and the host like most off the shelf loggers do. You would need a device that could tell the OS to send it all keystrokes without setting off any red flags. I suppose you could install a new USB port on a slot cover that was wired to a logger, but that would be obvious to the outside. – Jeff Meden Jun 23 '16 at 15:00
  • @JeffMeden If the keyboard is connected to a front USB port, the internal USB cable can be cut and connected to the keylogger. – user253751 Jun 23 '16 at 20:59
  • @immibis true, a good protection is to always use onboard ports directly attached. Noticing the cables coming from the front instead of back (if someone moved them for this attack) would be pretty easy. – Jeff Meden Jun 24 '16 at 12:30
  • I wonder if it's possible to install the OS on the system, and then make it read-only, and put only changed files on the USB. Even if they install a keylogger, the keylogger is saving _to the USB_, so the attacker would be unable to access the results. – Mooing Duck May 05 '20 at 20:53
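The comments on this answer recommend running no network services at all on the Debian install (removing `rpcbind` and `nfs-common`, locking down SSH). As an added example, not code from the answer or its commenters, the following script audits which listening sockets are actually reachable from the network. It reads the output of `ss -Hltun` on stdin and flags every listener not bound to loopback; the function names `list_exposed_listeners` and `sample_ss_output` are this example's own, and the sample `ss` lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the answer or comments: an audit of listening
# sockets that are reachable from the network, to back up the advice to run no
# network services. It reads the output of `ss -Hltun` (listening TCP and UDP,
# numeric, no header) on stdin and reports every socket not bound to loopback.
# Assumed names: list_exposed_listeners and sample_ss_output are this example's
# own; the sample lines are constructed, not captured from a real machine.

# list_exposed_listeners < ss-output
#   prints "<proto> <local addr:port> <process>" per network-reachable listener;
#   returns 1 if any were found, 0 if everything is loopback-only
list_exposed_listeners() {
    awk '
        # ss -Hltun columns: Netid State Recv-Q Send-Q Local Peer [Process]
        {
            addr = $5
            sub(/:[0-9]+$/, "", addr)          # keep the address, drop the port
            if (addr ~ /^127\./ || addr == "[::1]") next
            found++
            printf "%s %s %s\n", $1, $5, ($7 != "" ? $7 : "-")
        }
        END { if (found) exit 1 }'
}

# constructed sample of what `ss -Hltun` prints on a box with a few services
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0 128  127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=612,fd=7))
tcp   LISTEN 0 4096 [::1]:631      [::]:*    users:(("cupsd",pid=612,fd=6))
tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128  *:111          *:*       users:(("rpcbind",pid=433,fd=4))
udp   UNCONN 0 0    0.0.0.0:111    0.0.0.0:* users:(("rpcbind",pid=433,fd=5))
EOF
}

# stand-alone run: audit the constructed sample; on a real machine use
#   ss -Hltun | list_exposed_listeners
if sample_ss_output | list_exposed_listeners; then
    echo "no network-reachable listeners"
else
    echo "network-reachable listeners found: review or remove those services"
fi
```

On the sample, the two CUPS sockets bound to 127.0.0.1 and [::1] pass, while sshd on 0.0.0.0:22 and rpcbind on *:111 and 0.0.0.0:111 are reported; the process column tells you which package to remove or reconfigure. Running the audit once after installation and again after each `apt` upgrade catches services that a package pulled in without you noticing.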
25

There are some things to consider that differ from all the answers previously given: what you're looking for is privacy, not security.

While they seem very similar, the goals of each are different, and the ways to implement each are different. If you were looking to implement security, you would remove other users' admin access, lock down each users' account, and put protections in place to prevent abuse. This, of course, comes at the cost of usability.

Now for the privacy solution. Since you're only looking at protecting your information while leaving everyone else intact, there are 3 major attack vectors to address (assuming you move to Linux as you planned):

  1. Data at rest (on the hard drive)
  2. Data in motion (on the network)
  3. Protection while the device is on (firewall)

For data at rest: You will want to use some sort of encryption. This will prevent anyone who doesn't have the key/password from looking at any data that you are saving. There are plenty other answers that cover this topic, so please refer to them for specific implementation details.

For data in motion: I would recommend buying a VPN service (or setting one up externally if you have the resources). This will encrypt and protect all traffic coming to and from the box. Not only does it protect traffic, but it also protects traffic inference based on connection information. For example, SSL encrypts all traffic between you and the site you're visiting; however, if someone sniffs your traffic and sees facebook.com in the initial request, while they don't know what you're sending to Facebook, they know you're doing something on Facebook. A VPN would tunnel all traffic through its server before sending to the internet, effectively removing this leakage.

For protection while the device is on: Assuming that all hardware attacks are out of the picture (such as keyloggers or cameras), the only area the machine is exposed is the Ethernet. If there is a service turned on that has a vulnerability, it would be possible to attack that service from the network and gain control of your machine (within that few hours of Googling you assumed). To protect against this, you'll want to set up a firewall. On Debian, iptables should do just fine. On any incoming traffic, you'll want to block everything that is not RELATED or ESTABLISHED. To restrict things even further, you could block all traffic that is not coming to or from your VPN. In this way, it almost completely removes any attack surface, and will take an attacker much more dedicated than your roommates to break.

Here's a sample of the options to use with iptables to set up the limitations:

```shell
# run as root; the five rules below are explained one by one after the listing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# replies from the VPN endpoint on connections this machine opened
iptables -A INPUT -s [VPN IP] -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything this machine sends to the VPN endpoint
iptables -A OUTPUT -d [VPN IP] -j ACCEPT
```

And what each is doing:

  1. Drop all packets coming into the machine
  2. Drop all packets being routed through the machine
  3. Drop all packets being sent from the machine
  4. Allow packets from the VPN IP that were created from connections that already exist (ones you made to the VPN) to be processed
  5. Allow any packet being sent to the VPN from your machine

You could also only allow the specific ports the VPN uses to even further limit the attack vector. It is important to note that you will be unable to access the internet except through your VPN, so make sure that is set up and working before you apply these changes.

Once all these are applied, the box should be nearly impossible to break into either while you're using it, or while you're away, by the people trying to look at your data.

Disclaimer: This assumes attacks on your infrastructure. Social engineering and similar attacks are much more difficult to prevent.

Qwerty01
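As an added example, not code from the answer, here is the "VPN only" policy the answer describes written out as a shell function a practitioner could actually put on a desktop. It keeps the answer's idea (drop by default, talk only to the VPN endpoint) and adds what a day-to-day machine needs: loopback traffic, an allow for the tunnel interface that the inner packets traverse before the VPN client wraps them, the VPN's port rather than any port (the refinement the answer mentions), and rate-limited logging of what gets refused. The function name `apply_vpn_only_rules`, its parameters, the `IPT` dry-run variable, the address `198.51.100.7` (a documentation address) and the interface `tun0` are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer: a "VPN only" iptables policy as a
# shell function. It keeps the answer's idea (drop by default, talk only to
# the VPN endpoint) and adds what a desktop needs in practice: loopback,
# an allow for the tunnel interface the inner packets use, the VPN port
# instead of any port, and rate-limited logging of what gets dropped.
# Assumed names: apply_vpn_only_rules and its parameters are this example's
# own; 198.51.100.7, 1194 and tun0 below are placeholders for your own VPN.
# Set IPT=echo to print the commands instead of applying them (dry run);
# applying for real needs root and the iptables package.

# apply_vpn_only_rules VPN_IP VPN_PORT [PROTO=udp] [TUN_IF=tun0]
apply_vpn_only_rules() {
    vpn_ip=$1
    vpn_port=$2
    vpn_proto=${3:-udp}
    tun_if=${4:-tun0}
    ipt=${IPT:-iptables}

    # start from an empty filter table
    $ipt -F
    $ipt -X

    # default policies: nothing in, nothing routed through, nothing out
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # loopback: D-Bus, X11, local resolvers and most desktop apps rely on it
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # packets the connection tracker cannot classify are never wanted
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # the encrypted outer traffic: only the VPN endpoint, only its port
    $ipt -A OUTPUT -d "$vpn_ip" -p "$vpn_proto" --dport "$vpn_port" -j ACCEPT
    $ipt -A INPUT  -s "$vpn_ip" -p "$vpn_proto" --sport "$vpn_port" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # the inner traffic: whatever leaves through the tunnel interface is already
    # protected by the VPN, and replies come back the same way
    $ipt -A OUTPUT -o "$tun_if" -j ACCEPT
    $ipt -A INPUT  -i "$tun_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # log refused inbound packets (rate limited) so probes show up in the journal
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-only drop: "
}

# stand-alone run: dry run with placeholder values, nothing is applied
IPT=echo
apply_vpn_only_rules 198.51.100.7 1194 udp tun0
```

Review the dry-run output, then run the function with `IPT` unset as root. Two practical points: the VPN endpoint must be given to the VPN client as an IP address (or resolved before the rules are applied), because with this policy no DNS query can leave the machine outside the tunnel; and the LOG lines land in the kernel log (`journalctl -k`), which is where to look if an application stops working after the rules go in.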
18

Here is an all inclusive solution since you stated you were not worried about hardware/USB/physical attacks. Install Virtualbox/VMWare/Other on your desktop. Go about creating your guest and put that guest on a removable USB key. When you're done with your work, power off the virtual machine, remove the key, and it's a wrap.

There are plenty of other methods you could go about this as well including creating a TrueCrypt hidden container, then installing your guest inside that container. That raises a red flag if someone is snooping: "Oh so he is hiding something now... Must find!" Versus taking your operating system with you. You could do this on a USB key, removable drive, or you could boot into a throwaway system (Kali, bootable Linux), save data to the cloud (Dropbox, etc), and worry little about the operating system since it will be booting off of a DVD, and be a fresh install every time.

As for services: running 1000 services means nothing if all the services are free from vulnerabilities. What is there to access, and how? Strong passwords are always key, but imagine the worst-case scenario here. Keystroke logger on Windows... It will defeat your guest security since you are typing through the host. The best option would be to boot into a bootable distro, leveraging the cloud to save/store data, or a removable disk.

munkeyoto
  • This is the best answer for the most security - but might be inconvenient. the next answer would be more convenient, but less secure (albeit, still very secure). It depends on how paranoid you are... (or need to be). – Stone True Jun 15 '16 at 13:15
  • 3
    This does nothing to protect from the possibility of a well hidden remote access Trojan that will record/relay all activity, thereby giving up his confidential information even though he has it in his possession the entire time. Further, if they were even more diabolical, they could keylog and also silently duplicate his USB drive while he is sitting there, giving them later unfettered access to a snapshot of his system and data. Any situation involving a compromised hypervisor is a complete non-starter. – Jeff Meden Jun 15 '16 at 14:54
  • 28
    How does virtual box defeat a key logger or traffic sniffing from Windows 7? – Patrick Trentin Jun 15 '16 at 15:53
  • 2
    The biggest problem I see with this answer is that you're suggesting that I create my guest from my (compromised) Windows machine. (If you meant something else, then it's not clear from your current wording.) In an extreme scenario, I could then consider the entire system I created to be compromised; more realistically, it would at least alert anyone watching that I'm trying to hide something. Now, a full Linux partition is a lot more obvious of course, but it's also a lot less suspicious - hey, I like the OS! Much less likely to prompt investigations than the creation of a live-bootable USB. – Boris Jun 15 '16 at 17:14
  • @PatrickTrentin I can think of nothing on a guest defeating a host based keystroke logger hence me stating: "bootable linux/bsd" distro. – munkeyoto Jun 15 '16 at 17:15
  • @PatrickTrentin I mentioned two solutions in the event he is on a workstation with no CD/DVD that would enable him to use a bootable. Being I offered an alternative it was only proper to mention the risk associated with going that route (using virtualbox/vmware/etc) – munkeyoto Jun 15 '16 at 17:28
  • 1
    The part with the virtual machine only makes sense if you put windows inside the box to limit its access to linux files/partitions. Or did I miss something? – hkBst Jun 16 '16 at 06:09
14

I like the answers that suggest you run Linux from removable media. It hides the fact that you're taking precautions from your not-so-nice house mates. There are a few problems with it, though, from a practical standpoint. You're sacrificing drive speed and space, but what's more important is that carrying your whole operating system around with you is cumbersome. You'll forget the drive at school/work when you need it at home. You're prone to lose all your data if you misplace your removable OS disk or drop it one time too many.

If you don't mind tipping your house mates off with the presence of an encrypted partition on your computer, there's an easier way that gives you the same amount of security, without the problems.

If you install Linux on your internal hard drive, obviously you need to encrypt all your Linux partitions. However, you can't encrypt the boot partition which contains the kernel, so I'd suggest that you copy the boot partition to a removable (and, ideally, write-protectable) USB drive and always boot your system from the USB drive. So even if somebody messes with the (unencrypted) kernel, initial ram drive or even the boot loader to get a software key logger into your system, it won't matter because you're bypassing the messed-up boot process by booting from your (hopefully) clean USB drive.

You might want to take a hash of the two boot partitions (the one on the HDD and the one on your USB stick) and check now and then whether the partitions changed, just to know whether someone is in fact trying to mess with you. In fact, you could automate this, having an init script on your encrypted root partition check both the boot partitions and warn you if one of them changed. This way, you can be reasonably confident that your boot partitions are fine even if you don't always keep your boot USB drive under close surveillance.

Only having to keep the bootloader, kernel and initial ram disk on the USB drive makes this solution a bit more practical. Also, it's not immediately obvious that your USB stick contains a bootable kernel if you fill the drive with some harmless folders, though of course it won't pass anything but the most rudimentary inspection.

This all assumes your adversaries won't be able to infect your computer's BIOS with a key logger, in which case all bets are off, but if they knew how to do that and went to such lengths, you've lost anyway.

Having said all that, are you sure it wouldn't be simpler, more effective and especially better for your well-being to address the social issues that clearly exist in your household?

A few pointers as to how to implement this (in answer to Boris' comment):

I haven't done such a setup myself, so I can't give you step by step instructions. However, here's a few pointers:

  1. Start by installing a normal Linux distribution on your hard drive with an encrypted root partition. If you need multiple partitions, use an underlying encrypted LVM so you only have to enter your password once, not once for every partition. You'll need to provide a small (say, 200 MB) unencrypted boot partition which will contain the boot loader, the kernel and the initial ram drive. The Ubuntu and Debian standard installers let you do all this quite easily.
  2. Make sure the system boots and then encrypt your swap partition if the installer doesn't let you do that already (haven't tried any recent installers). There are various step-by-step instructions available on the internet; simply google for encrypted swap.
  3. Now to getting your boot partition onto a USB stick. The difficult part is getting the kernel to boot from the USB flash drive (which I think doesn't boot like a regular external USB drive). Probably the easiest way would be to use the standard installer again to put another whole installation of the same distribution on the USB stick. I did something close to that before and it worked fine (though I seem to remember I had to jump through some hoops - I used an Ubuntu distribution and I'm not sure if I used the standard Ubuntu installer or a customized Ubuntu live system), and of course actually using the flash drive system is a bad idea, since it will constantly write to your USB disk (mostly /var/log/ messages) and ruin the stick in just a few weeks (happened to two of mine). Make sure you can boot that second purely-on-a-flash-drive system from the USB flash drive.

  4. Now that you have a working, bootable kernel on the flash drive, all you need to do is change the flash-drive system's root partition. It's pointing to the root partition on the flash drive, but you want the flash drive kernel to use the root partition on your internal hard drive. To change this, you need to unpack the initial RAM drive on the USB flash drive, which should be sitting on the boot partition on the flash drive and be called something like initrd.img-xxxxx, copy over /etc/fstab from your internal hard drive's root partition to the extracted initrd, and repack the initrd. Again, modifying initial RAM drive images is covered by various tutorials on the net. Note that an easier way might be to simply replace the initrd.img file on your USB flash drive with the one sitting on the boot partition on your HDD. But I haven't ever tried this, so I don't know if it would work.

  5. Once you've done this, you should end up with a flash drive which boots from the flash drive but uses your internal HD's root partition. You can then clean out your flash drive; the only stuff you need to keep on it is the boot loader, kernel and initial ram drive (basically, everything under /boot).

  6. Alternatively, you can install a "live distribution" on the USB flash drive and tinker with it until you get it to use your internal HD's root partition. However, this is probably much more difficult, because live distributions are set up so they use overlay filesystems that write to RAM instead of the flash drive, to prolong the flash drive's lifetime. So you'd have to yank this out, too. Plus you'd have to ensure you use a live distribution with a kernel version that's compatible with the system on your internal HD's root partition.
  7. As to the building of hash checksums for your boot partitions, assuming you know your boot partition's device name and it's /dev/sda1 for the internal boot partition and /dev/sdb1 for the flash drive partition, building a hash can be as simple as

       $ sha256sum -b /dev/sda1 > hd-boot-fingerprint.sha256
       $ sha256sum -b /dev/sdb1 > usb-boot-fingerprint.sha256

     This will build a fingerprint of the whole partition and should therefore pick up changes to your boot loader. I'm not sure about the protocol used to boot USB flash drives; on internal hard disks, you should also build a fingerprint of the first megabyte of the disk because that's where the master boot record and the first stage of the grub boot loader are often kept:

       $ dd if=/dev/sda of=first-meg.dd bs=1M count=1
       $ sha256sum -b first-meg.dd > first-meg-fingerprint.sha256

     Once you have these fingerprints, you can periodically recalculate them and compare the calculated new fingerprints to the originals.

user2428118
  • 2,768
  • 16
  • 23
Out of Band
  • 9,150
  • 1
  • 21
  • 30
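One way to automate the fingerprint check from item 7 (and the init-script idea earlier in the answer), added here as an example that is not part of the original answer: a small Python script that hashes the whole boot partitions and the first megabyte of the disk, stores the reference digests, and on a later run reports which targets changed. The device names in `real_targets()` are assumptions taken from the answer's own layout; the demo uses constructed temporary files in place of /dev/sda1, /dev/sdb1 and /dev/sda so it runs offline, and checks that a change beyond the first megabyte of the disk is correctly ignored.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read block devices a megabyte at a time


def sha256_of(path, length=None):
    """SHA-256 of a file or block device; only its first `length` bytes if given."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            want = CHUNK if remaining is None else min(CHUNK, remaining)
            chunk = f.read(want)
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def take_fingerprints(targets):
    """targets maps a label to (path, length_or_None); returns label -> hex digest."""
    return {label: sha256_of(path, length) for label, (path, length) in targets.items()}


def save_fingerprints(fingerprints, store):
    """Write the reference digests as JSON (keep `store` on the encrypted root)."""
    with open(store, "w") as f:
        json.dump(fingerprints, f, indent=2, sort_keys=True)


def verify_fingerprints(targets, store):
    """Recompute every stored digest and return the sorted labels whose digest changed."""
    with open(store) as f:
        expected = json.load(f)
    current = take_fingerprints(targets)
    return sorted(label for label in expected if current.get(label) != expected[label])


def real_targets():
    """The devices named in the answer; assumed names, adjust to your own layout."""
    return {
        "hd-boot": ("/dev/sda1", None),       # whole internal /boot partition
        "usb-boot": ("/dev/sdb1", None),      # whole /boot partition on the stick
        "hd-first-meg": ("/dev/sda", CHUNK),  # MBR plus GRUB stage-1 area
    }


def demo():
    """Offline run on constructed stand-in files; returns the labels reported as changed."""
    with tempfile.TemporaryDirectory() as d:
        hd, usb, disk = (os.path.join(d, n) for n in ("sda1", "sdb1", "sda"))
        with open(hd, "wb") as f:
            f.write(b"constructed /boot: vmlinuz + initrd " * 1000)
        with open(usb, "wb") as f:
            f.write(b"constructed USB /boot: vmlinuz + initrd " * 1000)
        with open(disk, "wb") as f:
            f.write(b"constructed MBR and GRUB core " * 100000)  # roughly 3 MB
        targets = {"hd-boot": (hd, None), "usb-boot": (usb, None), "hd-first-meg": (disk, CHUNK)}
        store = os.path.join(d, "boot-fingerprints.json")
        save_fingerprints(take_fingerprints(targets), store)
        assert verify_fingerprints(targets, store) == []  # nothing touched yet
        # Simulate someone replacing part of the initrd on the stick.
        with open(usb, "r+b") as f:
            f.seek(100)
            f.write(b"TAMPERED")
        # A change past the first megabyte of the disk is outside the fingerprint and must not be reported.
        with open(disk, "r+b") as f:
            f.seek(2 * CHUNK)
            f.write(b"TAMPERED")
        return verify_fingerprints(targets, store)


if __name__ == "__main__":
    print(demo())  # ['usb-boot']
```

Run it as root from an init script or a systemd unit that starts after the encrypted root is mounted, with the JSON store and the script itself living on that encrypted root, so that whoever can edit the unencrypted /boot cannot also edit the reference digests. The check tells you that something changed, not what; when it fires, treat both the kernel on the HDD and the stick as suspect until you have re-created them from a trusted source. Note that a fingerprint check run by the booted system only detects tampering; the protection in the answer comes from booting the clean USB copy, which is why the check is a tripwire rather than the defence.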
  • I actually really like this answer. Do you have some tips or resources explaining how it would be done? – Boris Jun 16 '16 at 15:11
  • I expanded on my answer, see above. However, I've gotten really curious about the social situation you're in. I know you said to ignore all that, but would you mind divulging whether you're a teenager trying to keep your parents from spying on you? Some of the posters here seem to assume so, and while I strongly believe in everyone's right to privacy regardless of age, I am concerned that fixing your problem with a technical solution will keep you from addressing the social issues, which might make your situation worse in the long run if you are in fact dealing with parents, not peers. – Out of Band Jun 22 '16 at 21:35
  • Alright, why not. Yes, I am in fact a teenager trying to hide from my parents, as you put it. The reality is that when I got my first PC at about 10 or so, I was really irresponsible, so my parents started enforcing strict parental controls including a keylogger (one marketed at family monitoring, actually). Years later, and it survives to this day, and still sees some use time to time. Now, I have a work laptop which they obviously have no access to, and a smartphone with 4G which basically allows me to bypass anything my parents could do to block or spy on me, but on my main PC I still... – Boris Jun 22 '16 at 22:30
  • ...have that keylogger. Since I was thinking of moving to Linux anyway, I was curious whether that could be used to secure my machine from my parents more or less comprehensively. (I also plan to only move out after I finish university and get a stable job, by which point I'm going to be ~22+ years old.) I am almost certainly not going to bother putting my entire system on an external drive; if my parents decide to go all NSA on me then I would probably really, really need to talk to them. Your solution seems really interesting so I might implement it mostly out of interest. – Boris Jun 22 '16 at 22:34
  • 1
    And while most of the answers are actually of not much use to me as mentioned just above, apparently 129 (at the time of writing) people thought this was a good question, so I'm basically leaving it as it is. By the way, I'm seriously considering accepting your answer since it was the most helpful to me, but unlike the current accepted one it details only one method (albeit a great one) and so might be less generally applicable to future visitors. Since this is my first question, what is the etiquette here regarding changing the accepted answer and accepting an answer with relatively few votes? – Boris Jun 22 '16 at 22:38
  • I don't care about my answer getting accepted. I posted it after you accepted another one, and I'm not in it for the reputation, so no need to change that. Glad if my solution works for you. Note I posted another one about getting a very cheap second computer which might also be a fun project. You might also be interested in www.torproject.org (probably does protect you from the NSA :-) ). Thanks for satisfying my curiosity and (not wanting to go all parental on you, but still...) as a parent myself, I hope you and your parents will be able to build up some trust again in the future. – Out of Band Jun 22 '16 at 23:04
  • Maybe start by asking them nicely to remove the keylogger, as you're now older and wiser; and then see what happens ;-). – Out of Band Jun 22 '16 at 23:13
12

You can not secure the system under the conditions in your question.

No matter what, with physical access to your machine there is no security. With the exception of the BIOS password, every countermeasure on this page could be circumvented by booting into rescue mode (in one form or another).

The BIOS password is easy to reset. It's usually a jumper or battery removal.

The most likely answers involve removable media. If you run Linux off a USB hard drive, and always keep it with you, there's not much for them to break into. But again, with physical access they could adjust your boot order and you're back to square one.

Your only real recourse is to address the underlying problem of trust and access control.

p.s. Disk encryption will help, but it won't be a 100 % solution, because they have access.

coteyr
  • 1,506
  • 8
  • 12
  • 1
    Many (most?) systems nowadays do not reset BIOS passwords by CMOS battery removal. My old Lenovo W510 ThinkPad, e.g., can't be reset in that way and it's getting outdated. – user2338816 Jun 16 '16 at 23:28
  • 2
    However, some BIOSes show a code after several failed attempts, and you use this to call the vendor to have them send over a reset key. See also [bios-pw.org](https://github.com/bacher09/pwgen-for-bios), which can calculate the key for a few vendors. – kirb Jun 17 '16 at 07:53
11

Just buy a notebook and carry it around with you.

If you don't want other people to check your data, don't leave your data near them.

If any part of your machine is compromised, everything on your machine is compromised. Hacking hardware is not necessarily expensive and you don't really know how far this person would go to get access to your data. The best way to avoid leaks on this machine is to stop using it altogether.

As many people told you - physical access equals game over in the security world. Don't store sensitive or private data on a machine you share with people you don't want accessing your data.

T. Sar
  • 538
  • 3
  • 9
  • 4
    Since physical access is unpreventable, your idea of removing physical access is excellent, and thinking outside the box of the question. – Criggie Jun 20 '16 at 01:51
  • "if *any* part of your machine is compromised, everything on your machine is compromised" - if the Intel Inside sticker is compromised by being scribbled over with a permanent marker, then not everything is compromised. – user253751 Jun 21 '16 at 05:19
  • 3
    @immibis Damaged is Not the same as compromised. If you do manage to somehow hack the sticker to act as a keylogger, then yes, your machine is compromised! – T. Sar Jun 21 '16 at 10:11
8

Not sure why nobody has mentioned this yet (maybe I don't understand the site that well).

Put a camera in your room (one WITHOUT wifi capabilities). Get your linux system set up, casually mention it to your housemates in passing conversation. Record them breaking into your personal computer and reading your information. Have them arrested and fined, use the compensation money (if there is any) to help move out. Or, get the housemate thrown out for A), a serious breach of the law, and B), not respecting your privacy. Breaking into someone's personal computer is tantamount to stealing.

This is the easiest solution to me. Set a trap. The best defence is a good offence.

John
  • 89
  • 1
  • 11
    The scenario sounds like a child securing a computer against his parents, in which case getting them arrested isn't a viable plan. – MSalters Jun 16 '16 at 09:10
  • What makes you think that the OP is a child? – Mawg says reinstate Monica Jun 16 '16 at 13:12
  • 16
    While the OP doesn't mention it, the social factors certainly fit this scenario, for example not being able to lock the door to the room. Open confrontation is specifically mentioned as not possible by the OP, which I'm pretty sure covers trying to get them arrested. – paulw1128 Jun 16 '16 at 14:08
  • 1
    Firstly I don't see why you are ruling out keyloggers. It would be trivial to hide one inside the keyboard/mouse/pc/any other device. Secondly if they are parents or something like that then arn't they going to see you using this locked down other system and demand access to it whatever measures are taken? – JamesRyan Jun 18 '16 at 01:14
5

I would get two USB sticks. The first would have the capability to be set as read-only at the hardware level with password protection, and the second would be either a normal stick or a PIN-enabled stick (but these tend to self-destruct if the wrong PIN is entered a few times, so beware...).

Install your operating system on to the first stick, and configure the second stick to use full disk encryption. Set up your partitions such that anything that requires write access can be stored on the second stick, such as /home. Once fully configured, and locked down with secure passwords, set the USB stick as read only.

This will protect you from everything except physical keyloggers or leaving your system powered on/unlocked while you walk away. The read-only OS means that single-user mode would be useless as a form of attack, as you can't write anything to the OS stick while it's locked, and the second stick can't be read without the decryption password, protecting all sensitive data.

phyrfox
  • 5,724
  • 20
  • 24
4

This would be my plan of action:

  1. Lock down the BIOS by adding a BIOS password to the setup. I would not add a startup password to allow users to use the computer without my supervision. Disable automatic booting from USB, CD and network.
  2. Force boot from USB/CD and install Linux with an encrypted home folder and encrypted swap on the hard disk. If possible, I would attempt to keep the system partition on a very fast USB disk but if you still need performance, this is not possible. If you take this option, consider configuring Linux to load the entire system into RAM on boot.
  3. Done!

Every time I wanted to use my computer, I would shut it down and check for hardware keyloggers. Then I would connect my USB disk (assuming the system was installed on a USB disk) and force boot from USB to boot the system. This reduces the attack vector significantly:

  • Nobody can view my personal files (they are encrypted).
  • Nobody can modify the Linux OS to include a keylogger (the OS is on my USB disk or the BIOS is locked to make accessing the Linux partition more difficult)

Remember to always shut down the computer when you are away from it to prevent cold boot attacks.

It's also very difficult to notice that you are hiding something with this setup. The home partition is difficult to see and access from Windows. In the case that they gain access to the home partition, they see a bunch of random looking files with random filenames holding random information. Assuming Linux is installed on the USB disk, they don't even see another operating system!

Installing Linux with a separate home and system partition is very simple but I will not cover it for now. Add a comment if you need this information.

nulldev
  • 141
  • 3
  • how does shutting down your PC prevent a cold boot attack? – RozzA Jun 17 '16 at 07:20
  • 1
    A cold boot attack is an attack used to recover your encryption key directly from memory. Shutting down your PC prevents someone else from shutting down your PC and immediately rebooting it into their memory dumping program. I don't think that anybody will walk in front of you immediately after you shut down your computer and try to recover your keys as you would get suspicious. – nulldev Jun 17 '16 at 11:39
4

Also, I forgot to mention. If you want to set a BIOS password, and depending on how much hassle you want to go through, you could invest in a case that has a lock for the side. While that wouldn't entirely prevent intrusion, it would prevent people from tampering with it if they didn't want to be detected. That way they can't just remove the CMOS or access the motherboard/jumper in order to reset the BIOS password.

You could also Kensington lock that thing to the desk if you don't want that disappearing out of your room when you're not around. Not sure what lengths these folks will go to in order to access your data.

ted123
  • 41
  • 1
4

I encountered the following ages ago from somebody who was excessively paranoid:

Full disk encryption where /boot was on removable media and the master password had to be entered from a grid display so that the keystrokes that corresponded to the letters of the master password changed every time the computer booted.

My personal recommendation involved here calls for the boot media to be a CD-R marked by hand with a sharpie so that you can tell if somebody tries to swap it. (You can store it just fine in its case right next to the computer this way.)

The original recommendation involved /boot being a floppy you took with you (it's that old).

Joshua
  • 1,090
  • 7
  • 11
  • Despite all that, all it would take is someone to modify the computer with custom boot software or hardware that would steal the contents of the removable /boot for later use to present the user with a fake password entry screen to steal their password. If the hardware isn't secure it's hopeless. The hijacking boot program would say something like "Booting from USB" but it wouldn't actually be the BIOS printing that message. – Alex Cannon Apr 19 '18 at 16:23
  • @AlexCannon: Replacing the contents of the system BIOS to be able to do this is beyond the range of almost everybody. Most major computer manufacturers use signed BIOS now. Muhahaha. – Joshua Apr 19 '18 at 16:56
  • All you have to do is unlock the CMOS password and then configure it to boot off of a hidden USB drive or such. Then it steals a small copy of the real boot drive and then chain loads it. It only causes a small delay that the user may not notice. – Alex Cannon Apr 20 '18 at 15:06
  • @AlexCannon: You mean you don't use F12->choose boot media every time? – Joshua Apr 20 '18 at 15:08
3

I did some admin-work in the past in a company where past admins didn't leave many notes. But there was hardware that was vital, connected to the networks, and not trustworthy. From that experience I can tell you that the old saying is right: if you have physical access and are determined, game over is only a question of time investment. You can make it harder to compromise your data without you noticing, but that's just more time to spend for the attacker.

One attack vector you might not have thought about yet: Instead of a hardware keylogger, a determined attacker could install a tiny video camera to get your passwords. Or, depending on the keyboard, a cheap microphone recording your keypresses might be enough. One innocent call on your cellphone while you're typing the super-secret password...

So the only real solution is to limit physical access, and I can see only very few ways to achieve that in your scenario:

  1. As mentioned in other answers, take the system with you, e.g. on a usb stick. Encrypt it and wear it on your neck or lock it up when you sleep.
  2. Encrypt your Linux partitions but use a script to change the password every time. Use a separate device (your phone?) to re-generate that password. It could either be synchronized or it could capture some image your pc generates and use that to synchronize and re-generate the password. That's how some banks protect their online banking. Protect this second device with the same rigor as you would a usb-based system.
  3. Store your data on remote servers where you can see when files were accessed, and from which locations. Post-Monitor the accesses closely (from an independent, secure location). This will not give you protection, but it will give you proof. Access the data from a Live DVD only. Again: protect that Live DVD as if it were writeable.
  4. Use a different PC in a different location altogether.
  5. Only work on paper and burn that paper after you use it. Make sure it burns completely and doesn't leave indentations on the sheets below like in the movies.
  6. Become a genius and run Linux in your head. But don't take drugs, don't let yourself be kidnapped, and make sure nobody slips something into your drinks.
  7. Just use the PC, but relocate with it into a new household.

Also don't forget to protect your backups, your usb sticks, and anything else you plug into your PC. Especially when choosing option 6.

MarLinn
  • 238
  • 1
  • 5
  • 1
    My thought also, that he should move his actual *computing and data* into the cloud. Access via the LiveDVD and also implement a Yubi key, or equivalent. – Paulb Jun 18 '16 at 12:53
3

Other folks had some great ideas. I didn't read down to determine whether or not this was already mentioned, so I apologize if it has been. I know you mentioned you cannot physically lock the door to your room, but how about working solely off of an external hard drive, encrypting it, and locking that up elsewhere, in a lockbox or safe or something like that? Then hide the key or make sure it is on your person at all times.

You could even go as far as to put a small lockbox containing the external encrypted hard drive in the glove compartment of your car. Then lock up your car. Then that's up to 4 obstacles (decrypting data, key for lockbox, key for glove compartment, key for car) these hackers would have to go through to access your data (depending on if you have the same key for the compartment as for the door to your car).

As others mentioned, working entirely off of a live CD is a great idea.

ted123
  • 31
  • 1
  • 1
    I think an SSD would survive the vibration of being in a car better than a physical spinning HD. As for the heat from being parked in the sun all day, probably bad for both. – Xen2050 Jun 16 '16 at 09:48
  • @Xen2050 Nonoperating HDDs are commonly rated to a few hundred G at low frequencies, so that's not really much of a problem. (Check the data sheet for your particular one if you are curious.) Shock while operating is commonly far less. As for temperatures, I agree. – user Jun 16 '16 at 20:26
3

I see lots of people mentioning that physical access is game over. While this is true given a well resourced attacker, there is a defence against less well resourced ones: Qubes OS and antievilmaid.

https://www.qubes-os.org/

Qubes is essentially Xen running Fedora VMs (you can have other VMs, including Debian and Windows).

antievilmaid is a program which uses the TPM (hardware security module) to encrypt a secret, then, on boot, decrypt it and present it to you. The key for this encryption is derived from hashes of ROM, boot loader, etc. If something in this list is changed, the hash changes, and your secret cannot be decrypted. So your computer identifies to you as you boot, telling you "I have not been changed since you encrypted your secret".

Qubes has the ability to map all USB controllers to a separate VM, so someone plugging in a USB keylogger would end up keylogging an inactive VM while you're happily typing away on dom0, which forwards to the active VM. The USB VM will never be active, as its role is to just sit there and control the USB controllers. If you need a USB port, you can temporarily forward it to another VM.

Since the Qubes partition will be encrypted, you don't need to worry about Windows users dumping the partition. Attempts to modify the boot loader to log the disk passphrase will cause antievilmaid to fail to present your secret to you, since the bootloader will hash to a different key.

user36303
  • 131
  • 1
  • 1
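The measured-boot principle behind antievilmaid, shown as an added example that is neither part of the original answer nor code from the Anti Evil Maid project: Python that emulates a TPM PCR extend over constructed stand-ins for the ROM, bootloader, kernel and initrd, derives a sealing key from the resulting PCR value, and seals a secret so that it only unseals when every measured component is exactly what it was at sealing time. The XOR-with-SHAKE-256 plus HMAC construction is a stand-in for the TPM's own sealed-blob format, chosen so the script runs with the standard library alone; the component contents and the secret are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the components a measured boot hashes, in boot order.
BOOT_CHAIN = [
    ("rom", b"firmware image (constructed)"),
    ("bootloader", b"grub core.img (constructed)"),
    ("kernel", b"vmlinuz (constructed)"),
    ("initrd", b"initrd.img (constructed)"),
]


def extend_pcr(chain):
    """Emulate a TPM PCR: start at zeros, then pcr = SHA-256(pcr || SHA-256(component))
    for each component in boot order. A change anywhere in the chain changes the result."""
    pcr = bytes(32)
    for _name, blob in chain:
        pcr = hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()
    return pcr


def sealing_key(pcr):
    """Key bound to one PCR value (stands in for the TPM keeping the key internal)."""
    return hashlib.sha256(b"seal-key|" + pcr).digest()


def _keystream(key, n):
    # Toy cipher for the demo; a TPM would hold the sealed blob itself.
    return hashlib.shake_256(b"stream|" + key).digest(n)


def seal(secret, chain):
    """Encrypt `secret` under the key for the current measurements; returns (ciphertext, tag)."""
    key = sealing_key(extend_pcr(chain))
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def unseal(blob, chain):
    """Return the secret if the measurements match those at seal time, otherwise None."""
    ct, tag = blob
    key = sealing_key(extend_pcr(chain))
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # boot chain differs from when the secret was sealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def demo():
    """Seal with the trusted chain, then try to unseal after the bootloader was replaced.
    Returns (unsealed_ok_on_trusted_chain, unseal_refused_on_modified_chain)."""
    secret = b"only you know this phrase (constructed)"
    blob = seal(secret, BOOT_CHAIN)
    trusted = unseal(blob, BOOT_CHAIN)
    modified = [(n, b"grub core.img, modified (constructed)" if n == "bootloader" else b)
                for n, b in BOOT_CHAIN]
    return trusted == secret, unseal(blob, modified) is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point for the defender is the second value: once the bootloader bytes differ, the PCR differs, the derived key differs, and the secret never appears, so you know not to type your disk passphrase. What this scheme gives you is detection of a changed boot chain before you enter anything, not prevention; it says nothing about a hardware keylogger between keyboard and machine, which is exactly the gap the comments below point out.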
    I just bought a keylogger and put it between the keyboard and the computer on a day you happened to not check (assuming you were in the first place). For under $50, I got all your account and decryption passwords despite Qubes' security measures. – Qwerty01 Jun 16 '16 at 01:38
  • I don't mean to say this is a bad answer, but physical access most certainly is game over. – Qwerty01 Jun 16 '16 at 01:38
  • Hmm, point, yes. I guess it's a lot easier for desktop computers too. But the question does say physical access is a hard prerequisite, so... – user36303 Jun 16 '16 at 07:10
  • @Qwerty01: Would you like to try plugging that into my laptop keyboard? – Joshua Oct 28 '17 at 02:11
2

Apart from what others said (Live CD, full disk encryption etc), the following are some precautions.

(1) Download your Linux distro on a trusted computer. Don't do that on your Windows system because the ISO image may get replaced/infected/amended secretly. Don't just trust checksums (checksum utilities can be fake, too).

(2) Sign on your Live CD/DVD/USB stick. I mean, put a physical signature on it so that you can check whether you are having your data storage device. It is not hard to prepare a Live CD/DVD with a fake operating system. Using a write-once-read-many CD/DVD is the best option.

(3) Don't type on physical keyboards. If you know some programming you can write your own on-screen keyboard. Don't use qwerty layout. Instead, create a custom layout which only you know. Don't paint the characters on the keys. As long as there are no characters being shown on the keyboard, it is useless for your household members to record what you type by a hidden video camera. Remember to use that custom keyboard only when you are typing in password fields (in which characters are replaced by other symbols such as dots) so as not to reveal your layout.

(4) Use a key obfuscator. A key obfuscator dispatches random key events in the background. If keyloggers are present, they will receive all the random keystrokes, which means it is much harder to recover your credentials.

tonychow0929
  • 2,247
  • 3
  • 13
  • 14
2

Another idea:

You could buy a cheap single-board computer (think Raspberry Pi). The Pi 3 is fast enough to replace a desktop PC if you're only browsing the internet and watching movies etc and costs about $40.

It's powered by a USB phone charger cable (or another computer's USB port) and supports HDMI output. It's small enough that you can hide it in a sock :-) or carry it around in your jacket pocket. It's probably even safe from hardware keyloggers, because you can immediately see any manipulation, since it's just a single board. It boots from a micro SD card, which is so tiny that you can hide it basically everywhere (or put it in an old smartphone or camera). You can easily modify the initial ram disk on the SD card so that the system uses another root partition - e.g. one on an external USB drive (this is something you should seriously consider because SD cards aren't made for running write-intensive operating systems on them). Plus if you don't want to or can't hide the Pi, you can easily explain its presence - and the fact that you're suddenly using Linux - by saying that you want to tinker with the Pi - buy some additional cheap connector cables, a breadboard and LEDs for a dozen bucks or so and look at some cool easy projects you can do with the Pi that make LEDs blink. You can then use two SD cards for booting; the secret one you use when you want privacy, and the public one you use as a decoy which only contains a standard Raspbian image and some blinking-LED projects.

This solution doesn't even touch your Desktop system, gives you much better control over the hardware (the only remaining hardware danger is your keyboard) and is pretty much immune to any readily available software malware (because it's an uncommon hardware platform). Plus it is easily explainable because lots of people love to tinker with a Pi, so if you're even remotely the type who'd be interested in anything like that, here's your perfect explanation of why you're suddenly interested in owning a second computer running only Linux.

Out of Band
  • 9,150
  • 1
  • 21
  • 30
  • "the only remaining hardware danger is your keyboard", you could get a roll up or at least very slim portable keyboard and carry it and your Raspberry Pi in a tote bag. – pilkch Feb 27 '17 at 01:57
1

While it might be in theory impossible to prevent an attack given physical access, you can do a lot to limit the physical access to what matters, thus limiting the attack vectors.

I think your best option would be a custom Linux boot CD plus an encrypted USB stick for storage. Many distros make creating a custom CD fairly easy, including Arch and Gentoo. A security-focused distro might also be an option, like Kali or Ubuntu Privacy Remix. Even a normal boot CD like Knoppix is probably sufficient in many cases if you are not dealing with attackers with unlimited resources.

The primary benefit of a security-focused or custom CD is the ability to tweak how the drivers work, allowing you to prevent loading drivers to potentially compromised hardware. While there are still risks, the difficulty involved in, for example, hacking the BIOS is substantially greater than the vast majority of casual attackers are capable of.

Of course, you should always be aware of the hardware. Use a wired keyboard, never wireless; even better, use one you can prevent access to by unplugging it, like a portable tablet keyboard. Ensure no foreign peripherals are installed and that the internals of the system have not been tampered with before booting. Any USB or FireWire device, PCI card, and indeed any hardware you are not certain of is a potential attack vector.

Be careful of network and internet. You should assume you are subject to ARP poisoning and take measures such as blocking all non-encrypted traffic.

To a degree, this is a question of how committed and skilled the people you are trying to keep out are. If you're trying to keep out a nebby wife who Googled "keylogger", the measures you need to take are substantially different than if your roommate works for Chinese computer intelligence.

And of course, a benefit to the boot CD + tablet keyboard + USB stick approach is that, depending on the context, the attacker might not notice this is even being done. You could easily keep around dummy installs that you "use" occasionally to keep up appearances.

1

Use a hot-swap cage for your hard drive, and remove the hard drive when not in use. Take it away with you or keep it in a safe place.

Such a drive can be connected to the usual SATA connection. Unlike with USB, you do not lose your speed and it can be any capacity. The OS can boot from this drive no problem - and they really cannot get anything from your computer when you take the drive away.

h22
1

Most of the answers are overcomplicating this on the software aspect.

If you set the CMOS password to prevent BIOS changes and lock the boot drive, lock the bootloader, set a login password, do a little research on any commonly forgotten login screen bypass hacks, and you don't forget to lock your session when you walk away, then there is practically no way anyone can get in through software, be it GNU/Linux or Windows.

I know you said you are not interested in protecting against attacks that require custom hardware or highly advanced attacks, but if you did, you would want to disable any Firewire ports since those give DMA access, and possibly disable USB plug and play just to be safe from exploiting USB driver bugs.

So if they want to gain access to your computer they'll just get into the hardware. So set it up for full disk encryption. Then you may want to have a lockable chassis and configure the chassis intruder switch to wipe the encryption key from memory and erase the rest of RAM.

If you think they may pick the chassis lock or modify your keyboard, then make your keyboard and chassis tamper evident by getting some good stickers with your signature or such on them that will rip apart if your keyboard or computer chassis is opened. Make sure they're good so that heating them up with a hair dryer won't defeat them. You could also use something like sealing wax and a custom stamp. Putting wax by the stickers would reveal if they've been heated. You'll have to get in the habit of checking the integrity of the tamper evident features each time you turn on your computer. Otherwise they could put some kind of cheap DMA hardware in there or some external PCIe attachment that lets someone retrieve your disk encryption password from memory. Or they could clear the CMOS password and reconfigure your BIOS to boot up a full disk encryption password stealing tool and wait for you to come enter it in.

Make sure that your screensaver unlock password is different from your full disk encryption password. Otherwise, if they image your encrypted hard drive, they could then get your password from you by presenting you with a fake unlock screen. By the time you enter your password and find that the unlock screen was a fake, it may have already sent your password to them over the network.

Make sure they don't monitor your keyboard by having a hidden camera pointing at it.

Verify everything you download in case they do something to the local network that adds malware to downloaded files.
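The last point of this answer, verifying downloads against tampering on the local network, as an added shell example (not code from the answer): a checker for one file against a SHA-256 hash, and for a SHA256SUMS-style list of the kind distros publish, counting mismatches and missing files. The file names in the stand-alone run are constructed. The expected hashes have to come from a channel the local network cannot rewrite, such as the distro's signed checksum file verified with gpg; comparing a download against a hash fetched over the same path proves nothing.

```shell
#!/bin/sh
# Added example: detect a download that does not match its published SHA-256.
# Assumes coreutils sha256sum; the "<hash>  <name>" line format is the SHA256SUMS layout.

# verify_download FILE EXPECTED_SHA256
#   returns 0 on match, 1 on mismatch, 2 if FILE does not exist
verify_download() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# verify_sums SUMS_FILE
#   checks every "<sha256>  <name>" line; names are relative to SUMS_FILE's directory and
#   a leading "*" (binary-mode marker) is tolerated. Returns the number of files that
#   failed or were missing, so 0 means everything matched.
verify_sums() {
    sums=$1; dir=$(dirname "$sums"); failed=0
    while read -r hash name; do
        case $hash in ''|'#'*) continue ;; esac   # skip blank and comment lines
        verify_download "$dir/${name#\*}" "$hash" || failed=$((failed + 1))
    done < "$sums"
    return "$failed"
}

# Stand-alone run on constructed files: the second one is altered after its hash is recorded.
demo=$(mktemp -d)
printf 'constructed image A\n' > "$demo/a.iso"
printf 'constructed image B\n' > "$demo/b.iso"
{ sha256sum "$demo/a.iso" | awk '{print $1 "  a.iso"}'
  sha256sum "$demo/b.iso" | awk '{print $1 "  b.iso"}'; } > "$demo/SHA256SUMS"
printf 'appended by someone on the path\n' >> "$demo/b.iso"
verify_sums "$demo/SHA256SUMS"; echo "files failing verification: $?"
rm -rf "$demo"
```

Keep the checksum list itself on media the household cannot reach (the encrypted USB stick from the first answer, for instance) once you have verified its signature, so the next comparison does not depend on the network again.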

Alex Cannon
0

My primary PC consists of a passwordless desktop PC that anyone in the house can use. From this machine I connect to a Windows 10 machine running on Azure. I don't have an issue with anyone installing keyloggers etc (I don't think!) but there are a number of 2 factor authentication options freely available to home users that would make the password for that machine useless without the device you use to login.

With a clean up script to delete MSTSC saved settings and a VPN it would be impossible to know you were connecting to a VM.

The other suggestions here address the keylogging issues, and booting from a live CD etc would keep the underlying OS clean.

Obviously there is a cost issue here, but you could use AWS spot instances and only start one when you wish to do something that you want to keep private, this makes it a reasonably nominal cost.

It is an alternative approach, and perhaps doesn't completely address your needs, but it can provide a good solution to privacy (unless you're wanting to keep things private from governments and big corp of course).

Michael B
0

Something that doesn't seem to have been mentioned in the other answers is the HDD password.

If you set a HDD password on your drive, it will refuse to talk to the computer until you give it the password. The BIOS prompts for the pass at boot time. You also have to set the password in the BIOS setup.

The advantage is that it will be very difficult to read or alter the data on the drive when your computer is powered off, because the drive's controller won't work.

It doesn't replace encryption (because some companies still can read the platters directly), but it makes it impossible to mess with your system or read your data without being very motivated (and willing to pay).

Just notice that if you lose the HDD password, your drive will simply stop working, definitely (some manufacturers have "master keys" and some can be found on the Internet, but it depends on the model and I wouldn't count on it).

Finally, know that some drives (like Samsung's SSD 850 Evo) encrypt the data on them with the HDD password, providing real security.

Hey
  • Only works if you shut down your machine. If the OP is using full-disk encryption (as he says), I'm not sure this will add any additional security. – schroeder Dec 13 '16 at 18:03
  • It can at least make evil maid attacks way harder: the encryption provides confidentiality, and the HDD passwords provide integrity. I thought it could help. – Hey Dec 14 '16 at 20:48
  • The problem is there is a growing number of tools available to unlock ATA locked hard drives from certain brands. – Alex Cannon Apr 19 '18 at 03:12
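To see from Linux whether the ATA security feature this answer describes is supported, enabled, locked or frozen on a drive, `hdparm -I` prints a "Security:" section. Below is an added parser for that section (example code, not from the answer or from hdparm); the two sample outputs are constructed to match hdparm's layout and were not captured from a real drive.

```shell
#!/bin/sh
# Added example: summarise the Security: section of `hdparm -I` output read from stdin.
# Prints one line: <unsupported|disabled|unlocked|locked> frozen=<yes|no>
# Assumption: the section's lines are "<word>" or "not <word>" indented under "Security:",
# ending at the next unindented line, which is how hdparm lays them out.
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }        # next top-level heading ends the section
        insec {
            neg  = ($1 == "not")
            word = neg ? $2 : $1
            if      (word == "supported") supported = !neg
            else if (word == "enabled")   enabled   = !neg
            else if (word == "locked")    locked    = !neg
            else if (word == "frozen")    frozen    = !neg
            # "supported: enhanced erase" and "expired: security count" carry a colon and are ignored
        }
        END {
            if (!supported)    state = "unsupported"
            else if (!enabled) state = "disabled"
            else if (locked)   state = "locked"
            else               state = "unlocked"
            printf "%s frozen=%s\n", state, (frozen ? "yes" : "no")
        }'
}

# Constructed samples (shape of hdparm -I output, not real drives).
SAMPLE_DISABLED='ATA device, with non-removable media
Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct'

SAMPLE_LOCKED='ATA device, with non-removable media
Security: 
    Master password revision code = 65534
        supported
        enabled
        locked
    not frozen
    not expired: security count
Checksum: correct'

printf '%s\n' "$SAMPLE_DISABLED" | ata_security_state   # disabled frozen=yes
printf '%s\n' "$SAMPLE_LOCKED"   | ata_security_state   # locked frozen=no
```

On a real machine run `sudo hdparm -I /dev/sda | ata_security_state`. Seeing `frozen=yes` on a running system is normal: the BIOS freezes the drive's security state during boot so that the OS (or malware running in it) cannot change the password, which is why, as the answer says, the password is set from BIOS setup rather than from Linux. `locked` at runtime means the drive was never unlocked and will reject media access.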