I use macOS with firewall enabled, encryption enabled, Little Snitch to block much of Apple's telemetry (is set up to allow auto updates)

    I use Chimera Linux. There are a few things I've had to adapt to, being that it's MUSL, but flatpak is supported.
    I can't stand most package management systems, APK being one of very few exceptions.
    I have a basic firewall setup using netfilter.

    I use a Surface Laptop Studio 1, it receives firmware updates in addition to Windows updates, plus other things like MAC randomization, I don't do anything very sensitive with it.

    I initially hardened it with a script, but the rules were so strict that the device became almost unusable on a daily basis, and I don't use it in a corporate environment, so I stopped using it and prefer to refer to this guide.

    Fedora on desktop.

    I use Kinoite / Silverblue daily at home.

    Used Qubes OS for a long time, like 3 years, which is very flexible once you understand all the mechanisms but takes ages to set up correctly.

    I have a Chromebook (Titan C is mandatory on all Chromebooks since 2019 so basic security is ok) with tweaks, Kicksecure in VM, very reliable and efficient for trips

    TheGodfather Thanks for the AppArmor tip, looks like it makes more sense for Arch.

    Are there any advantages of using systemd-homed vs file system encryption like fscrypt?
    As I mentioned at the start, I'm kind of using a single laptop, while best practice would be to use a couple of separate ones, or set up separate virtual machines. Definitely I should be able to put user's data at rest when I don't use them.

      dext can you elaborate on fscrypt?

      I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

      But it would be a huge usability gain to have 2 passwords that actually decrypt 2 things. LUKS just being the system, and the user password being the user files.

      Otherwise, you could use things like usbkill

      Usbguard is also pretty easy to get used to.

      https://github.com/boredsquirrel/usbguard-tricks

      • dext replied to this.

        I have been using QubesOS for a few years. It provides the strong security domain isolation I need in a very convenient and streamlined way. It is a bit resource hungry and lacks GPU acceleration, but very convenient while still secure. The only downside is that I cannot put files for certain security domains back at rest, as the LUKS2 encryption encompasses all security domains. But at least only the right security domain can access the right files, even if compromised. It also allows me to deny access to microphone and webcam even if a security domain is compromised.

        Before that I used to have a separate Linux installation for each security domain, in their own separate encrypted partition. The idea was that whenever I needed to switch security domain, I shut down the computer, plugged in a USB with an offline Linux distribution on, booted up from that only to verify the sha256 sums of the boot sector and all boot and kernel files, so none of them have been compromised, and then shut down the computer again and booted up the other Linux installation. But this was really cumbersome and time consuming, including keeping the Linux installations where I had removed the network drivers up-to-date with security updates, and relied on the proprietary BIOS for security. I basically simulated what QubesOS provides, except QubesOS allows running multiple security domains simultaneously in a secure way.

        I also used to use Tails heavily to avoid leaving traces on disk at all. QubesOS does not allow for that, but it is an often requested feature.

        Windows 11 IoT Enterprise LTSC

        I have done some privacy / security tweaks such as adjusting the Group Policy settings but I understand it's a relatively non-private OS. I try to make improvements where I can but, in terms of threat model, I have no real issue with daily driving it.

        I'm also on Fedora Silverblue, but I wish to find a good solution to replace everything with GrapheneOS. Unfortunately the Pixel Tablet with an external touchpad and keyboard didn't do it for me due to the bad desktop experience. Now I'm waiting for Google to implement a proper Desktop mode, but they are very slow...

        Best vision I have is to use my Pixel 8 with a NexDock XL once the Desktop experience catches up

        privacysimp SELinux enabled by default.

        That won't help unless packages come with SELinux profiles or you make your own strict profiles.

        privacysimp Firewalld is enabled by default.

        Again, you would need strict firewall rules for it to be effective.

        privacysimp MAC randomization for networks is enabled by default.

        MAC randomization is a bad idea if it fully randomizes it as you may receive an OUI (identifies chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and is obvious the address is spoofed. I don't know how Fedora handles this but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot so you can create an init script to handle this at every boot.

        privacysimp Fedora Linux is backed by Red Hat so it benefits from corporate security support.

        Fedora is Red Hat's upstream. Not quite sure what you mean here.

        privacysimp One great improvement is their usage of hardened_malloc which is developed by GrapheneOS.

        If that is the case, that's a huge step forward!

          Graphene1
          I once loved macOS and Mac. For years

          But anything not open source makes me nervous a bit.

          I do not have a blind faith in Apple not sneaking around in our data or web habits....

          For me, open source is my motto.... Waiting for an open source TV now LOL

            missing-root can you elaborate on fscrypt?

            I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

            fscrypt is an in-kernel function, which allows doing file-based encryption in ext4 and f2fs. But I've asked the wrong question. It turns out that systemd-homed is just a frontend, and it can use fscrypt at the back end. This is what I would do.

            Planning on buying a Framework laptop and installing Fedora...

              yoda68 me too. Open source has to win in the long run. At this moment in time though I can't see anything with equivalent security. Most of the privacy concerns are somewhat resolved with Little Snitch.

              I'm getting used to the fact that I'll have to do it myself. Here is a sketch of the plan:

              • Fedora sounds better, but I'll stick with what I know best: Arch
              • LUKS encrypt root partition with swap.
              • Put /home on separate unencrypted partition
              • Encrypt user homes with systemd-homed + f2fs/fscrypt
              • Start using YubiKey Smartcard with a PIN to unencrypt the passphrases instead of typing them
              • Start using hibernation a lot more frequently.
              • I'll set up AppArmor to lock the basic installation down
              • All user apps will come from Flatpak
              • Every user will get their own network namespace, routing table and VPN instance in a container

              It's far from perfect, but for my threat model with multiple users which I should separate as much as possible it's the best I can do without making my life too difficult.

                yore

                yore That won't help unless packages come with SELinux profiles or you make your own strict profiles.
                yore Again, you would need strict firewall rules for it to be effective.

                I agree with you on both points; great observations.

                yore MAC randomization is a bad idea if it fully randomizes it as you may receive an OUI (identifies chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and is obvious the address is spoofed. I don't know how Fedora handles this but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot so you can create an init script to handle this at every boot.

                That's an interesting perspective. Wouldn't fully randomizing the MAC address make it harder to track a device across different networks? Why is an unusual OUI a bigger privacy concern than being tracked across multiple networks? And why do you think partial MAC address changes are better?

                yore Fedora is Red Hat's upstream. Not quite sure what you mean here.

                Sorry for the confusion!
                Fedora Linux benefits from the security practices and expertise of Red Hat, which enhances its overall security.
                This is in contrast to distributions like Arch Linux, which are primarily community-driven.

                yore If that is the case, that's a huge step forward!

                It is true, you can find it on the first line here.

                • yore replied to this.
                • N1b likes this.
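The two MAC strategies debated in the posts above (full randomization versus keeping the OUI as `macchanger -e` does), shown at the byte level as an added example that is not part of any post and is not macchanger's code. Function names and the sample address are constructed for illustration.

```python
import secrets

SAMPLE = "00:11:22:33:44:55"  # constructed sample address, not from the thread


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (':' or '-' separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet): set means the address was not
    taken from a vendor-assigned OUI block."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of the first octet): must be clear for a source address."""
    return bool(parse_mac(mac)[0] & 0x01)


def randomize_keep_oui(mac: str) -> str:
    """Keep the 3-byte OUI (vendor prefix) and randomize only the last
    3 device-specific bytes, the behaviour the thread describes for -e."""
    raw = parse_mac(mac)
    return format_mac(raw[:3] + secrets.token_bytes(3))


def randomize_full(locally_administered: bool = True) -> str:
    """Randomize all 6 bytes, always clearing the multicast bit.
    locally_administered=True sets the U/L bit, openly marking the address
    as not vendor-assigned. False leaves an arbitrary 3-byte prefix that
    may match no current vendor, which is the concern raised in the thread."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] &= 0xFE  # unicast
    if locally_administered:
        raw[0] |= 0x02
    else:
        raw[0] &= 0xFD
    return format_mac(bytes(raw))
```

Either way the result is visible to every network the interface joins: the kept-OUI form stays plausible for the hardware, while the fully random form changes the prefix on each run.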

                  Clark I'm using Fedora Silverblue on the AMD Framework 13. It's great, I'm sure you'll enjoy it.

                  In case you plan to install multiple Fedora installations on different storage extensions so you can airgap them and swap them out whenever needed: It works. Only minor annoyance is you can't reboot the device as it won't find your system, you'll have to shut it down and boot it up manually. Not sure why that is, didn't find a solution yet.

                  Have tried numerous setups on different hardware.

                  My go-to computer for getting actual work done nowadays when on the move is a 12th gen Framework, dual booting to either an ameliorated version of Win10 for certain work that cannot be done except in a true Windows environment, and EndeavourOS (Arch-based Linux distro) preferentially for everything else.

                  This covers everything I need to do from a practical standpoint, while minimizing risks & exposures to an acceptable (for me) point. This combo has so far covered 100% of everything I want to do for both work and light entertainment.