TheGodfather Thanks for the AppArmor tip, looks like it makes more sense for Arch.

Are there any advantages of using systemd-homed vs file system encryption like fscrypt?
As I mentioned at the start, I'm kind of using a single laptop, while best practice would be to use a couple of separate ones, or set up separate virtual machines. Definitely I should be able to put users' data at rest when I don't use them.

    dext can you elaborate on fscrypt?

    I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

    But it would be a huge usability gain to have 2 passwords that actually decrypt 2 things. LUKS just being the system, and the user password being the user files.

    Otherwise, you could use things like usbkill

    Usbguard is also pretty easy to get used to.

    https://github.com/boredsquirrel/usbguard-tricks


      I have been using QubesOS for a few years now. It provides the strong security domain isolation I need in a very convenient and streamlined way. It is a bit resource hungry and lacks GPU acceleration, but very convenient while still secure. The only downside is that I cannot put files for certain security domains back at rest, as the LUKS2 encryption encompasses all security domains. But at least only the right security domain can access the right files, even if compromised. It also allows me to deny access to the microphone and webcam even if a security domain is compromised.

      Before that I used to have a separate Linux installation for each security domain, each in its own separate encrypted partition. The idea was that whenever I needed to switch security domain, I shut down the computer, plugged in a USB stick with an offline Linux distribution on it, booted up from that only to verify the sha256 sums of the boot sector and all boot and kernel files, so that none of them had been compromised, and then shut down the computer again and booted up the other Linux installation. But this was really cumbersome and time consuming, including keeping the Linux installations, where I had removed the network drivers, up to date with security updates, and it relied on the proprietary BIOS for security. I basically simulated what QubesOS provides, except QubesOS allows running multiple security domains simultaneously in a secure way.

      I also used to use Tails heavily to avoid leaving traces on disk at all. QubesOS does not allow for that, but it is an often requested feature.
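The boot-file check described in the post above (booting an offline live system, hashing the bootloader and kernel files, and comparing against known-good sha256 sums) as an added Python example; it is not the poster's own script. It builds a manifest in the two-space format that `sha256sum -c` reads, so the same file can be checked with coreutils alone, and on a later run reports files that were modified, that vanished, or that appeared. The directory layout and file contents are constructed samples, and the function names are mine. The boot sector itself would have to be read from the block device, which this example leaves out.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of one file, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only; a link target is hashed under its own path
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def dump_manifest(manifest):
    """Serialise as 'hash  path' lines, the format `sha256sum -c` accepts."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        manifest[path] = digest
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a stored manifest.

    Returns the three things a boot-integrity check cares about: files whose
    content changed, files that are gone, and files that were not there before.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


# --- helpers for building a constructed sample tree (not a real /boot) -------

def write_file(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def remove_file(root, rel):
    os.remove(os.path.join(root, rel))


def make_sample_tree():
    """Constructed stand-in for a boot partition: a kernel, an initramfs, a bootloader."""
    root = tempfile.mkdtemp(prefix="boot-sample-")
    write_file(root, "vmlinuz", b"constructed kernel image")
    write_file(root, "initramfs.img", b"")
    write_file(root, "EFI/BOOT/grubx64.efi", b"constructed bootloader")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    baseline = build_manifest(root)
    print(dump_manifest(baseline), end="")
    write_file(root, "vmlinuz", b"tampered kernel image")
    print(verify_manifest(root, baseline))
```

Keep the manifest on the same offline medium you boot from to run the check, as the post does: a manifest stored on the disk being verified can be rewritten by whatever modified the boot files.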

      Windows 11 IoT Enterprise LTSC

      I have done some privacy / security tweaks such as adjusting the Group Policy settings, but I understand it's a relatively non-private OS. I try to make improvements where I can, but in terms of threat model I have no real issue with daily driving it.

      I'm also on Fedora Silverblue, but I wish to find a good solution to replace everything with GrapheneOS. Unfortunately the Pixel Tablet with an external touchpad and keyboard didn't do it for me due to the bad desktop experience. Now I'm waiting for Google to implement a proper desktop mode, but they are very slow...

      The best vision I have is to use my Pixel 8 with a NexDock XL once the desktop experience catches up.

      privacysimp SELinux enabled by default.

      That won't help unless packages come with SELinux profiles or you make your own strict profiles.

      privacysimp Firewalld is enabled by default.

      Again, you would need strict firewall rules for it to be effective.

      privacysimp MAC randomization for networks is enabled by default.

      MAC randomization is a bad idea if it fully randomizes the address, as you may receive an OUI (identifies the chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and making it obvious the address is spoofed. I don't know how Fedora handles this, but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot, so you can create an init script to handle this at every boot.

      privacysimp Fedora Linux is backed by Red Hat so it benefits from corporate security support.

      Fedora is Red Hat's upstream. Not quite sure what you mean here.

      privacysimp One great improvement is their usage of hardened_malloc, which is developed by GrapheneOS.

      If that is the case, that's a huge step forward!

        Graphene1 I once loved MacOS and Mac. For years.

        But anything not open source makes me a bit nervous.

        I do not have blind faith in Apple not sneaking around in our data or web habits....

        For me, open source is my motto.... Waiting for an open-source TV now LOL

          missing-root can you elaborate on fscrypt?

          I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

          fscrypt is an in-kernel feature that allows file-based encryption on ext4 and f2fs. But I've asked the wrong question. It turns out that systemd-homed is just a frontend, and it can use fscrypt on the back end. This is what I would do.

          Planning on buying a Framework laptop and install Fedora...

            yoda68 me too. Open source has to win in the long run. At this moment in time, though, I can't see anything with equivalent security. Most of the privacy concerns are somewhat resolved with Little Snitch.

            I'm getting used to the fact that I'll have to do it myself. Here is a sketch of the plan:

            • Fedora sounds better, but I'll stick with what I know best: Arch
            • LUKS-encrypt the root partition together with swap
            • Put /home on a separate unencrypted partition
            • Encrypt user homes with systemd-homed + f2fs/fscrypt
            • Start using a Yubikey smartcard with a PIN to decrypt the passphrases instead of typing them
            • Start using hibernation a lot more frequently
            • Set up AppArmor to lock the basic installation down
            • All user apps will come from Flatpak
            • Every user will get their own network namespace, routing table and VPN instance in a container

            It's far from perfect, but for my threat model, with multiple users whom I should separate as much as possible, it's the best I can do without making my life too difficult.

              yore That won't help unless packages come with SELinux profiles or you make your own strict profiles.
              yore Again, you would need strict firewall rules for it to be effective.

              I agree with you on both points; great observations.

              yore MAC randomization is a bad idea if it fully randomizes the address, as you may receive an OUI (identifies the chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and making it obvious the address is spoofed. I don't know how Fedora handles this, but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot, so you can create an init script to handle this at every boot.

              That's an interesting perspective. Wouldn't fully randomizing the MAC address make it harder to track a device across different networks? Why is an unusual OUI a bigger privacy concern than being tracked across multiple networks? And why do you think partial MAC address changes are better?

              yore Fedora is Red Hat's upstream. Not quite sure what you mean here.

              Sorry for the confusion!
              Fedora Linux benefits from the security practices and expertise of Red Hat, which enhances its overall security.
              This is in contrast to distributions like Arch Linux, which are primarily community-driven.

              yore If that is the case, that's a huge step forward!

              It is true, you can find it on the first line here.


                Clark I'm using Fedora Silverblue on the AMD Framework 13. It's great, I'm sure you'll enjoy it.

                In case you plan to install multiple Fedora installations on different storage extensions so you can airgap them and swap them out whenever needed: it works. The only minor annoyance is that you can't reboot the device, as it won't find your system; you'll have to shut it down and boot it up manually. Not sure why that is, haven't found a solution yet.

                Have tried numerous setups on different hardware.

                My go-to computer for getting actual work done nowadays when on the move is a 12th gen Framework, dual booting to either an ameliorated version of Win10 for certain work that cannot be done except in a true Windows environment, and EndeavourOS (Arch-based Linux distro) preferentially for everything else.

                This covers everything I need to do from a practical standpoint, while minimizing risks & exposures to an acceptable (for me) point. This combo has so far covered 100% of everything I want to do for both work and light entertainment.

                privacysimp That's an interesting perspective. Wouldn't fully randomizing the MAC address make it harder to track a device across different networks? Why is an unusual OUI a bigger privacy concern than being tracked across multiple networks? And why do you think partial MAC address changes are better?

                A fully randomized MAC address doesn't guarantee that the OUI portion will be set to a value that has ever existed or isn't quite rare. If you were to connect to Network A with a fully randomized MAC address and later to Network B with another fully random address, or even reconnect to the same network, theoretically these activities could be linked, as an observer could say "Aha, it's that user with a spoofed MAC address again." Linking activities aside, it still makes it obvious that the device is spoofing its MAC, and we generally don't want networks to be clearly aware of that.

                To be clear, I am no expert and if anyone feels I am wrong I'm open to your thoughts 🙂

                privacysimp Sorry for the confusion!
                Fedora Linux benefits from the security practices and expertise of Red Hat, which enhances its overall security.
                This is in contrast to distributions like Arch Linux, which are primarily community-driven.

                No worries, just wasn't sure what you meant! I see what you mean here now. Do you know of any examples of this in practice? It's my first time hearing about it so I'd like to learn more.

                privacysimp It is true, you can find it on the first line here

                That's great to hear! Thanks for sharing.
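The two randomization styles argued over in this exchange (yore's `macchanger -e`, which keeps the vendor OUI and changes only the last three octets, versus a fully random address), as an added Python example that is not from the thread. It implements the OUI-preserving variant the post describes, beside the form most built-in randomizers produce (random bytes with the IEEE locally-administered bit set and the multicast bit cleared), and a `classify` check that reports what an observer can read from the address alone: a universally administered address looks vendor-assigned, a locally administered one is recognisably not. Function names are mine and every address value is constructed; the `rng` parameter exists only so the output can be pinned in a test.

```python
import os


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes; reject anything else."""
    parts = mac.strip().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    try:
        return bytes(int(p, 16) for p in parts)
    except ValueError:
        raise ValueError(f"non-hex octet in MAC address: {mac!r}") from None


def format_mac(octets):
    return ":".join(f"{b:02x}" for b in octets)


def classify(mac):
    """What the first octet says about the address.

    bit 0 (0x01): individual/group  -> set means multicast, never a valid source
    bit 1 (0x02): universal/local   -> set means not assigned from a vendor OUI
    """
    first = parse_mac(mac)[0]
    if first & 0x01:
        return "multicast"
    if first & 0x02:
        return "locally administered"
    return "universally administered"


def randomize_nic_part(mac, rng=os.urandom):
    """Keep the 3-octet OUI, randomize the 3 NIC-specific octets.

    This mirrors what the post describes for `macchanger -e`: the address still
    classifies as universally administered because the first octet is untouched.
    """
    octets = parse_mac(mac)
    return format_mac(octets[:3] + rng(3))


def fully_random_mac(rng=os.urandom):
    """Six random octets with the locally-administered bit set and multicast cleared.

    This is the shape most built-in randomizers emit, so the result never
    collides with a real vendor OUI but is identifiable as locally administered.
    """
    octets = bytearray(rng(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return format_mac(bytes(octets))


if __name__ == "__main__":
    # Constructed sample: a universally administered address with a made-up OUI.
    original = "00:1a:2b:3c:4d:5e"
    for label, addr in [
        ("original", original),
        ("OUI-preserving", randomize_nic_part(original)),
        ("fully random", fully_random_mac()),
    ]:
        print(f"{label:15} {addr}  -> {classify(addr)}")
```

Note what the check can and cannot tell you: `classify` reports whether an address claims to be vendor-assigned, not whether the OUI in it is real or current; checking the OUI against the IEEE registry would be a separate lookup, and an OUI-preserving address still links sessions to one vendor prefix.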

                  MacOS. Never tried anything else (except a bit of Windows, horrible).

                  yore A fully randomized MAC address doesn't guarantee that the OUI portion will be set to a value that has ever existed or is quite rare.

                  So many devices nowadays have built in MAC randomization or even randomization by default that you don’t really need to worry about it.

                    I have a laptop with Debian and another with Windows for playing.
                    Should I replace Debian with Fedora? Debian is more convenient since I have a server with Debian for my self-hosted apps, but on reading this thread it seems that Fedora might bring advantages... What do you think?
                    EDIT: I'm not thinking of changing my server to Fedora, since I believe that Debian has many advantages for a server.