The more I learn about how Pixel with GrapheneOS works, the more uncomfortable I am with my ThinkPad with Arch. Especially because I use multiple users (I have multiple private and work identities). I already have full-disk encryption and Secure Boot set up, but I've penciled in some improvements:

  • Encrypt users' homes independently with file-level encryption
  • Isolate users' networks with namespaces
  • Configure SELinux
  • Start using Flatpak (which has terrible defaults, to be manually fixed), or Firejail
  • Set up and test suspend-then-hibernate with timeout

Sounds like a lot of work, and maintenance later. In the hope that I could find something at least partially done:
What do you use? What kind of laptop/PC, and OS?

    Fedora Atomic (Silverblue) is my primary desktop OS. However, I use Windows for work and generally try to be agnostic in regards to the OS I'm using. I don't do anything sensitive on any of my devices other than my Pixel with GrapheneOS.


    Recently I switched from Arch Linux to Fedora Linux on my HP OMEN Laptop 15 (2020).
    The reason is mostly for the better security and privacy by default:

    • SELinux enabled by default.
    • Firewalld is enabled by default.
    • MAC randomization for networks is enabled by default.
    • Fedora Linux is backed by Red Hat so it benefits from corporate security support.

    The project that steps it up even more security wise is SecureBlue.
    One great improvement is their usage of hardened_malloc, which is developed by GrapheneOS.

    They also develop a hardened web browser which is inspired by Vanadium.
    This can be installed on Fedora Linux using COPR.
    Eventually I might switch towards using SecureBlue.

    I gave QubesOS a try on my laptop, but the battery life was quite bad at around 2 hours.
    For me it would be an interesting option on a PC, but not a laptop (unless always plugged in).

    My suggestion for security hardening would be to set up an administrator password for the BIOS.
    Also you should disable USB- and network-boot if you do not use them.
    This will reduce the attack surface.
    You can also look into more security suggestions using fwupd: fwupdmgr security.

      I used Secureblue, it is an interesting project. Most of what they do is change some switches, set configs, disable stuff from loading, etc.

      They also include bubblejail, a pre-release but very cool way to sandbox applications that need broader access, most importantly namespace creation for browsers and electron apps. Likely VPN clients too.

      They also make hardened_malloc work on desktop Linux, which causes issues; the implementation is kinda hacky and incomplete, and there are simply a ton of UX issues with it, like excluding apps while still keeping security.

      Android uses a very slim kernel; secureblue uses the Fedora kernel and just prevents stuff from loading. This will be less secure.

      Because they did some controversial things that are not reversible on Fedora Atomic Desktops (like Silverblue, Kinoite, etc., which they are based on), I switched to vanilla Kinoite and harden it manually. It is kinda fine.

      Linux and Android are complex. I could write 1000 words here. Google has basically replaced everything from a regular Linux distro with different methods.

      • bionic vs glibc
      • dalvik vs native libraries
      • userspace filesystem drivers (fuse) instead of kernel drivers
      • the entire way you boot, have accounts and separate systems is custom
      • the way apps are sandboxed is custom, uses SELinux (like Fedora) but for every app, on Fedora all user apps run unconfined
      • the way updates work for apps and the system is custom and very secure
      • integration with the firmware is waaay more advanced, also because of hardware like the secure element. You may only get this on a recent Novacustom/Nitrokey laptop with Heads firmware, Intel Boot Guard and a TPM, and it may still be less secure
      • protection of memory
      • protection of the USB port, and there are no other ports to use (unlike laptops with Thunderbolt, SATA, PCIe and others with huge attack surface)
      • Core VPN functionality integrated into the OS, VPN apps don't need broad access (like blocking network, always on)
      • Captive portal and other systems being sandboxed to protect against insecure networks
      • 3 profiles easily accessible within the owner profile, allowing easy separation also including used VPNs/i2p/Tor and DNS
      • Android running entirely without root. We are trying to make this work on desktop Linux too, but there are always issues

      Desktop Linux is WAY more customizable though. Like, it is extreme. Backups, linking folders, accessing various external drives, encrypted external drives, virtual machines. And the app ecosystem is simply different, Android is still not suited for most production jobs (office, mail, content creation, data analysis, science, etc)

        dext Configure SELinux

        I wouldn't bother with it on Arch. Either use AppArmor, or, if you need SELinux, other distros are better suited.

        dext Encrypt user's homes independently with file-level encryption

        You can use systemd-homed to encrypt home folders, but it depends on your threat model, if it is even worth it.

        dext What do you use? What kind of laptop/PC, and OS?

        I use multiple OSes. My main laptop OS is EndeavourOS (Arch) with quite some hardening. If I had to start all over, I would probably go with Secureblue or Fedora with Brace.

          I use macOS with the firewall enabled, encryption enabled, and Little Snitch to block much of Apple's telemetry (it is set up to allow auto updates).

            I use Chimera Linux. There are a few things I've had to adapt to, being that it's musl, but Flatpak is supported.
            I can't stand most package management systems, APK being one of very few exceptions.
            I have a basic firewall setup using netfilter.

            I use a Surface Laptop Studio 1; it receives firmware updates in addition to Windows updates, plus other things like MAC randomization. I don't do anything very sensitive with it.

            I initially hardened it with a script, but the rules were so strict that the device became almost unusable on a daily basis, and I don't use it in a corporate environment, so I stopped using it and prefer to refer to this guide.

            Fedora on desktop.

            I use Kinoite / Silverblue daily at home.

            Used Qubes OS for a long time, like 3 years, which is very flexible once you understand all the mechanisms but takes ages to set up correctly.

            I have a Chromebook (Titan C is mandatory on all Chromebooks since 2019, so basic security is ok) with tweaks, Kicksecure in a VM, very reliable and efficient for trips.

            TheGodfather Thanks for the AppArmor tip, looks like it makes more sense for Arch.

            Are there any advantages of using systemd-homed vs file system encryption like fscrypt?
            As I mentioned at the start, I'm kind of using a single laptop, while best practice would be to use a couple of separate ones, or set up separate virtual machines. Definitely I should be able to put users' data at rest when I don't use them.

              dext can you elaborate on fscrypt?

              I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

              But it would be a huge usability gain to have 2 passwords that actually decrypt 2 things. LUKS just being the system, and the user password being the user files.

              Otherwise, you could use things like usbkill

              Usbguard is also pretty easy to get used to.

              https://github.com/boredsquirrel/usbguard-tricks


                I have been using QubesOS for a few years now. It provides the strong security domain isolation I need in a very convenient and streamlined way. It is a bit resource hungry and lacks GPU acceleration, but is very convenient while still secure. The only downside is that I cannot put files for certain security domains back at rest, as the LUKS2 encryption encompasses all security domains. But at least only the right security domain can access the right files, even if compromised. It also allows me to deny access to microphone and webcam even if a security domain is compromised.

                Before that I used to have a separate Linux installation for each security domain, each in its own separate encrypted partition. The idea was that whenever I needed to switch security domain, I shut down the computer, plugged in a USB stick with an offline Linux distribution on it, booted up from that only to verify the sha256 sums of the boot sector and all boot and kernel files, so none of them had been compromised, and then shut down the computer again and booted up the other Linux installation. But this was really cumbersome and time consuming, including keeping the Linux installations where I had removed the network drivers up to date with security updates, and it relied on the proprietary BIOS for security. I basically simulated what QubesOS provides, except QubesOS allows running multiple security domains simultaneously in a secure way.

                I also used to use Tails heavily to avoid leaving traces on disk at all. QubesOS does not allow for that, but it is an often requested feature.

                Windows 11 IoT Enterprise LTSC

                I have done some privacy / security tweaks such as adjusting the Group Policy settings, but I understand it's a relatively non-private OS. I try to make improvements where I can but, in terms of threat model, I have no real issue with daily driving it.

                I'm also on Fedora Silverblue, but I wish to find a good solution to replace everything with GrapheneOS. Unfortunately the Pixel Tablet with an external touchpad and keyboard didn't do it for me due to the bad desktop experience. Now I'm waiting for Google to implement a proper desktop mode, but they are very slow...

                The best vision I have is to use my Pixel 8 with a NexDock XL once the desktop experience catches up.

                privacysimp SELinux enabled by default.

                That won't help unless packages come with SELinux profiles or you make your own strict profiles.

                privacysimp Firewalld is enabled by default.

                Again, you would need strict firewall rules for it to be effective.

                privacysimp MAC randomization for networks is enabled by default.

                MAC randomization is a bad idea if it fully randomizes it, as you may receive an OUI (identifies the chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and making it obvious the address is spoofed. I don't know how Fedora handles this, but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot, so you can create an init script to handle this at every boot.

                privacysimp Fedora Linux is backed by Red Hat so it benefits from corporate security support.

                Fedora is Red Hat's upstream. Not quite sure what you mean here.

                privacysimp One great improvement is their usage of hardened_malloc which is developed by GrapheneOS.

                If that is the case, that's a huge step forward!
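                The OUI-preserving randomization described in the post above (what macchanger -e does), as an added example that is not from the thread or from the macchanger project: a POSIX shell script that keeps the first three octets of the current address and randomizes only the last three, so the vendor prefix stays plausible. The interface name, the sysfs path and the use of `ip` are assumptions; the apply step needs root.

```shell
#!/bin/sh
# Added example (not from the thread): keep the vendor OUI of a MAC address
# and randomize only the device-specific last three octets, the same effect
# as `macchanger -e`. Interface name, sysfs path and `ip` usage are assumptions.

# Print $1 with its first three octets kept and the last three replaced by
# random bytes. Input is normalised to lower case first.
randomize_nic_part() {
    oui=$(printf '%s' "$1" | tr 'A-F' 'a-f' | cut -d: -f1-3)
    # three random bytes as six hex digits, then re-insert the colons
    rnd=$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n')
    nic=$(printf '%s' "$rnd" | sed 's/^\(..\)\(..\)\(..\)$/\1:\2:\3/')
    printf '%s:%s\n' "$oui" "$nic"
}

# Succeed only for a well-formed lower-case aa:bb:cc:dd:ee:ff string.
is_valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read the current address of an interface from sysfs, derive a new one and
# apply it. Needs root. The change does not survive a reboot, so call this
# from a oneshot unit or init script to re-run it at every boot.
apply_random_mac() {
    iface=$1
    cur=$(cat "/sys/class/net/$iface/address")
    new=$(randomize_nic_part "$cur")
    is_valid_mac "$new" || return 1
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$new"
    ip link set dev "$iface" up
    printf '%s: %s -> %s\n' "$iface" "$cur" "$new"
}

# Usage: ./randomize-mac.sh wlan0   (interface name is an assumption)
if [ $# -gt 0 ]; then
    apply_random_mac "$1"
fi
```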

                  Graphene1
                  I once loved macOS and Mac. For years.

                  But anything not open source makes me a bit nervous.

                  I do not have blind faith in Apple not sneaking around in our data or web habits....

                  For me, open source is my motto.... Waiting for an open source TV now LOL

                    missing-root can you elaborate on fscrypt?

                    I just know that systemd-homed doesn't yet work on Fedora Atomic Desktops.

                    fscrypt is an in-kernel function, which allows doing file-based encryption in ext4 and f2fs. But I've asked the wrong question. It turns out that systemd-homed is just a frontend, and it can use fscrypt as the back end. This is what I would do.