Hey, is there a Linux (+ packages?) which I could install on USB, and boot it up on computer and would serve as extremely safe "Sandbox"? I want to put there copy of contracts, important immensely long passwords et cetera. I'm not doing any of those, but, these are just the examples. I know about "Tails". But I think this OS is more about anonymousity rather than about hardened safety of user. <s>And no "Fort Knox Linux" is not what I look for.</s> Is Fort Knox Linux, such one?
mike_2000_17 2,669 21st Century Viking Team Colleague Featured Poster
There are several Linux distributions that focus on security of various kinds. I'm not sure exactly which would be the most appropriate for you. They take different focuses. Some aim at anonymity (e.g., via Tor or I2P, like in Tails Linux). Some aim at preserving the integrity of the system, like Immunix. Some aim at running secure servers, like Fedora, CentOS and RHEL.
And when it comes to securing a system, ironically, the NSA can be a useful source of information. Using SELinux-enabled systems is probably a good idea. You might be paranoid about NSA backdoors, maybe justifiably so, but I think SELinux largely predates the start of NSA's criminal activities, and it's mostly a "way to do things" (protocol) as opposed to an actual implementation (AFAIK), so, the implementations of it are probably trustworthy.
It sounds like what you want is mainly to be able to store important information. For that purpose, you need either full disk encryption (e.g., truecrypt or dm-crypt) or file-system encryption (e.g., EncFS or eCryptFS), or both. Personally, I'm not convinced that full disk encryption is really that good because if someone accesses your system (physically or remotely), then having user or root access to the system implies being able to read / write data on the encrypted drive, at least, that's how I understand it. I guess the point is that securely storing data, to me, implies that the data is never left unencrypted (or readable) for any period of time longer than necessary. I use EncFS for such files, and I will only decrypt the folder briefly when I access or write data from that folder, and immediately unmount it after I'm done. When you use things like encrypted home folders, I think it's pointless because as long as you are logged in, it's completely readable / writable (unencrypted), i.e., it only protects your data when you are not logged in and if nobody can log in to your account (doesn't have your user password and doesn't have root access, which is pretty much the first goal of a successful hack).
And the other thing you must worry about when storing secure information is that the system from which you are accessing it (the OS that you are running) is not compromised (e.g., like having a malicious key-logger installed). That is where things like SELinux comes into play. This is also where features like strong network security, amnesia and strong restrictions on browsing and installation of software becomes important. That's where a distro like Tails is strong. Anonymity does provide some level of security ("they" can't make a personal attack on you, if they can't locate or reach you). Amnesia and the general principle of having an immutable (read-only) operating system in a LiveUSB is a good guarantee that your system will not get compromised, because it would have to be compromised at some point since you just booted up, and it would have to be an in-memory (RAM) attack, which is really hard to pull off, especially on a bare-bone Linux system (AFAIK, all known in-memory hacks target .NET or JVM).
So, one solution can be to keep an encrypted folder (or disk partition) on your hard-drive, and only access it briefly by booting from a LiveUSB with an OS like Tails Linux on it. But this is very much on the paranoid side of things. There are also many distributions that are small enough to run entirely from RAM, which provides an additional level of security through amnesia.
A more reasonable everyday solution is to get a solid security-enhanced system, like Fedora (with all secure features enabled), set up a strong firewall (and block most ports from your router / home-network), and store any sensitive information in an encrypted folder that you only access briefly. And with the flexible nature of Linux, you can make almost any distribution into a secure system, but a robust distro like Fedora or CentOS is probably a better starting point if that is your goal.
Edited by mike_2000_17 because: added note
RikTelner 20 Posting Pro in Training
Ok. So Fedora Linux, encFS
, strong firewall. I don't need internet for it. I really want to make it as isolable from world as possible. So I think I'd just block every port.
Assembly Guy 72 Posting Whiz
So I think I'd just block every port.
If that's the case, why not just physically disconenct it from all networks?
RikTelner 20 Posting Pro in Training
I was just thinkin' about this. On how this works and could work and, all the other stuff, people like me do. We were talking about booting from USB drive, what if I took 60GB fastest SSD I can find and install it on it, would it have same/better effects if I installed Fedora, set up firewall, deleted wireless driver, set password on SSD, set password on account, set password on disk and set password on folder? yes I know, it sounds total paranoid, so am I
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.