Security Tips for Installing Linux on Your SysAdmin Workstation
Once you’ve chosen a Linux distro that meets all the security guidelines set out in our last article, you’ll need to install the distro on your workstation.
Linux installation security best practices vary, depending on the distribution. But, in general, there are some essential steps to take:
￼Use full disk encryption (LUKS) with a robust passphrase
Make sure swap is also encrypted
Require a password to edit bootloader (can be same as LUKS)
Set up a robust root password (can be same as LUKS)
Use an unprivileged account, part of administrators group
Set up a robust user-account password, different from root
These guidelines are intended for systems administrators who are remote workers. But they apply equally well if you work either from a portable laptop in a work environment, or set up a home system to access work infrastructure for after-hours/emergency support.
When combined with the other recommendations in this series, they will help reduce the risk that SysAdmins will become attack vectors against the rest of your IT infrastructure.
Full disk encryption
Unless you are using self-encrypting hard drives, it is important to configure your installer to fully encrypt all the disks that will be used for storing your data and your system files. It is not sufficient to simply encrypt the user directory via auto-mounting cryptfs loop files (I’m looking at you, older versions of Ubuntu), as this offers no protection for system binaries or swap, which is likely to contain a slew of sensitive data. The recommended encryption strategy is to encrypt the LVM device, so only one passphrase is required during the boot process.
The /boot partition will usually remain unencrypted, as the bootloader needs to be able to boot the kernel itself before invoking LUKS/dm-crypt. Some distributions support encrypting the /boot partition as well (e.g. Arch), and it is possible to do the same on other distros, but likely at the cost of complicating system updates. It is not critical to encrypt /boot if your distro of choice does not natively support it, as the kernel image itself leaks no private data and will be protected against tampering with a cryptographic signature checked by SecureBoot.
Choosing good passphrases
Modern Linux systems have no limitation of password/passphrase length, so the only real limitation is your level of paranoia and your stubbornness. If you boot your system a lot, you will probably have to type at least two different passwords: one to unlock LUKS, and another one to log in, so having long passphrases will probably get old really fast. Pick passphrases that are two to three words long, easy to type, and preferably from rich/mixed vocabularies.
Examples of good passphrases (yes, you can use spaces):
• nature abhors roombas
• 12 in-flight Jebediahs
• perdon, tengo flatulence
Weak passphrases are combinations of words you’re likely to see in published works or anywhere else in real life, and you should avoid using them, as attackers are starting to include such simple passphrases into their brute-force strategies.
Examples of passphrases to avoid:
• Mary had a little lamb
• you’re a wizard, Harry
• to infinity and beyond
You can also stick with non-vocabulary passwords that are at least 10-12 characters long, if you prefer that to typing passphrases.
Unless you have concerns about physical security, it is fine to write down your passphrases and keep them in a safe place away from your work desk.
Root, user passwords and the admin group
We recommend that you use the same passphrase for your root password as you use for your LUKS encryption (unless you share your laptop with other trusted people who should be able to unlock the drives, but shouldn’t be able to become root). If you are the sole user of the laptop, then having your root password be different from your LUKS password has no meaningful security advantages. Generally, you can use the same passphrase for your UEFI administration, disk encryption, and root account — knowing any of these will give an attacker full control of your system anyway, so there is little security benefit to have them be different on a single-user workstation.
You should have a different, but equally strong password for your regular user account that you will be using for day-to-day tasks. This user should be member of the admin group (e.g. wheel or similar, depending on the distribution), allowing you to perform sudo to elevate privileges.￼￼￼￼
In other words, if you are the sole user on your workstation, you should have two distinct, robust, equally strong passphrases you will need to remember:
Admin-level, used in the following locations:
• UEFI administration
• Bootloader (GRUB)
• Disk encryption (LUKS)
• Workstation admin (root user)
User-level, used for the following:
• User account and sudo
• Master password for the password manager
All of them, obviously, can be different if there is a compelling reason.
Next time we’ll talk about post-installation security hardening. This will depend greatly on your distribution of choice, so we’ll provide an overview of the steps you should take rather than provide detailed instructions.