SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've been reading about Hardened Linux from Scratch, and that got me wondering what it would take to build Slackware with some (or all?) of the HLFS modifications.
Has anyone done something like that?
To broaden the question a bit, what do you all do to harden your Slackware installation? Do you use IPTables? Do you encrypt your hard drive? Please share.
Is there a way to create a customized implementation of LUKS/AES...?
Inclusion or other symmetric encryption protocols, ncreased number of rounds in AES cypher, extended keyword length/permutation tables, different key scheduling mechanism...?
I know the code is open, but I would like ro read on the details of implementation...
This would be a real Hardened Slackware... IMHO...
I do all the usual low-hanging-fruit stuff: iptables, encrypted partition, use of different users/groups for different tasks, ensure daemons that are only needed locally only listen on 127.0.0.1.
I've been meaning to try grSecurity for a while now but I've not got around to it yet. To be honest, I'm not sure it would gain me all that much the way I use my box. If I wanted to run a secured server I'd probably implement it on OpenBSD rather than linux anyway.
That link is useful, though terse. It is, as I understand it, a different approach from HLFS, which actually compiles the system differently to harden it.
I need to do more research. I suspect, though, that it is possible to recompile Slackware with the hardened bits, just like GrapefruitGirl recompiled Slackware for performance last year. I also suspect that it would be a lot of work!
In the quest to continue on this theme, I've found a good thread on encrypting one's hard drive here. This is most useful if one already has Slackware installed.
What is the performance/speed impact of an encrypted installation? Is the system noticeably slower/sluggish? How is boot-up time affected?
I'm using encryption for example on my Atom Netbook. First I encryptet the whole disk and installed everything in LVM (which is the only possibility to encrypt swap for suspend to disk). The system felt really slow. Then I reinstalled and encrypted only /home. Now it feels like slackware again.
Distribution: Slackware64 14.2 and current, SlackwareARM current
Posts: 1,644
Rep:
Quote:
Originally Posted by GrapefruiTgirl
What is the performance/speed impact of an encrypted installation? Is the system noticeably slower/sluggish? How is boot-up time affected?
In my perception the speed loss is not that huge. I have my systems encrypted but have some partitions still unencrypted. Since my system partitions are all encrypted I cannot compare to unencrypted boot time. My impression (not measured, only impression) is that it makes a noticable difference if you're acting on many or big files, but I do not notice it in everyday usage. The "smallest" machine I can say this for has a Intel Celeron M530, a SATA harddisk and 1GB of RAM.
My opinion may be biased though - I don't have a choice because I absolutely need the encryption and I had expected a real slow down, so I'm more than happy with the result.
I use an encrypted LVM for my whole system and have not noticed any slowdown at all. I play the occasional game and get reasonable framerates, and between my formerly unencrypted Slackware 12.1 install and my now-former encrypted Slackware 12.2 install I noticed no significant slowdown of the system. And of course my current encrypted Slackware64-13.0 installation seems fine as well.
Of course this is all anecdotal, but the encryption certainly has not made using my system any more frustrating at the very least. If you are concerned you can always just encrypt /home and leave the rest unencrypted -- any data that has any value shouldn't be stored in any other place in the running system IMO.
For my systems, I make a scope-limiting assumption that physical access is already Game Over. Network-wise, I've got iptables set up so that all a scanner can tell about my computer is that there's a ethernet card.
If you are concerned you can always just encrypt /home and leave the rest unencrypted. . .
I guess I have two questions:
1) Is there any way to encrypt the /home directory without moving all the data and encrypting it based on the directions in README_CRYPT with cryptsetup?
2) /home has everyone's home directory (e.g., /home/drew and /home/robin). How does encryption work with multiple users?
Distribution: Slackware64 14.2 and current, SlackwareARM current
Posts: 1,644
Rep:
Quote:
Originally Posted by Lufbery
I guess I have two questions:
1) Is there any way to encrypt the /home directory without moving all the data and encrypting it based on the directions in README_CRYPT with cryptsetup?
2) /home has everyone's home directory (e.g., /home/drew and /home/robin). How does encryption work with multiple users?
Regards,
1) Not that I know of, at least not with cryptsetup-LUKS. I know that TrueCrypt does that with Windows system partitions on the fly though so it is not theoretically impossible. I don't know if truecrypt on Linux can handle this.
2) Works flawless, once the system is started you don't notice what folders are being encrypted as it is handled transparently.
If it is a desktop machine where several people will have access, the user that boots the machine is of course required to enter a passphrase (or use a keyfile etc.), else no user can access her/his home folders.
LUKS offers several key slots so that at least some users (seven, nine? I don't remember) could use their distinct passphrases or keyfiles.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.