Essential Host Security

From Kicksecure
Jump to navigation Jump to search

This page is targeted at advanced users who wish to improve the general security of their host operating system to become even more secure.

Kicksecure comes with many security featuresarchive.org. Kicksecure is Security Hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

Host Security Essentials[edit]

It is recommended to first read relevant Computer Security Education entries concerning host security, such as:

Power Saving Considerations[edit]

Warning: Upon system suspend / standby, Full Disk Encryption (FDE) keys are still kept in RAM.

Users at high risk or traveling should avoid leaving a system in the suspend or standby state. Instead, the recommended power mode to use is hibernation. This will lock all system partitions to a safe state, though there is a small trade-off in startup time.

On GNU/Linux hosts, standby will not always result in having LUKS keys retained in memory. Some experimental projects [1] and custom setups with systemd+scripting are able to erase the keys before system suspend to avoid mistakes.

Following a system standby period, the network fingerprint for Tor on the Kicksecure is identical to a standard Tor instance on the host that has gone through the same procedure. There are some old connections that go stale and need renewal, but nothing is seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol / OpenSSL, and TCP Timestamps are gone.

To reconnect to Tor following a suspend / standby / hibernation period:

  • Kicksecure: Manual time adjustment is required or the VM can simply be powered off and then powered on again. [2]
  • Kicksecure for Qubes: After resume, time adjustment is automatic and seamless. [3] [4]


See Also[edit]

Footnotes[edit]

  1. https://github.com/jonasmalacofilho/ubuntu-luks-suspendarchive.org
  2. This step will be unnecessary once hypervisor-specific post resume hooks are used, because guest clocks will be seamlessly updated upon power state changes from the host.
  3. https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sharchive.org
  4. https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sharchive.org

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!