> I think I could do this with Ubuntu, but am open to suggestions.
I haven't built a bootable, encrypted USB drive, but I've worked
with Ubuntu's encryption enough to know that it's a good candidate for
this project.
All of my Ubuntu workstations, servers, and Virtual Machines have
full-disk encryption. I just built a couple of 6TB RAID6 servers with
full-disk encryption on the RAID array, and they can be unlocked using a
$7 hardware USB key (no passphrase required). I've also built an
external USB disk backup system that used encrypted USB drives; the
decryption key is on the server that they back up, and the udev script
handles all mounting and unmounting, so they can be plugged in (and
unplugged) and the backup software Just Works. No need to mount, type a
passphrase, etc.
If you just do a standard install using the Ubuntu "Alternate" CD,
there will be an option to use full-disk encryption. The installer will
make an unencrypted 250MB /boot partition for you, and the rest of the
disk (incl. swap) will be AES-256 encrypted. That right there may be
all you need.
> Read-only OS partition, passphrase encrypted.
A read-only OS partition may be difficult to implement. Plugging
into a DHCP network will write resolv.conf in /etc. Daemons will write
to various places like /var/run/, /var/log, etc. Security upgrades
will write all over the place (/sbin, /usr, etc.). Doing admin tasks as
root will write to /root/.bash_history.
Thanks,
Derek Simkowiak
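The keyfile-driven auto-unlock described above, as an added example that is not Derek's script and not part of the original thread. The udev rule in the header comment, the keyfile path /etc/usb-backup/luks.key, the mount point /mnt/usb-backup, the mapper-name scheme, and the DRY_RUN switch are all assumptions made for this illustration; the LUKS tooling calls (cryptsetup isLuks, luksOpen, luksClose) are standard.

```shell
#!/bin/sh
# Added example (not Derek's script): udev helper that unlocks a LUKS-encrypted
# backup drive with a keyfile kept on the server, mounts it, and closes it on
# removal. Keyfile path, mount base and naming scheme are assumptions.
#
# Assumed udev rule (constructed), e.g. /etc/udev/rules.d/90-usb-backup.rules:
#   ACTION=="add",    SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", \
#       RUN+="/usr/local/sbin/usb-backup add %k"
#   ACTION=="remove", SUBSYSTEM=="block", RUN+="/usr/local/sbin/usb-backup remove %k"

KEYFILE="${KEYFILE:-/etc/usb-backup/luks.key}"   # assumed path; root-only, mode 0400
MOUNT_BASE="${MOUNT_BASE:-/mnt/usb-backup}"      # assumed mount base
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands instead of running

# Derive the device-mapper name from the kernel name: sdb1 -> usbbackup_sdb1
mapper_name() {
    printf 'usbbackup_%s\n' "$1"
}

# Run a command, or echo it when DRY_RUN=1 so the logic can be exercised without root.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Refuse to proceed unless the keyfile exists and is readable only by its owner.
check_keyfile() {
    [ -f "$1" ] || { echo "keyfile $1 missing" >&2; return 1; }
    perms=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        400|600) return 0 ;;
        *) echo "keyfile $1 has mode $perms, expected 0400/0600" >&2; return 1 ;;
    esac
}

# Handle one udev event: "add <kernel-name>" or "remove <kernel-name>".
handle_event() {
    action=$1
    kname=$2
    dev="/dev/$kname"
    name=$(mapper_name "$kname")
    case "$action" in
        add)
            check_keyfile "$KEYFILE" || return 1
            # Only act on real LUKS containers so a stray unencrypted stick is ignored.
            if [ "$DRY_RUN" != "1" ]; then
                cryptsetup isLuks "$dev" || return 0
            fi
            run cryptsetup luksOpen --key-file "$KEYFILE" "$dev" "$name"
            run mkdir -p "$MOUNT_BASE/$kname"
            run mount -o noexec,nosuid,nodev "/dev/mapper/$name" "$MOUNT_BASE/$kname"
            ;;
        remove)
            # The device is already gone: release the mount, then close the mapping.
            run umount -l "$MOUNT_BASE/$kname"
            run cryptsetup luksClose "$name"
            ;;
        *)
            echo "unknown action: $action" >&2
            return 2
            ;;
    esac
}

# Dispatch when invoked by udev; with no arguments only the functions are defined.
case "${1:-}" in
    add|remove) handle_event "$1" "$2" ;;
    "") : ;;
    *) echo "usage: $0 add|remove <kernel-name>" >&2; exit 2 ;;
esac
```

Running it with DRY_RUN=1 (for example `DRY_RUN=1 ./usb-backup add sdb1`) prints the cryptsetup and mount commands that would be executed, which is a convenient way to check the rule wiring before handing the script to udev. The mount options and the keyfile permission check are the two places where a practitioner would tighten things further to suit the server's policy.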
On 11/18/2009 12:10 PM, Ted Stern wrote:
Hi all,
I'm interested in putting together a customized secure thumb drive
linux distribution as a demo project.
Primary goals:
- Security, security, security. This OS should make any HW safe to
run on, and provide a safe environment from which to connect to a
secure network from outside the firewall, via secure VPN.
- Read-only OS partition, passphrase encrypted.
- Run solid anti-virus, firewall and rootkit detectors by default.
[Is rootkit detection necessary if /boot, /bin, /sbin, /usr and
/etc are read-only?]
- Read-write /home partition, at least 1GB, passphrase encrypted, to
store persistent user data.
- Backup software to mirror user data when plugged into secure
docking station.
- Mechanism to upgrade OS partition on a regular basis to handle
security updates.
- Support for secure VPN software.
Optional goodies:
- Either KDE or Gnome available from kdm/gdm login screen.
- Netbook edition.
- Firefox, OpenJDK, VNC, texlive, OpenOffice, etc.
- Non-free software such as Adobe Macromedia Flash, Skype, etc.
The idea here is to demonstrate that, rather than provide a secure
laptop to every employee who needs access from outside, you could
accomplish the same goals with a secure bootable thumb drive.
Departments could save capital, avoid the Microsoft tax and make
employees more productive.
I'm shooting for OS + packages under 7GB, which I think is more than
reasonable. On a 16GB USB drive, you could have a relatively large
user space for under 40 dollars.
I think I could do this with Ubuntu, but am open to suggestions.
The floor is open ... :-)
Ted