Improving your openSUSE workstation security

Post on 16-Jan-2017


Improving your openSUSE workstation security

Frédéric Crozat fcrozat@suse.com


Agenda

• Encrypting data

• Let's talk about passwords

Data security


Keeping your data safe

• Data on your computer can be more or less sensitive

• Protection is needed not only against hacking, but also against physical access to the disk (a lost or stolen laptop, a discarded drive)


Data encryption to the rescue

• 4 ways to do it on openSUSE, depending on how much data you want to encrypt:

‒ Full system encryption

‒ Single partition encryption

‒ Container encryption

‒ File encryption

• What about swap?


Full disk encryption

• Must be done at install time

• Requires an unencrypted /boot (the bootloader and the initrd have to be readable before anything can be unlocked)

• Creates a LUKS-encrypted partition with LVM on top of it: the volume group, and so every logical volume (/, /home, swap), lives inside the LUKS container

• Decryption is handled by the initrd/initramfs, which prompts for the passphrase at boot

• Difficult to migrate to without a full reinstallation

• Ensures all data (system and home) is protected

• Independent of the filesystem used (btrfs compatible)

• One password to rule them all



Partition based encryption

• Same technique as full-disk encryption, but applied to a single partition instead of an LVM volume group

• Can be used to encrypt only /home, but not really usable for a multi-user setup: every user has to know the same partition passphrase

• Can also be used to encrypt removable devices (USB disk, memory stick...). Creation is done from YaST or from the desktop environment (GNOME Disks, ...)

• Passphrase can be queried by Plymouth on boot, or by the desktop environment when the device is plugged in


Partition-based encryption (YaST)


Container encryption

• LUKS again, but on top of a loopback file

• Creation from YaST

• Can be used to have per-user encrypted home directories, using pam_mount:

‒ The login password is the passphrase used for encryption (easy integration: the home is unlocked at login)

‒ Doesn't protect against eavesdropping on that password: whoever captures your login password also holds the key to your data



File encryption

• For individual files, GnuPG (aka GPG) is the tool of choice

• You'll most often have to rely on the CLI:

gpg -c < file_to_encrypt > file_encrypted

gpg -d < file_to_decrypt > file_decrypted

• -c (--symmetric) uses symmetric, passphrase-based encryption: no key pair is needed, but the passphrase has to be shared with whoever must decrypt the file, so pick a strong one (see the password section)


Beware about swap

• When not using full-disk encryption, if you hibernate a laptop the whole contents of memory (including keys and passwords) are written to the swap partition unencrypted

• You might want to use encrypted swap to prevent that. Two choices: a random key regenerated at every boot (simplest, but then resuming from hibernation is impossible because the image can no longer be decrypted), or a LUKS-encrypted swap unlocked with a passphrase (works with hibernation, at the cost of one more prompt at boot)
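The two swap setups above are told apart by their /etc/crypttab line, and the mistake to avoid is pointing the kernel's resume= at a swap whose key changes on every boot. The following audit is an added example written for this page (not part of the original deck, not an openSUSE tool): it parses crypttab, reads resume= from a kernel command line and reports the two failure modes. It covers the non-FDE case only, since with full-disk encryption swap is an LVM volume inside the LUKS container and does not get its own crypttab line. The crypttab lines, device names and command lines are constructed samples.

```python
"""Audit /etc/crypttab swap entries against the kernel's resume= setting.

Added example for the swap slide (not part of the original deck): it tells
the two ways of encrypting swap apart and flags the hibernation conflict.
Only the non-FDE case is covered: with full-disk encryption swap is an LVM
volume inside the LUKS container and never appears in crypttab on its own.
The crypttab lines and kernel command lines below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CryptEntry:
    name: str
    device: str
    keyfile: str
    options: Set[str] = field(default_factory=set)

    @property
    def volatile(self) -> bool:
        """True when swap contents cannot survive a reboot: a fresh key is
        read from the kernel RNG every boot, or the 'swap' option re-runs
        mkswap on every boot. Either way a hibernation image is lost."""
        return self.keyfile == "/dev/urandom" or "swap" in self.options


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse the four whitespace-separated crypttab fields:
    <name> <device> <key file> <options>; the last two are optional."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append(CryptEntry(fields[0], fields[1], keyfile, options))
    return entries


def resume_device(cmdline: str) -> Optional[str]:
    """Return the value of resume= from the kernel command line, if any."""
    for token in cmdline.split():
        if token.startswith("resume="):
            return token[len("resume="):]
    return None


def audit_swap(crypttab: str, cmdline: str) -> List[str]:
    """Return findings as 'SEVERITY name: message' strings; an empty list
    means the swap setup and the hibernation setup agree with each other."""
    entries = parse_crypttab(crypttab)
    target = resume_device(cmdline)
    findings = []
    # Only /dev/mapper/<name> targets are recognised; a resume= that uses
    # a by-uuid path to the mapped device would need extra resolution.
    mapped = {f"/dev/mapper/{e.name}" for e in entries}
    for e in entries:
        if e.volatile and target == f"/dev/mapper/{e.name}":
            findings.append(
                f"ERROR {e.name}: resume= points at volatile swap; the "
                "hibernation image cannot be read back after a reboot")
    if target is not None and target not in mapped:
        findings.append(
            f"WARNING {target}: resume device is not in crypttab, so "
            "hibernation writes the whole of RAM to disk unencrypted")
    return findings


# Constructed samples: random key (fine for suspend-to-RAM and shutdown)
# versus a LUKS volume unlocked with a passphrase at boot (hibernation OK).
RANDOM_KEY_SWAP = "cr_swap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256\n"
LUKS_SWAP = "cr_swap /dev/sda3 none luks\n"

if __name__ == "__main__":
    for tab in (RANDOM_KEY_SWAP, LUKS_SWAP):
        result = audit_swap(tab, "root=/dev/sda2 resume=/dev/mapper/cr_swap")
        print(tab.strip(), "->", result or ["OK"])
```

Run it as root against the real files (`audit_swap(open("/etc/crypttab").read(), open("/proc/cmdline").read())`) to check a machine; the random-key line is the one to use when you never hibernate, the LUKS line when you do.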

Accounts and passwords


Remembering password

• Once upon a time, there was one password to remember


Accounts and password proliferation

• Then the internet came

• And now we have dozens if not hundreds of passwords to remember

• And we try to come up with ways to generate and remember those passwords


Some data about password security

• Most used passwords: 123456[78], password, qwerty, abc123, 111111

• Most common words used: password, hello, iloveyou, love, welcome, dragon, monkey, july

• Password lengths: 92.96% of passwords were <= 10 characters

• Not mixed enough: 40% lowercase only, 42% lowercase + numbers, 15% numbers only

• Analysis made by LastPass.com based on the Gmail password leak of September 2015 (5M passwords)


“Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months”

- Clifford Stoll


Some precautions to take

• Don't share the same password across accounts (websites, servers, etc.)

• Don't use a scheme to derive your passwords: iL0veC@tsF@c3b00k, iL0veC@tsGm@1l... one leaked password gives away the scheme, and with it all the others

• Generate your passwords with a tool (a random generator, not your brain)

• Use a password manager

• Enable two-factor authentication
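What "generate your password with a tool" buys you is measurable: a random generator draws every character independently, so the work an attacker faces is length times log2 of the alphabet, whereas a scheme like the one above has a fixed part and a guessable part. The generator below is an added example written for this page, not something from the deck or from any of the password managers listed later; it uses only the Python standard library, and its eight-entry WORDS list is a constructed placeholder for a real word list (a diceware list has 7776 words).

```python
"""Generate passwords with the OS CSPRNG and report how much entropy they carry.

Added example for the "generate your password with a tool" advice; it is
not from the original deck and uses only the standard library. WORDS is a
constructed eight-word placeholder: a real passphrase list (for example a
diceware list) has thousands of entries.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WORDS = ["acid", "bison", "crane", "delta", "ember", "flint", "gloom", "hazel"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform draws from `choices` symbols.
    This is the figure a brute-force attacker faces when the generator is
    random; a human scheme such as iL0veC@ts + site name has far less,
    because the scheme is fixed and only the site name varies."""
    return picks * math.log2(choices)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random characters from `alphabet`, drawn with secrets (not
    random, whose Mersenne Twister output is predictable from a few samples).
    Rejection sampling enforces the usual one-of-each-class site rule while
    keeping the accepted passwords uniformly distributed among themselves."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if length < len(classes):
        raise ValueError("need at least 4 characters to cover every class")
    if not all(set(alphabet) & set(cls) for cls in classes):
        raise ValueError("alphabet must contain all four character classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type and remember than a random
    string; with a 7776-word list six words give about 77 bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def strength_report(length: int = 20, words: int = 6, list_size: int = 7776) -> dict:
    """Entropy of the two generator settings, rounded to one decimal."""
    return {
        "password_bits": round(entropy_bits(len(ALPHABET), length), 1),
        "passphrase_bits": round(entropy_bits(list_size, words), 1),
    }


if __name__ == "__main__":
    print(random_password(), passphrase(), strength_report())
```

Anything you generate this way goes straight into the password manager; the point of the passphrase variant is the one or two secrets you do have to type, such as the disk passphrase and the manager's master password.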


Password managers

• GNOME Keyring/Seahorse, KWallet: integrated in the desktop, not much in the browser...

• KeePass: a lot of features, written in C#, requires Mono and doesn't "feel" like a Linux application

• KeePassX: port of KeePass to C++/Qt. Still not as many features as KeePass

• Password Safe: wxWidgets based, supports copy/paste

• Pass: CLI tool wrapping git + GPG

• LastPass: cloud-based, proprietary but many features...


Two Factor Authentication

• Adds a second security challenge after the password is accepted

• Can be:

‒ Secret token (hardware key)

‒ One-time password

‒ SMS / phone call...

• Mitigates intrusion after a password leak: the stolen password alone is not enough to log in


One-Time passwords

• Most common:

‒ S/Key

‒ HOTP: HMAC-based One-time Password Algorithm (counter-based)

‒ TOTP: Time-based One-time Password Algorithm (HOTP with the counter derived from the current time)

‒ Can be implemented on Linux using PAM modules (for instance pam_oath or the google-authenticator PAM module), mostly useful for protecting ssh access

• Android clients:

‒ Google Authenticator

‒ Best to use FreeOTP from Red Hat
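HOTP and TOTP are small enough to write out in full, which makes clear what the PAM module or the phone app actually computes. The code below is an added example written for this page (not from the deck, not from pam_oath, google-authenticator or FreeOTP), in standard-library Python, checked against the test vectors in RFC 4226 and RFC 6238. The secret RFC_SECRET is the RFCs' shared test key; "JBSWY3DPEHPK3PXP" is a constructed base32 string of the kind an app reads from an enrolment QR code.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, with a server-side
verifier that tolerates clock skew and refuses replays.

Added example for the one-time password slide; it is not from the original
deck and needs only the standard library. RFC_SECRET is the RFC test vector
key and "JBSWY3DPEHPK3PXP" is a constructed base32 example of the form
Authenticator apps take from a QR code.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, so client and server only need the same clock."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shared at enrolment (padding is optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret: bytes, code: str, now: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts the current step and `window` steps either
    side for clock skew; returns the accepted step so the caller can store it,
    and rejects steps <= `last_used` so an observed code cannot be replayed
    within its validity window. hmac.compare_digest keeps the comparison
    constant-time."""
    current = now // step
    for c in range(current - window, current + window + 1):
        if c > last_used and hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


RFC_SECRET = b"12345678901234567890"  # shared test key from RFC 4226 / 6238

if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP({counter}) = {hotp(RFC_SECRET, counter)}")
    print("TOTP at t=59 (8 digits) =", totp(RFC_SECRET, 59, digits=8))
```

Two details matter in practice and are easy to get wrong in a home-grown PAM setup: the server must remember the last accepted step (otherwise a code shoulder-surfed or phished in the last minute is still good), and the skew window should stay small, since every extra step doubles the attacker's odds per guess.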


USB hardware token

• One of the best known is YubiKey:

‒ Supports one-time passwords; some variants also support OpenPGP, NFC...

‒ Can work with PAM authentication

‒ Can be used to secure some password managers

• Initiative to standardize this for the Web (Google, etc.): FIDO Alliance, U2F standard

‒ Only implemented in Chrome ATM

‒ Firefox implementation in progress

‒ Initial PAM support

Thank you.

Secure your passwords NOW!

Questions?

Have a Lot of Fun, and Join Us At: www.opensuse.org

General Disclaimer

This document is not to be construed as a promise by any participating organisation to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. openSUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for openSUSE products remains at the sole discretion of openSUSE. Further, openSUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All openSUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE LLC, in the United States and other countries. All third-party trademarks are the property of their respective owners.

License

This slide deck is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. It can be shared and adapted for any purpose (even commercially) as long as attribution is given and any derivative work is distributed under the same license.

Details can be found at https://creativecommons.org/licenses/by-sa/4.0/

Credits

Template: Richard Brown rbrown@opensuse.org

Design & Inspiration: openSUSE Design Team http://opensuse.github.io/branding-guidelines/