This talk will describe several techniques (some easy, some requiring more expertise) for securing your openSUSE system. We will also see how some tools can help you secure most of the accounts you use to access other systems or Internet services, to limit the damage from a password leak.
You will learn about on-disk encryption, password managers, multi-factor authentication (including FIDO alliance), GPG and ssh.
This talk is mostly end-user / desktop oriented and not server oriented.
Keeping your data safe
Data on your computer can be more or less sensitive
Protection matters not only against hacking
Data encryption to the rescue
• 4 ways to do it on openSUSE, depending on how much
data you want to encrypt:
‒ Full system encryption
‒ Single partition encryption
‒ Container encryption
‒ File encryption
‒ What about swap?
Full disk encryption
• Must be done at install time
• Requires an unencrypted /boot
• Will create a LUKS-encrypted partition on top of LVM
• Decryption is handled by initrd/initramfs
• Difficult to migrate to it without a full installation
• Ensures all data (system and home) is safe
• Independent of the filesystem used (btrfs compatible)
• One password to rule them all
Partition based encryption
• Same technique as full-disk encryption, but working
on a partition and not on LVM
• Can be used to encrypt only /home, but not really
usable for a multi-user setup
• Can also be used to encrypt removable devices (USB
disk, memory stick, ...). Creation is done from YaST or
the desktop environment (GNOME Disks, ...)
• Passphrase can be queried by Plymouth on boot or
by the desktop environment
Container encryption
• LUKS again, but based on a loopback file
• Creation from YaST
• Can be used to have per-user encrypted home directories,
using pam_mount:
‒ Login password is the passphrase used for encryption (easy
integration for login)
‒ Doesn't protect from eavesdropping
File encryption
• Most secure way is to use GnuPG, aka GPG
• You'll most often have to rely on the CLI:
    gpg -c < file_to_encrypt > file_encrypted
    gpg -d < file_to_decrypt > file_decrypted
• This uses symmetric encryption (-c); the passphrase is asked interactively
Beware about swap
• When not using full-disk encryption, if you are
hibernating a laptop, your memory will be written to
disk, unencrypted
• You might want to use encrypted swap to prevent
that
Accounts and password proliferation
• Then the internet came
• And now we have dozens, if not hundreds, of passwords
to remember
• And we try to come up with ways to generate and
remember those passwords
Some data about password security
• Most used passwords: 123456[78], password, qwerty,
abc123, 111111
• Most common words used: password, hello, iloveyou,
love, welcome, dragon, monkey, july
• Password lengths: 92.96% of passwords were <= 10
characters
• Not mixed enough: 40% lowercase only, 42%
lowercase+numbers, 15% numbers only
• Analysis made by LastPass.com based on the gmail
password leak of September 2015 (5M passwords)
“Treat your password like your
toothbrush. Don't let anybody
else use it, and get a new one
every six months”
- Clifford Stoll
Some precautions to take
• Don't share the same password across accounts
(websites, servers, etc.)
• Don't use a scheme to create your passwords, e.g.:
iL0veC@tsF@c3b00k / iL0veC@tsGm@1l
• Generate your passwords with a tool
• Use a password manager
• Enable 2-factor authentication
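An added example (not from the talk) tying the two previous slides together: it buckets a password the way the LastPass figures above do (lowercase only, lowercase+numbers, numbers only), gives an upper bound on its entropy, and generates a password from the OS CSPRNG instead of a memorable scheme. The class names, the symbol set and the 20-character default are my assumptions.

```python
import math
import secrets
import string

# Character classes, matching the buckets in the LastPass figures quoted above (assumed names)
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = {"lowercase": LOWER, "uppercase": UPPER, "numbers": DIGITS, "symbols": SYMBOLS}

def used_classes(password: str) -> list:
    """Names of the character classes that actually occur in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def classify(password: str) -> str:
    """Bucket a password like the slide statistics do."""
    used = used_classes(password)
    if used == ["lowercase"]:
        return "lowercase only"
    if used == ["lowercase", "numbers"]:
        return "lowercase+numbers"
    if used == ["numbers"]:
        return "numbers only"
    return "mixed"

def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming uniform random choice over the classes used.
    A human-chosen password such as 'password' is far weaker than this bound suggests."""
    alphabet = sum(len(CLASSES[name]) for name in used_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def generate_password(length: int = 20) -> str:
    """Draw each character with the CSPRNG behind `secrets` (never the `random` module) and
    retry until every class is present, so the result never lands in a weak bucket."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(used_classes(candidate)) == len(CLASSES):
            return candidate

if __name__ == "__main__":
    for sample in ("password", "abc123", "111111", generate_password()):
        print(f"{sample:24} {classify(sample):18} ~{entropy_bits(sample):.1f} bits max")
```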
Password managers
• GNOME Keyring/Seahorse, KWallet: integrated in the
desktop, little browser integration
• KeePass: a lot of features, written in C#, requires
Mono and doesn't "feel" like a Linux application
• KeePassX: port of KeePass to C++/Qt. Still not as
many features as KeePass
• Password Safe: wxWidgets based, supports copy/paste
• Pass: CLI tool, wrapping git + GPG
• LastPass: cloud-based, proprietary, but many
features
Two Factor Authentication
• Adds a second security challenge after the password is
accepted
• Can be:
‒ Secret token
‒ One-time password
‒ SMS / phone call...
• Mitigates intrusion after a password leak
One-Time passwords
• Most common:
‒ S/Key
‒ HOTP: HMAC-based One-Time Password algorithm
‒ TOTP: Time-based One-Time Password algorithm
‒ Can be implemented on Linux using PAM modules, mostly
useful for protecting ssh access
• Android clients:
‒ Google Authenticator
‒ Better to use FreeOTP from Red Hat
USB hardware token
• One of the best known is the YubiKey:
‒ Supports One-Time Password; some variants support OpenPGP,
NFC, ...
‒ Can work with PAM authentication
‒ Can be used to secure some password managers
• Initiative to standardize this for the Web (Google, etc.):
FIDO Alliance, U2F standard
‒ Only implemented in Chrome at the moment
‒ Firefox implementation in progress
‒ Initial PAM support
Have a Lot of Fun, and Join Us At:
www.opensuse.org
General Disclaimer
This document is not to be construed as a promise by any participating organisation to develop,
deliver, or market a product. It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making purchasing decisions. openSUSE makes
no representations or warranties with respect to the contents of this document, and specifically
disclaims any express or implied warranties of merchantability or fitness for any particular
purpose. The development, release, and timing of features or functionality described for
openSUSE products remains at the sole discretion of openSUSE. Further, openSUSE reserves the
right to revise this document and to make changes to its content, at any time, without obligation
to notify any person or entity of such revisions or changes. All openSUSE marks referenced in this
presentation are trademarks or registered trademarks of SUSE LLC, in the United States and
other countries. All third-party trademarks are the property of their respective owners.
License
This slide deck is licensed under the Creative Commons Attribution-ShareAlike 4.0
International license. It can be shared and adapted for any purpose (even commercially) as
long as Attribution is given and any derivative work is distributed under the same license.
Details can be found at https://creativecommons.org/licenses/by-sa/4.0/
Credits
Template
Richard Brown
rbrown@opensuse.org
Design & Inspiration
openSUSE Design Team
http://opensuse.github.io/branding-guidelines/