Just had an interesting question from a colleague who has a #linux notebook and works remotely from random places:
> I've got full-disk #encryption (FDE), what else can I do for #security?
@kravietz Set a grub password!
Use OpenSCAP Workbench with the proper profile for Ubuntu, Fedora or CentOS to check compliance.
Full set of instructions (one might want to select just a few, but still):
I guess that should already help a lot :)
@sheogorath But will Grub password protect from evil maid attacks such as this one? https://github.com/nyxxxie/de-LUKS
Because the main problem is that in Ubuntu the bootloader is loaded from an unencrypted partition, which can be modified off-line...
@sheogorath BTW nail polish cannot prevent someone booting your computer from a USB stick with Kali - much easier than physically opening the laptop. I think this can also only be prevented in BIOS.
@kravietz That of course. Standard BIOS setup should include:
- BIOS update
- BIOS password for accessing settings and changing boot options
- Change boot order and disable unneeded boot devices
- Reset TPM and change to 2.0 mode
- Enable Secureboot and reset Secureboot keys
- Disable unneeded devices
- Explore further features in BIOS/firmware (like enable tamper detection, disable Intel device management, …)
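
Added example, not part of the thread: a read-only check, run from the booted Linux system, of two items on the checklist above (Secure Boot enabled, TPM in 2.0 mode). It reads the kernel's standard sysfs/efivarfs paths; the optional root argument is an assumption of this example so the checks can be pointed at a test tree, and BIOS-only settings such as the setup password or boot order are not visible from here.

```shell
#!/bin/sh
# Added example: report Secure Boot and TPM state as exposed by the kernel.
# Each function takes an optional sysfs root (default /sys); that parameter
# is an assumption of this example, used for testing against a fake tree.

# Standard UEFI global-variable GUID for the SecureBoot variable.
SB_VAR="firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Prints "enabled", "disabled", "unknown" or "legacy-bios".
secureboot_state() {
    local sys="${1:-/sys}" val
    # No EFI directory means the system was not booted via UEFI at all.
    [ -d "$sys/firmware/efi" ] || { echo "legacy-bios"; return 0; }
    [ -r "$sys/$SB_VAR" ] || { echo "unknown"; return 0; }
    # efivarfs prefixes the data with 4 attribute bytes; byte 5 is the value.
    val=$(od -An -tu1 -j4 -N1 "$sys/$SB_VAR" | tr -d ' \n')
    if [ "$val" = "1" ]; then echo "enabled"; else echo "disabled"; fi
}

# Prints the TPM major version ("2" or "1"), "unknown" or "none".
tpm_version() {
    local sys="${1:-/sys}" f
    f="$sys/class/tpm/tpm0/tpm_version_major"
    if [ -r "$f" ]; then
        tr -d ' \n' < "$f"; echo
    elif [ -d "$sys/class/tpm/tpm0" ]; then
        echo "unknown"   # TPM present, but kernel too old to expose the version
    else
        echo "none"
    fi
}

# Prints both results; returns 0 only if Secure Boot is on and the TPM is 2.0.
firmware_audit() {
    local sys="${1:-/sys}" sb tpm rc=0
    sb=$(secureboot_state "$sys")
    tpm=$(tpm_version "$sys")
    echo "Secure Boot: $sb"
    echo "TPM version: $tpm"
    [ "$sb" = "enabled" ] || rc=1
    [ "$tpm" = "2" ] || rc=1
    return $rc
}

# Check the running system.
firmware_audit /sys || echo "One or more firmware checks did not pass."
```

The result reflects what the currently booted kernel reports, so it is a configuration check for your own machine rather than evidence that the boot chain is untampered.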