If you care about your privacy, you'd better read what follows carefully ;). Basically, these are some rules of thumb to avoid common pitfalls, plus a few tricks to protect your privacy as much as possible.
- Useful IT policies
- Use GNU/Linux (Ubuntu-based distros are not perfect but a good start, Xubuntu for instance; give Exherbo a try if you're brave enough)
- Don't use binaries downloaded from the Internet; compile every program yourself to the extent possible
- Forbid proprietary software as well - see the alternatives below in this article
- Encrypt your whole HDD (and any other external ones) - see right below
- DO NOT INSTALL Facebook nor Twitter on your Android phone (or Cyanogen)
Before you start reading this article, you might be interested in this webpage, a complete documentation of how encryption works on Linux.
Secure your computer and encrypt (part of) your local hard disk drive
First, set all possible BIOS passwords (usually one for the administrator and one for the user(s); each password grants different rights in the BIOS, for example sensitive settings are accessible to the administrator only).
Secondly, set HDD passwords from the BIOS panel (again, one for the administrator and one for the user; both have the same purpose and rights: they unlock the HDD so that it can be read and written).
Full disk encryption
Then, to encrypt your whole disk, you have 3 options:
- Use the Ubuntu built-in installer to encrypt the whole disk; this erases EVERYTHING on the disk.
- Use the Ubuntu built-in installer together with GParted to encrypt the whole disk (choose "Something else" at the partitioning step); more flexible.
- DIY. It allows you to keep a dual boot installation.
In any case, here is how to write a new Xubuntu image onto a USB stick:

```sh
lsblk   # Identify the USB stick: of= below MUST be the stick, not your system disk
sudo dd if=/home/user/Downloads/xubuntu-15.10-desktop-amd64.iso of=/dev/sdb \
    bs=1M && sudo sync
```
Please notice that with LUKS encryption your computer is still vulnerable as long as the boot partition is unencrypted: the kernel and initramfs stored there are readable and modifiable by anyone with physical access to the disk, so the BIOS and HDD passwords above are what stands between an attacker and your boot chain.
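To see which mounted filesystems actually sit on a dm-crypt mapping and which ones (typically /boot, the EFI partition or an unencrypted swap) are readable without a passphrase, the following added Python script, which is not part of the original post, walks the JSON tree printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`. The embedded lsblk output is a constructed sample modelled on the setup described on this page (a LUKS root with a plain /boot, plus the external myhdd mapping), not a capture from a real machine; on your own system, feed it the real command output instead.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not a real capture):
# a LUKS-encrypted root with a plaintext /boot and EFI partition, an unencrypted swap
# partition, and an external disk opened as the "myhdd" mapping.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
      {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
      {"name": "sda4", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "sda4_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "myhdd", "type": "crypt", "fstype": "ext4", "mountpoint": "/mnt/hdd"}
      ]}
    ]}
  ]
}
"""


def walk(devices, ancestors=()):
    """Yield (device, ancestors) for every node of the lsblk tree, depth first."""
    for dev in devices:
        yield dev, ancestors
        yield from walk(dev.get("children", []), ancestors + (dev,))


def classify_mounts(lsblk_json):
    """Return {mountpoint: "encrypted" | "plaintext"} for every mounted filesystem.

    A filesystem counts as encrypted when it is, or sits below, a dm-crypt
    mapping (lsblk type "crypt"). Anything else is stored in the clear.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    result = {}
    for dev, ancestors in walk(tree):
        mountpoint = dev.get("mountpoint")
        if not mountpoint:
            continue
        chain = ancestors + (dev,)
        encrypted = any(node.get("type") == "crypt" for node in chain)
        result[mountpoint] = "encrypted" if encrypted else "plaintext"
    return result


def plaintext_mounts(lsblk_json):
    """Sorted list of mountpoints whose data is readable without a passphrase."""
    return sorted(mp for mp, state in classify_mounts(lsblk_json).items()
                  if state == "plaintext")


if __name__ == "__main__":
    for mountpoint, state in sorted(classify_mounts(SAMPLE_LSBLK_JSON).items()):
        print(f"{mountpoint:12} {state}")
    print("readable without a passphrase:", plaintext_mounts(SAMPLE_LSBLK_JSON))
```

Swap shows up as plaintext in the sample on purpose: a plain swap partition receives pages of memory, so even with an encrypted root the content of running programs can end up on disk in the clear.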
/home encryption (using the filesystem called eCryptfs)
Encrypt an external HDD with dm-crypt and LUKS
Find the correct device (e.g. /dev/sdb1 for a second internal SATA HDD) and unmount it:

```sh
sudo aptitude update ; sudo aptitude install cryptsetup
sudo modprobe dm-crypt sha256 aes   # Enable modules, might be already done
lsblk
sudo umount /dev/sdb1
sudo dd if=/dev/urandom of=/dev/sdb bs=4K   # Optional: fill the WHOLE disk with random data so that free space is indistinguishable from ciphertext (slow)
```
Create one big partition using the whole space (the partition type must be Linux):

```sh
sudo fdisk /dev/sdb
```
Encrypt the partition using LUKS:

```sh
sudo cryptsetup --verify-passphrase -c aes-xts-plain64 -s 512 \
    -h sha256 luksFormat /dev/sdb1
# aes-xts-plain64 with a 512-bit key (XTS splits it into two 256-bit AES keys),
# SHA-256 as the passphrase hashing algorithm
```
Open the encrypted partition (it becomes available as /dev/mapper/myhdd) so that the filesystem can be created:

```sh
sudo cryptsetup luksOpen /dev/sdb1 myhdd
```
Format it, test mounting, then close everything:

```sh
sudo mkfs.ext4 /dev/mapper/myhdd -L <LABEL> -m 1
# -m specifies the percentage of the filesystem blocks reserved
# for the super-user
sudo mkdir /mnt/hdd
sudo mount /dev/mapper/myhdd /mnt/hdd
df -H
sudo umount /mnt/hdd
sudo cryptsetup luksClose /dev/mapper/myhdd
sudo eject /dev/sdb
```
Optional step, after disconnecting and reconnecting the device (the desktop mounts it under /media):

```sh
sudo chown user:user /media/disk
```
You can check the filesystem (with the mapping open but the filesystem unmounted) using:

```sh
fsck -vy /dev/mapper/myhdd
```

Finally, you might want to back up the LUKS header or add or change keys (passphrases); if so, look up some keywords on the Internet, like
Automount encrypted HDDs with LUKS on bootup
Add this line to /etc/crypttab:

```
mycryptedhdd UUID=00000000-0000-0000-0000-000000000000 none luks,tries=3
```

You can find the UUID using blkid /dev/sdb. You can also directly enter the path /dev/sdb. none means there's no keyfile, so you'll have to type the passphrase. tries is the number of attempts you get.

Then add this line to /etc/fstab:

```
/dev/mapper/mycryptedhdd /mnt/mounteddirectory ext4 defaults 0 0
```

mycryptedhdd must be the same name as used before. /mnt/mounteddirectory is where the encrypted disk will be available. ext4 is the filesystem used on the disk (see step 5). The first 0 means the device will not be backed up by the dump utility; the second 0 means the device will never be automatically checked by the
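As an added example (not from the original post), here is a small Python checker that cross-reads /etc/crypttab and /etc/fstab and reports the mismatches that typically break an automount at boot: a /dev/mapper name in fstab with no crypttab entry, a crypttab mapping that nothing mounts, a source given as a /dev/sdX path that can change between boots instead of UUID=, and a keyfile that would unlock the disk without a passphrase. The two embedded files are constructed samples: the mycryptedhdd lines reproduce the entries above, the other lines are deliberately wrong so that the checker has something to report.

```python
import re

# Constructed /etc/crypttab and /etc/fstab samples (not taken from a real machine).
# The mycryptedhdd lines mirror the entries shown above; the other lines are deliberately broken.
SAMPLE_CRYPTTAB = """\
# <target name> <source device>                           <key file>     <options>
mycryptedhdd    UUID=00000000-0000-0000-0000-000000000000 none           luks,tries=3
data_crypt      /dev/sdc1                                 /root/data.key luks
"""

SAMPLE_FSTAB = """\
# <file system>                           <mount point>         <type> <options>         <dump> <pass>
UUID=11111111-1111-1111-1111-111111111111 /                     ext4   errors=remount-ro 0      1
/dev/mapper/mycryptedhdd                  /mnt/mounteddirectory ext4   defaults          0      0
/dev/mapper/orphan_crypt                  /mnt/orphan           ext4   defaults          0      2
"""

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_tab(text, min_fields):
    """Split a crypttab/fstab-style file into field lists, dropping comments and blank lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < min_fields:
            raise ValueError(f"line {lineno}: expected at least {min_fields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def check_crypttab_fstab(crypttab_text, fstab_text):
    """Cross-check crypttab against fstab and return a sorted list of warning strings."""
    warnings = []
    crypt_names = set()
    for fields in parse_tab(crypttab_text, 2):
        name, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        crypt_names.add(name)
        if source.startswith("UUID="):
            if not UUID_RE.match(source[len("UUID="):]):
                warnings.append(f"crypttab {name}: malformed UUID in {source!r}")
        elif not source.startswith("/dev/disk/by-"):
            # /dev/sdX names are assigned in detection order and move when a disk is added or removed
            warnings.append(f"crypttab {name}: source {source!r} is not a stable identifier; prefer UUID=")
        if keyfile not in ("none", "-"):
            # A keyfile unlocks the volume with no passphrase; it must never sit on plaintext storage
            warnings.append(f"crypttab {name}: keyfile {keyfile!r} must be stored on an encrypted or removable volume")

    mounted_names = set()
    for fields in parse_tab(fstab_text, 4):
        spec, mountpoint = fields[0], fields[1]
        if spec.startswith("/dev/mapper/"):
            name = spec[len("/dev/mapper/"):]
            mounted_names.add(name)
            if name not in crypt_names:
                warnings.append(f"fstab {mountpoint}: {spec} has no matching crypttab entry, so the mount fails at boot")
    for name in crypt_names - mounted_names:
        warnings.append(f"crypttab {name}: mapping is opened at boot but never mounted by fstab")
    return sorted(warnings)


if __name__ == "__main__":
    for warning in check_crypttab_fstab(SAMPLE_CRYPTTAB, SAMPLE_FSTAB):
        print(warning)
```

Run it against the real files with `check_crypttab_fstab(open("/etc/crypttab").read(), open("/etc/fstab").read())`; an empty list means the mapper names line up and every source is addressed by a stable identifier.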
Encrypt what you put on Cloud Storages
This part is inspired by this blog post. I highly recommend encrypting content you put online, whether on proprietary platforms such as Google Drive or Dropbox, or even on ownCloud.

```sh
sudo apt-get install ecryptfs-utils
sudo modprobe ecryptfs        # Optional, the module is usually loaded automatically
mkdir ~/Dropbox/Encrypted     # This directory will be synced online; its content is encrypted
mkdir ~/SecureDropbox         # You'll put your unencrypted files here
sudo mount -t ecryptfs ~/Dropbox/Encrypted ~/SecureDropbox
# At the prompts: choose a passphrase (it acts as the password), cipher aes with a 32-byte key,
# and disable plaintext passthrough. Filename encryption might be useful; I would enable it.
```

Filename encryption might require one more command to be run if your content is shared across more than one computer:
Encrypt one single file
```sh
# Encrypt
openssl aes-256-cbc -in yourfile.txt -out file.enc      # OR: gpg -c yourfile.txt
# Decrypt
openssl aes-256-cbc -d -in file.enc -out yourfile.txt   # OR: gpg yourfile.txt.gpg
```

Two caveats with the openssl variant: without the -pbkdf2 option (OpenSSL 1.1.1 and later), openssl enc derives the key from your password with a single hash iteration, which makes password guessing cheap, and CBC mode offers no integrity protection, so a modified file.enc silently decrypts to garbage. gpg -c uses an iterated, salted key derivation and adds an integrity check, which is a good reason to prefer it.
Free alternatives to proprietary software
- Mozilla Firefox
- Atom (Sublime Text is proprietary)
- Vim or Emacs
- Inkscape (vector)
- Which SSH key should you choose? RSA, DSA or Ed25519?
- NSA - About BULLRUN
- How to Destroy a Laptop with Top Secrets [cccamp15]
- How to encrypt your emails (Thunderbird + GPG)
- OpenPGP Best Practices
- I have nothing to hide.
- tmpfs & Speed up your browser by putting its cache in RAM
- Why privacy matters
- Your Password is Too Damn Short
- NSA-proof SSH
- Secure Secure Shell
- Armchair cryptography
- My first (real) PGP key
- Explaining public-key cryptography to non-geeks
- The self-hosting noob
- Do not underestimate credentials leaks
- It’s Always Sunny in Reykjavik (or) How I NSA-Proofed my Email
- Things not to do on Tor
- The IoT may be dangerous! Beware!
- What every Browser knows about you
- Panopticlick - Is your browser safe against tracking?
- Am I Unique?
- Should you encrypt or compress first?
- Protect your Documents with GPG
- Yes, You Have Something to Fear
- Something to Fear
- how to make the internet not suck (as much)
- Simple DNS Ad Blocker
- Shared lists of problem domains people may want to block with hosts files
- Everything your browser can give away about you
- Configuring Firefox
- “I have nothing to hide. Why should I care about my privacy?”
- Firefox extensions to protect your privacy
- Two-factor authentication (2FA): yes, but not just any way!