I am trying to enhance the security of my Fedora system. For personal and sensitive reasons, I need to implement overkill-level security measures. I have attempted to encrypt my /boot partition using PBKDF2 and my root partition with Argon2id, but this has proven to be quite difficult (so far, I have not been successful).
I am aware that encrypting /boot does not provide substantial protection, especially against sophisticated attack vectors like the Evil Maid attack or cold boot attacks. However, I really like Fedora and would prefer to stick with it if possible.
Given my high-security needs, I am looking for any possible ways to harden Fedora for someone who is extremely paranoid about data security. I’m even considering advanced techniques like encrypting RAM—although I realize this might sound far-fetched, my situation involves highly sensitive data that needs maximum protection.
Would you recommend switching to a more security-focused OS like Qubes OS? I would greatly appreciate any help or suggestions you can provide.
You should look into using “Unified Kernel Image”, UKI, to boot your system.
It allows the Secure Boot key to protect you from power-on to entering Linux.
The GRUB boot does not.
Thank you very much — this seems like a pretty good idea. However, I do not want to place my trust in additional hardware, which, for various reasons, might still be exploitable. I understand that this level of paranoia never truly ends, but every person has a sense of what feels secure enough for them.
So, basically: is it possible to place /boot and the headers on a regular USB drive that is also encrypted with LUKS2, and then use that during boot? I’m not very advanced when it comes to using Fedora, so if there’s any guide or documentation on how to implement this setup, I would really appreciate it if you could link it for me.
One quick question as well: don’t you think that instead of spending so much effort on complex configurations, I should focus more on improving the physical security of the system? After all, if someone can, for example, install a hardware keylogger, what’s the point of all this?
If some gang stole my hardware and I got it back, I would unlock my LUKS encrypted data, back it up, then replace the hard disk and clean install. If some law enforcement agency got a hold of my hardware, even if I got it back, I would personally treat it as permanently rootkit’d and replace it.
IMO, encrypted root + regular EFI + boot partitions are “good enough” for most reasonable, realistic use cases. Putting your EFI and boot partitions on a separate device, and keeping that on your person or in a safe, would go a long way without over-complicating things.
I’ve managed to avoid becoming a high-risk target, but friends and colleagues have not been as lucky in their choices of employment, so I have some insight into the extra work and costs involved at the level of nation-state targets. Many have been required to segregate sensitive activities onto systems without network access that get locked up when not being used, protocols that include a very short list of allowed programs, frequently wiping disks and reinstall, etc. They end up spending a good part of their time on security measures.
You may want to make an exception to your no extra hardware for Yubikey. Apple has special treatment for high-risk users, and also works with Yubikey. You might consider running Fedora in a VM on Apple hardware.
How far are you willing to go with it? Unless you’ve vetted all the code involved and compiled everything:
Fedora → Red Hat → IBM → US Gov
SELinux → NSA → US Gov
US Gov has a history of backdoors and other software compliances. Without continuous full vetting, you’re entrusting your data in those conditions.
It sounds like you’d want a more enterprise-like OS like RHEL. I’d argue you can get harder physical security easier with Windows.
Physical security like encrypted RAM is trusting magic against unknown determination. You gotta hope your RAM is encrypted and scrambled as ideally as it should be on paper (along with ambient temps, stuff like row hammer, etc.), and hope the physical intruder isn’t government-backed with unlimited funds, or savvy enough to just call up the motherboard MFG for their backdoor key.
Sensitive data would be safe on an air-gapped PC with guards and a moat, and not really matter what OS is running.
That’s not something you can do as a user. You need hardware which does this automatically.
To have somewhat sane boot security on desktop Linux you would need UKI + Secure Boot + distrusting all other keys for Secure Boot (not every device can do that) + a device with good firmware security + password-protected UEFI settings + a LUKS2-protected OS and data.
I am not sure Fedora is the right choice for that. For example some mobile OSes like GrapheneOS are way more secure. To help you further you would need to present a threat model.
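As an added example that is not part of any post in this thread: a small POSIX shell audit for three of the items on the list above, namely Secure Boot being on, the kernel having been started from a UKI (Fedora's UKIs use systemd-stub), and every LUKS2 keyslot using the KDF you intend (argon2id on root, as the original poster wants). Each function reads stdin or a path, so it can be run against the live system or against captured `cryptsetup luksDump` output. The luksDump text embedded below is constructed and trimmed, not a real header; the two GUIDs are the real ones (EFI_GLOBAL_VARIABLE for the SecureBoot variable, and systemd's loader vendor GUID for the StubInfo variable systemd-stub sets). `audit_live_system` is an assumed wrapper name, not a Fedora tool.

```sh
#!/bin/sh
# Added example, not code from the thread: checks for three of the items above
# (Secure Boot on, kernel started by the UKI stub, LUKS2 keyslots on the intended KDF).
# Every function reads stdin or a path so it can be tested on captured data.

# Print "<slot> <kdf>" for each keyslot in `cryptsetup luksDump` (LUKS2) output on stdin.
luks_keyslot_kdfs() {
  awk '
    /^Keyslots:/                 { in_slots = 1; next }
    in_slots && /^[A-Za-z]/      { in_slots = 0 }        # next top-level section (Tokens:, ...)
    in_slots && /^  [0-9]+: /    { slot = $1; sub(":", "", slot) }
    in_slots && /^[ \t]+PBKDF:/  { print slot, $2 }
  '
}

# Succeed only if the header is LUKS2 and every keyslot uses the KDF named in $1.
# Root should be argon2id; a /boot that GRUB unlocks is limited to pbkdf2, since
# upstream GRUB's luks2 module implements no Argon2 variant.
luks_require_kdf() {
  want=$1
  dump=$(cat)                                   # buffer stdin; it is scanned twice
  version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2 }')
  if [ "$version" != "2" ]; then
    printf 'not a LUKS2 header (Version: %s)\n' "${version:-unknown}" >&2
    return 1
  fi
  bad=$(printf '%s\n' "$dump" | luks_keyslot_kdfs |
        awk -v want="$want" '$2 != want { printf "%s:%s ", $1, $2 }')
  if [ -n "$bad" ]; then
    printf 'keyslots not using %s: %s\n' "$want" "$bad" >&2
    return 1
  fi
  return 0
}

# The UEFI SecureBoot variable as exposed by efivarfs: 4 attribute bytes, then 1 data
# byte. Succeed when that byte is 1. GUID 8be4df61-... is EFI_GLOBAL_VARIABLE.
#   secureboot_enabled < /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
secureboot_enabled() {
  value=$(tail -c 1 | od -An -tu1 | tr -d ' \n')
  [ "$value" = "1" ]
}

# systemd-stub (the EFI stub inside Fedora's UKIs) sets StubInfo under its vendor GUID,
# so its presence in efivarfs means the running kernel was started from a UKI.
booted_via_systemd_stub() {
  efivars=${1:-/sys/firmware/efi/efivars}
  [ -e "$efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" ]
}

# Run all three against the live machine (root needed for luksDump), e.g.
#   audit_live_system /dev/nvme0n1p3      (assumed wrapper name, not a Fedora tool)
audit_live_system() {
  secureboot_enabled < /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c \
    && echo "Secure Boot: enabled" || echo "Secure Boot: DISABLED"
  booted_via_systemd_stub && echo "UKI: booted via systemd-stub" || echo "UKI: not detected"
  cryptsetup luksDump "$1" | luks_require_kdf argon2id && echo "LUKS: all keyslots argon2id"
}

# Constructed, trimmed luksDump output (not a real header): slot 0 argon2id, slot 1 pbkdf2.
SAMPLE_DUMP_MIXED='LUKS header information
Version:        2
Epoch:          5

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 2000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Same dump with only the argon2id slot: the state one wants for the root volume.
SAMPLE_DUMP_ARGON=$(printf '%s\n' "$SAMPLE_DUMP_MIXED" |
                    awk '/^  1: luks2/ { skip = 1 } /^Tokens:/ { skip = 0 } !skip')
```

`luks_require_kdf pbkdf2` is the check to run on a GRUB-unlocked /boot volume, and `luks_require_kdf argon2id` on root; a slot that silently stayed on pbkdf2 after a `cryptsetup luksConvertKey` or a re-added passphrase is exactly what it catches. Secure Boot state can be cross-checked with `mokutil --sb-state`, and the UKI check is the same signal `bootctl status` reports when it says the system booted via systemd-stub.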