Hardening a Debian install post-installation

Hi,

I have Debian running on my Thinkpad X200 w/Libreboot.
I currently work as a sysadmin for the local council house and need them to encrypt EVERYTHING.
While I love the idea of doing this, personally when installing Debian, I forgot to set up my own encrypted disks.

My question is:

Can I use some sort of liveUSB to setup full-disk encryption without having to reinstall? I have everything setup the way I want, so uninstalling is kind of TOO deep to reinstall.

If this doesn’t work, can I backup my whole system (settings, programs, etc.), reinstall with full-disk encryption and restore the system to the way it looked before?

Thank you, guys.

EDIT: Best I could manage to do is use ecryptfs-migrate-home for my home folder. Now at least that is encrypted. Will work to see if I can encrypt the rest of my filesystem.

by them im guessing just your laptop? Is this laptop for work? connected to the corporate network? If so, local authorities usually have specific requirements on what is and isn’t allowed and to what standards systems must adhere to. If they arent, and your the sysadmin you might want to look into that as thats a pretty big hole (but thats another topic)

What are the encryption requirement? If its just for data you may be allowed to just encrypt /home which can be done post install. If you’re required to do full disk encryption, realistically the best way is to backup reinstall, unless you want to mess around with recreating the partitions and migrating the data which you might not have space for.

A reinstall may work out best as it will allow you to build your system to all the required security and system requirements, and not just the encryption.

3 Likes

Once you have your challenged addressed, if you are feeling frisky you can use the free DISA SCAP tool and latest STIGs to check out your systems at work to see if there are any other settings the STIGs recommend that you want set as well.

1 Like

This is where I was going, but local authorities don’t always apply as strict guidelines as DISA STIG, so its very dependant on what their current requirements are for electronic systems.

Oh, shoot, probably should’ve mentioned several facts, those got lost along the way:

  1. I’m in Europe, so it’s GDPR I’m worried about
  2. The workers all run Win10, so full-disk encryption and all that is a different can of worms to my Debian system
  3. my Debian system is not connected to their network, I’m something similar to a contractor, if you will.

My issue is that if I force these sweet old ladies to undertake all this OPSEC stuff they don’t even want to comprehend, I should lead the charge with my computer being secure as well. However, I started out at a time when I saw full-disk encryption as a nuisance rather than a strength. Is there a way I may correct my own ways now short of reinstalling my Debian system from scratch?

As mentioned, there is, but its not easy or simple and depends if you have the space. It might be faster to reinstall.

GDPR does not cover security of a system. There’s no requirement for full disk encryption. What controls you have on your laptop very much depend on what type of data you’ll have on it. The people you work for will be able to tell you what data protection measures you will be required to take depending on the data your handling.

You very much do not want PII on your laptop if you can avoid it, it’ll just make life easier, especially if your a contractor.

GDPR does not cover security of a system. There’s no requirement for full disk encryption. What controls you have on your laptop very much depend on what type of data you’ll have on it.

That’s true, but the council house got a country-appointed office. They issued directives I am tasked to carry out, since I know how. It’s basically follow the state-made manual and get stuff done.

I wanted to encrypt my SSD for personal reasons. I’ve got loads of space on my SSD, so there should be no problem to move it.

It’s my personal laptop, everything on it is only my personal stuff. I’ll give the encryption a shot when I have the time but it’s just for morale’s sake (so that I can show the workers HOW it can work).

It actually kinda does. It states that the data should be handled in a secure and correct fashion.
Edit - And yes, I do agree wipe and redo is quicker. LUKS might be nice when it’s in place - but I have pondered over this myself in the exact situation years ago. Did end up with the quicker way.

(perhaps we can ask Wendell to do an episode of this :wink: )

2 Likes

Which doesn’t mean encryption. GDPR says you need to use appropriate security measures but it’s not a security document.

Those measures depend on the data which will likely have other things that apply to it. If there’s no pii there’s no GDPR requirements.

2 Likes

I partially do agree. but I will not hijack the thread for it ;). However - perhaps we can both agree that encrypting data at rest in this case is preferred.

2 Likes