Linux.com

Feature: Wireless & Mobile

Securing Linux laptops

By Rick Cook on January 07, 2008 (9:00:00 PM)


Laptops and notebooks are being stolen at an ever-increasing rate. In 2004, Safeware Insurance, which sells computer insurance, estimated 600,000 laptops and notebooks a year were being stolen. In 2006 an estimated 750,000 were being swiped, according to Absolute Software, a company that makes computer tracking products -- and does not support Linux. LoJack For Laptops, another computer tracing company -- which also does not support Linux -- says FBI statistics show 2 million laptop and notebook computers were stolen in the US in a recent year. While the figures may not agree in detail, they all show that laptop and notebook theft is a major problem -- and if you're not careful, your Linux laptop might be next.

While you can find dozens of products to secure Windows laptops, security products for Linux laptops are scarcer -- but they do exist. We found products and fixes ranging from security patches for the operating system to encryption to the equivalent of computer bicycle locks, all of which can help keep your Linux laptop or notebook safe.

Before we get to how to protect yourself, you need to accept a depressing statistic. According to the FBI, 97% of stolen computers are never recovered. While you can do things to better your odds (see the sidebar) you pretty much have to accept the fact that when your notebook disappears, it's gone and so is everything that was on it.

There are three problems with having a computer stolen: the loss of the machine, the loss of the information on it, and the possible security breach if that information includes sensitive information or client data. Each of those problems requires a different approach.

Insurance

The economic loss is the easiest to deal with. Insure your system.

If you have homeowners or renters' insurance, you may already be covered. If not, you can usually get a policy rider to cover your computers, including your laptop. This is usually the cheapest way to do it, but you may not like the terms and conditions. For example, there is likely to be a hefty deductible.

You can also insure through a specialist company like Safeware. Such policies are usually more expensive than a rider on your homeowner's policy, but they tend to be more flexible. For example most specialist companies will allow you to insure your laptop for enough to completely cover replacement.

Be sure you understand just what you are getting. You need to make sure your computer is covered when you're away from home. Also, make sure you're covered for the current replacement value of your machine rather than something like the cash value, which is typically much lower.

The cost will depend on the value of your computer. Some homeowners' policies automatically include several thousand dollars in computer coverage for free. A rider or a special policy will probably cost in the neighborhood of $100 to $200 a year.

Protecting your work

If you're doing important work on your system, you want to get your data back even if you never see the computer again. One way to do that is to make frequent backups of your critical files to a device that isn't left connected to the computer. This can be an external hard drive or, more conveniently, a USB thumb drive.

Another approach is to do your non-confidential work on Web applications such as the Google Docs word processor. Google then stores the information no matter what happens to your computer. (Of course this assumes you've properly secured your computer against Wi-Fi threats and such -- but if you haven't, you've got bigger problems.)

And of course you can just email your work to yourself at frequent intervals. If you want more security you can encrypt the emails before sending them.

Encrypt your disk

Encrypting your system doesn't prevent someone from stealing your laptop, but it will prevent anyone from getting at the information on the system.

The actual risk that a thief will try to get at the information on your computer is pretty small. Although there are hundreds of thousands of laptops stolen each year, there are few cases reported in the news where the information on them was used by the bad guys. Mostly laptop thieves want to resell the hardware as quickly as possible and don't care about the information.

Encrypting your disk is easy and cheap enough that there's no reason to risk misuse of your data, even with a purely personal machine, where you may store passwords, credit card numbers and other personal information. Of course in the business case you have to be able to prove that thieves can't get at the data. If you can't definitely prove it, you're probably in trouble. If the stolen laptop has customer information, such as Social Security numbers, on it, your whole company has a problem and you may show up in the news.

Encryption alternatives

When it comes to disk encryption there are two approaches. One is to encrypt only part of the information on the disk. The other is to encrypt everything.

While you can encrypt files or folders individually, you're much more secure if you encrypt the entire disk. If the operating system is available, the attack surface is enormously increased. Not only are there unobvious vulnerabilities, such as files in the print spool, but there are more possibilities for getting around the file encryption.

One common method of full disk encryption allows the computer to begin to boot and then prompts for a user name and a password to complete the boot. This is convenient, which is why it's common, but it does involve a certain amount of exposure since it uses the system's boot routine.

An alternative method, using a USB flash drive, is described in our disk encryption HOWTO. This uses a USB flash drive holding GRUB, a minimal kernel, and an initrd. The setup has just enough brains to ask for a password, set up the encryption mechanism, and mount the encrypted disk. After mounting, the device resumes the boot process from the encrypted disk.

The most common way to set up an encrypted Linux system is to establish a small partition to handle booting and encrypt everything else on the disk. This is more secure than file-level encryption, but it still exposes the boot partition to crackers. How much of a problem that presents is somewhat controversial. Some people think the added risk is negligible or non-existent, while others believe it poses a significant additional risk beyond true full disk encryption.

If you want stronger encryption than that you can use a utility that requires a separate key before you can even start booting.

A number of products let you encrypt only specific files, directories, and such. For example, dm-crypt uses the device-mapper built into the Linux 2.6 kernel as a basis for block-level encryption. Device-mapper creates virtual block devices on top of physical block devices such as disks, and dm-crypt uses that ability to encrypt just about any kind of block device you want encrypted.

Dm-crypt lets you pick the encryption method from among several symmetric ciphers, as well as the key length, and then create a device in /dev. Writes and reads to the new device are then automatically encrypted and decrypted.
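To check which cipher and key length a dm-crypt device actually ended up with, you can read the device-mapper table. The following is an added example, not code from the article or from the dm-crypt project: it parses `dmsetup table` output and flags questionable settings. The sample lines and device names are constructed, and the assumption is that keys appear as zeroed hex or as a kernel keyring reference.

```python
from dataclasses import dataclass

@dataclass
class CryptMapping:
    name: str
    cipher: str       # e.g. "aes"
    mode: str         # chaining mode, e.g. "xts" or "cbc"
    iv: str           # IV generator, e.g. "plain64" or "essiv:sha256"
    key_bits: int     # total key material handed to dm-crypt
    backing_dev: str  # major:minor of the underlying block device

    @property
    def cipher_key_bits(self):
        # XTS splits the key material into two equal-sized keys.
        return self.key_bits // 2 if self.mode == "xts" else self.key_bits

def parse_dmsetup_table(text):
    """Return a CryptMapping for every crypt target in `dmsetup table` output."""
    mappings = []
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        fields = rest.split()  # start length target cipher key iv_offset device offset
        if len(fields) < 8 or fields[2] != "crypt":
            continue
        cipher, _, tail = fields[3].partition("-")
        mode, _, iv = tail.partition("-")
        key = fields[4]
        if key.startswith(":"):   # keyring reference ":<bytes>:<type>:<description>"
            key_bits = int(key.split(":")[1]) * 8
        else:                     # hex string (zeroed unless --showkeys is given)
            key_bits = len(key) * 4
        mappings.append(CryptMapping(name.strip(), cipher, mode, iv, key_bits, fields[6]))
    return mappings

def findings(m):
    """Flag settings a reviewer would question on a laptop disk."""
    issues = []
    if m.mode == "cbc" and m.iv.startswith("plain"):
        issues.append("CBC with sector-number IVs is predictable; use XTS or an ESSIV IV")
    if m.cipher_key_bits < 128:
        issues.append(f"cipher key is only {m.cipher_key_bits} bits")
    return issues

# Constructed sample output; device names, sizes and numbers are made up.
SAMPLE = "\n".join([
    "cryptroot: 0 487872512 crypt aes-xts-plain64 " + "0" * 128 + " 0 8:3 4096",
    "cryptswap: 0 8388608 crypt aes-cbc-plain " + "0" * 32 + " 0 8:2 0",
    "crypthome: 0 209715200 crypt aes-xts-plain64 :64:logon:cryptsetup:home-d0 0 8:5 32768",
    "vg0-data: 0 104857600 linear 8:6 2048",
])

if __name__ == "__main__":
    for m in parse_dmsetup_table(SAMPLE):
        print(m.name, f"{m.cipher}-{m.mode}-{m.iv}", m.cipher_key_bits, findings(m) or "ok")
```

On a real system, feed it the output of `dmsetup table` run as root instead of the constructed sample.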

TrueCrypt creates encrypted devices, such as disk volumes, and encrypts and decrypts them on the fly without user intervention. Versions of TrueCrypt earlier than v4.1 suffer from the same vulnerability as older 2.6 kernels.

Of course, encryption implies keys, and those in turn imply key management. You need to be able to get into your system even if you lose a key. Needless to say, you don't keep a physical key with your computer. One common practice is to put a memory stick containing the key on your (physical) key chain. If you use a disk to hold your key you can stick the disk in your pocket or purse. Don't put it in your laptop case and always take it with you if you leave your machine.

Find your stolen system

If your system is stolen, you may be able to find it again if the thief connects to the Internet. There are a couple of products for Windows that do this, but none for Linux.

However, you can set up your own tracking system by using a dynamic DNS provider, such as DynDNS, and setting up a client to keep track of the computer's actual IP address. If your computer is stolen, you can look for your DNS entry with ping. If you find it online, you can use traceroute or something similar to find the gateway your computer is using. Then you can contact the police and the thief's ISP to get your computer back.

(Of course this technique is not foolproof. If the thief reformats the hard disk, you're out of luck. Unfortunately a lot of thieves, or their fences, do reformat disks as a matter of course. Still, implementing this system is simple enough to do and can work against an unsophisticated crook.)
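The client side of that tracking setup, as an added example that is not code from the article or from any dynamic DNS provider: it sends an update only when the public address changes and separates fatal replies from retryable ones. The update server and reply codes follow the dyndns2 convention and are an assumption about your provider; the hostname, the credentials and the `get_public_ip` and `send` callables are hypothetical placeholders.

```python
import base64
from urllib.parse import urlencode

UPDATE_HOST = "members.dyndns.org"   # dyndns2-style update server (assumed; check your provider)
FATAL = {"badauth", "nohost", "notfqdn", "numhost", "abuse", "badagent"}

def build_update(hostname, ip, user, password):
    """Return (url, headers) for one dyndns2-style update request."""
    query = urlencode({"hostname": hostname, "myip": ip})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "User-Agent": "laptop-tracker/0.1"}
    return f"https://{UPDATE_HOST}/nic/update?{query}", headers

def interpret(body):
    """Map the provider's one-line reply to ok / fatal / retry."""
    code, _, detail = body.strip().partition(" ")
    if code in ("good", "nochg"):
        return "ok", detail
    if code in FATAL:
        return "fatal", code      # configuration problem: retrying will not help
    return "retry", code          # dnserr, 911 or anything unrecognised

def run_once(state, cfg, get_public_ip, send):
    """One pass of the client. `get_public_ip` and `send` are injected so the
    logic can be exercised offline; in real use they wrap HTTPS requests."""
    ip = get_public_ip()
    if ip == state.get("last_ip"):
        return "unchanged"        # providers penalise needless repeat updates
    url, headers = build_update(cfg["hostname"], ip, cfg["user"], cfg["password"])
    status, _ = interpret(send(url, headers))
    if status == "ok":
        state["last_ip"] = ip     # only remember addresses the provider accepted
    return status

# Constructed configuration: hostname and credentials are placeholders. The
# credentials sit on the laptop, so use an account that can update only this host.
CFG = {"hostname": "mylaptop.example.org", "user": "tracker", "password": "update-key"}
```

Run `run_once` from cron or a network-up hook so the record is refreshed whenever the laptop joins a new network.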

Compliance policy issues

Increasingly, security is about compliance with various laws and regulations. HIPAA, Sarbanes-Oxley, and a host of others mandate that data be protected. More than that, most of these mandates require that companies be able to prove the data is protected.

Where this gets sticky for Linux is that to meet those requirements, many companies mandate that only approved products be used for security. Since the approved lists are typically Windows-centric, it can be hard for Linux users to get products for their laptops approved.

There are two ways for Linux users to deal with the situation. Either check and see if your company's chosen security products come in a Linux version or get your security people to agree to let you use a Linux product.

A surprising number of security companies do offer Linux versions of their products, more than laptop Linux' market penetration actually warrants. For instance, Check Point Software Technologies specializes in data protection with emphasis on big enterprises, and most of its business is focused solidly on Windows. Yet Check Point's full disk encryption software also supports Linux. The reason, ironically, is that Check Point aims its business at large enterprises, in which a certain number of non-Windows laptops, running, say, Linux, need to be protected.

Alternatively, you can try to convince the IT security people that there are products available for Linux that offer equivalent levels of security, but this can be a long, hard slog.

And finally

Keep in mind that most of these methods are not foolproof. If a thief has your computer, technical knowledge, and persistence, it is hard to keep the information secure. But few thieves have the knowledge, equipment, or interest to break into a well-protected system.

The only truly foolproof security method is to not have sensitive data on your laptop or notebook in the first place.

How much protection is enough? Ultimately you have to decide.

Rick Cook has been writing about computers and high technology for nearly 30 years. He started on Linux on kernel v1.2 with Slackware. He is also the author of a number of fantasy novels full of bad computer jokes.


Comments

on Securing Linux laptops

Note: Comments are owned by the poster. We are not responsible for their content.

Personal Responsibility

Posted by: Anonymous [ip: 68.126.207.182] on January 07, 2008 10:30 PM
I used to be overly paranoid about online identity theft, until one day, there was a backpack theft incident on campus. I lost ~100 USD, and since I've realized how closely intertwined physical security and personal responsibility are.

#

Re: Personal Responsibility

Posted by: Anonymous [ip: 66.122.165.197] on January 07, 2008 10:47 PM
Don't most governments make sure they can identify any computer user from their IP? So is it really identity theft if you were simply notified of surveillance before you log on?

#

Re(1): Personal Responsibility

Posted by: Anonymous [ip: 70.20.27.31] on January 29, 2008 08:09 PM
Guud poynt. Pleez tern awn Spel Chek soe uthurz kin figger owt wut yer sayen. Thaync Ewe! Chow.

#

Re: Personal Responsibility

Posted by: Anonymous [ip: 66.122.165.197] on January 07, 2008 11:00 PM
Most governments make sure they can identify a computer user from their IP, so is it theft if you are told that you are being surveilled before you log in?

#

Securing Linux laptops

Posted by: Anonymous [ip: 66.122.165.197] on January 07, 2008 10:35 PM
A couple of designs come to mind that allow a convenient way to carry your laptop with you. The smaller size of the Eee PC might allow something like a book strap from the days before backpacks to allow a shoulder strap like a guitar or accordion. Certain neck straps provide a portable desk environment. Some RC model controllers have similar types of support. Also clothing like the tummy hand warmer pocket could be incorporated into attire used to carry a small device.

#

Securing Linux laptops

Posted by: Anonymous [ip: 212.123.198.242] on January 08, 2008 09:10 AM
For OS X there's actually a very neat application that works with this problem. It's a piece of software that checks the status of your laptop against a server. Now if you have called the company and reported your laptop stolen, the status will be tagged as such and the MacBook will start using its built-in webcam to take screenshots and report back as much information as it can. This shouldn't be too difficult to make for Linux as well. The only downside is that most PC laptops get equipped with webcams that have an LED next to them when the cam is turned on. MacBooks do not, so it's harder to see if the cam is active on a MacBook.

#

Securing Linux laptops

Posted by: Anonymous [ip: 81.149.222.247] on January 08, 2008 09:38 AM
And how about using the built-in IDE/SATA disk password to forbid access to the hard disk by anybody not knowing the password? Extremely strong (the disk is no more than a brick if you lose the password) and no slowdown at all after the disk has had its password. And there is free software "disk2brick" stuff.

#

disc trees

Posted by: Anonymous [ip: 66.122.165.196] on January 09, 2008 02:09 AM
And how about using a two-port SATA controller on a hard drive to build a supercomputer topology accessible by the top node or other possible configurations? I mention this as chips continue to become more efficient.

#

Securing Linux laptops

Posted by: Anonymous [ip: 75.110.98.106] on January 08, 2008 03:00 PM
There is also the simple expedient of using a USB drive (thumb or disk, depending on need of course) for the secure/proprietary data, and taking the drive with you or otherwise locking it up when not in active use.

The laptop itself can be stolen without losing the data, and if it's encrypted then stealing the drive isn't going to do any good. Just don't store them together.

#

Where do the thieves sell the laptops?

Posted by: Anonymous [ip: 82.192.250.149] on January 08, 2008 04:50 PM
Who is buying these laptops? Is there really a legitimate market for used laptops? Nobody I know has ever bought a used laptop. Also, nobody I know has ever sold one, either. You tend to stick with a laptop that works for you until it's obsolete, then give it away and buy a new one.

#

Re: Where do the thieves sell the laptops?

Posted by: bricks on January 09, 2008 03:10 PM
There is a huge market for used laptops. I have owned at least a dozen and have never bought a new one. I don't believe any of the ones I have ever bought were stolen, but rather good IBM Thinkpads that had come off corporate leases. You can get a really good T40 for about $350 bucks on eBay and with Ubuntu it runs very fast, so why shell out big bucks for a new laptop? Anyway...laptops clearly get stolen, and these thieves obviously have resources to unload them.

#

Securing Linux laptops

Posted by: Anonymous [ip: 64.81.36.118] on January 08, 2008 05:45 PM
yes, there is a market for used laptops. just look on ebay, craigslist etc. for most people a used laptop is a better value.

#

Securing Linux laptops - avoid checkpoint at all costs.

Posted by: Anonymous [ip: 202.45.90.181] on January 08, 2008 06:27 PM
Contrary to what the article suggests, checkpoint is not a linux friendly company at all, just try finding a current linux client for their VPN software.
In my dealings with them, they first told me that it would cost a lot if I wanted a linux client, when I said OK, my company will pay how much will it cost, they eventually after much prodding came back with the responses that there was not enough demand/too technically complicated. My opinion is that you should avoid them like the plague.

#

Securing Linux laptops

Posted by: Anonymous [ip: 68.146.205.60] on January 08, 2008 07:32 PM
Encfs is a 3rd option for encrypting files on the hard disk. This can be supplemented with libpam-encfs to automatically mount the encrypted home directory when a user logs in. I have been using this system for approximately 18 months and am happy with it. It is also important to encrypt your frequent backups and destroy the out of date ones.

Ultimately you have to accept that most stolen laptops end up on Ebay as 'spares', you actually get more cash by splitting the machine up. You just have to ensure that the data is as hard to access as possible. So set BIOS boot password, drive boot password and encrypt what you can.

#

Securing Linux laptops

Posted by: Anonymous [ip: 210.8.218.110] on January 08, 2008 10:00 PM
Perhaps this is somewhere that the Linux BIOS project can innovate: implement something (optional of course) that can perform the DynDNS solution at a low level. Make it something that can't be reset with a simple power cycle reset and it will make thieves lives a nightmare (so might have to be compiled in by the user)... Their only option would be to replace BIOS chips, and I don't think petty thieves are going to do that...

#

Securing Linux laptops

Posted by: Anonymous [ip: 196.36.166.25] on January 09, 2008 07:42 AM
Just use Ubuntu, you can encrypt your entire hard drive at install time, make frequent backups of your data and get some insurance for your laptop and you're all good :D

Love Linux
www.buyxonline.com

#
