status-security/drafts/linux-recommendations.md

Set up a secure Linux system

Why

Free Software & Linux enable most of the Status Principles

Those principles include Security, Privacy and Censorship resistance.

🛡️ Security

It is generally believed that Linux is a very secure operating system. The security will depend largely on the distribution & setup.

Some Linux distributions have achieved a very high level of security standards & certifications.

㊙️ Privacy

Linux distributions have far greater respect for privacy than the competition from Microsoft, Google or Apple. Most Linux distributions will never require any form of identification to be installed, used or to access their app store.

🤐 Censorship resistance

Apple, Google & Microsoft operating systems, along with their respective software distribution channels (App Store, Google Play & Microsoft Store) may censor specific applications.

This is much more difficult or even impossible on Linux.

How

Install Linux in a Virtual Machine (VM)

Running Linux in a Virtual Machine is the best way to get a feel for what to expect. For some use cases, it could also be acceptable to operate long term by running Linux in a VM. But be aware that, from a security point of view, a VM and its guest operating system will always inherit the security of the host. This means that if your main host system is compromised, you should ultimately consider the guest insecure too (although this can be partially mitigated by disk encryption of the guest OS).

The most popular choice for virtualization is the free VirtualBox solution https://www.virtualbox.org/

Buy a laptop with Linux pre-installed

Some specialized computer vendors sell privacy-preserving laptops pre-installed with Linux. The most popular ones being:

Some traditional computer manufacturers now also sell laptops with Linux preinstalled:

Some manufacturers like Framework are also dedicated to supporting Linux https://frame.work/blog/linux-on-the-framework-laptop

Even if those manufacturers do not ship the specific model preinstalled with Linux in your country, the fact that a model can be shipped with Linux is still valuable information in terms of compatibility.

Install Linux on an existing computer

Hardware compatibility

In general, most Intel/AMD based computers will support Linux pretty well nowadays.

You can probably find reports on most computer models in the Linux Hardware project database https://linux-hardware.org/?view=computers

Note that Linux compatibility can vary for special hardware like docking stations.

Linux Distributions for beginners

If you are new to Linux you will most likely start with one of the following distributions as they are very easy to install & use:

The installation process should not be more difficult than installing Apple macOS or MS Windows. Most of the choices to make will be about the language, locale, timezone, keyboard & target installation disk. The copy to the disk is usually very fast nowadays (~10-20 minutes).

Note that you can still keep your previous operating system (like MS Windows) intact on a distinct partition and boot into it if necessary (for example to perform firmware upgrades).

Attention: make sure full disk encryption is enabled during the installation:

  • For Fedora: Installation Destination screen > Encryption > ☑ Encrypt my data
  • For Ubuntu: Installation Type screen > Advanced features > ☑ Encrypt the new Ubuntu installation for security
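
To confirm after the first boot that the encryption option took effect, the following added example (not part of the original guide) checks whether a mount point is backed by a dm-crypt/LUKS device. It assumes the util-linux tools findmnt and lsblk are installed; the script name check-fde.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original guide): confirm after installation
# that a mount point really sits on an encrypted (dm-crypt/LUKS) device.

# crypt_layers: read "NAME TYPE" rows on stdin, in the format printed by
# `lsblk -s -rno NAME,TYPE DEVICE`, and print the name of each dm-crypt layer.
crypt_layers() {
    awk '$2 == "crypt" { print $1 }'
}

# is_encrypted PATH: return 0 if the device stack under the filesystem that
# holds PATH contains a dm-crypt layer, 1 if not, 2 if it cannot be resolved.
is_encrypted() {
    src=$(findmnt -n -o SOURCE -T "$1") || return 2
    # Btrfs subvolumes are reported as "/dev/mapper/x[/subvol]"; keep the device.
    src=${src%%\[*}
    # -s walks from the filesystem's device down to the physical disk.
    stack=$(lsblk -s -rno NAME,TYPE "$src") || return 2
    [ -n "$(printf '%s\n' "$stack" | crypt_layers)" ] || return 1
}

# report PATH...: print one status line per path.
report() {
    for mp in "$@"; do
        if is_encrypted "$mp"; then
            echo "$mp: encrypted"
        else
            echo "$mp: NOT encrypted (or not resolvable)"
        fi
    done
}

# Runs only when asked, e.g.:  sh check-fde.sh --check / /home
if [ "${1:-}" = "--check" ]; then
    shift
    report "$@"
fi
```

The check covers mounted filesystems only; a swap partition is not a mount point and has to be inspected separately.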

Other Linux Distributions

Other popular Linux distributions include:

and many more https://distrowatch.com/

Getting familiar

Most Linux distributions' desktop environments are based on Gnome. You should first get familiar with its UI and common applications.

Software sources

  • 🟢 Linux distribution official repositories
    • Examples: Debian or Fedora repositories
    • Trust: very high, with usually fast updates
    • Software usually sourced: base Operating System, Firefox, Chromium
  • 🟡 Third-party repositories
    • Examples: RPM Fusion, Flathub, Google repo, Microsoft repo
    • Trust: Lower, updates may vary
    • Software usually sourced: Brave, Google Chrome, Bitwarden
  • 🟡 Browser extensions
    • Examples: Chrome web store, Firefox add-ons
    • Trust: Low, Depends
    • Updates: Automatic
    • Software usually sourced: Metamask, Bitwarden
  • 🟡 Third party websites
    • Examples: Status website, Ledger website
    • Trust: Depends
    • Updates: not automatic usually (AppImage)
    • Software usually sourced: Status Desktop, Ledger Live, Bitwarden

The case of the Ubuntu Snap store

By default Ubuntu Software uses the Snap Store, which has an unconventional model: a large selection of software is easily available, but of varying quality.

It is very convenient but the security model & controls applied are rather weak.

If you use Ubuntu, try to limit yourself to software where Canonical is the verified 🟢 developer or where you can verify that a third-party vendor indeed controls the package.

Applications distribution

Distribution package managers

Most applications on Linux are distributed as .rpm (on Fedora & Red Hat derived systems) or .deb (on Ubuntu or Debian derived systems). Most likely you won't have to deal with those directly, as installation & updates are transparent in the Software application.

For most software, you should first look if it is available in this format through your distribution official repository and Gnome Software.

🟠 Those packages require admin or root privileges to be installed.

AppImage

AppImage is a popular format for distributing portable software on Linux without admin privileges. It is a bit similar to macOS .dmg image files.

Applications such as Status Desktop and LedgerLive Desktop are distributed in this format on Linux.

You will have to make the .AppImage files executable to run them, as explained in the Quickstart.

🟢 AppImages do not require admin or root privileges to be used.
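
Because an AppImage downloaded from a website is not checked by the package manager, one option is to set the executable bit only after the file's digest matches a published value. This is an added example, not taken from the Status or Ledger documentation; it assumes the publisher lists a SHA-256 digest for the release, and the file name shown is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Status or Ledger documentation).
# Make a downloaded AppImage executable only if its SHA-256 digest matches
# the value the publisher lists for that release (assumed to be available).

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# trust_appimage FILE EXPECTED_SHA256
# Returns 0 and sets the owner-executable bit on a match. On a mismatch it
# clears every executable bit and returns 1; malformed input returns 2.
trust_appimage() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters; reject anything else so
    # a truncated copy-paste cannot be mistaken for a valid value.
    case $expected in
        *[!0-9a-f]*) echo "digest contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 2; }

    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        chmod u+x -- "$file"
    else
        chmod a-x -- "$file"
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Usage (placeholders):
#   trust_appimage ./Example.AppImage "<digest copied from the release page>"
```

A matching digest only shows that the file is the one the publisher listed; copy the digest from the publisher's own page over HTTPS, not from the place the file was mirrored.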

Flatpak

Flatpak is an emerging format & ecosystem supported by default on many Linux distributions such as Fedora, CentOS, Clear Linux, Elementary, Pop!_OS, PureOS, etc.

🟢 Flatpak does not require admin or root privileges to be installed & some sandboxing features are available.

Snap

Snap is an emerging format & ecosystem supported by default on many Linux distributions such as Ubuntu or Manjaro.

🟢 Snap does not require admin or root privileges to be installed & some sandboxing features are available.

Updates

Gnome Software & Ubuntu Software will indicate when software updates are available.

Gnome Software updates tab

Depending on the types of updates, a computer restart may or may not be required to apply them.

On Fedora, to quickly apply security updates only: sudo dnf upgrade -y --security

Common applications

Web browsers

Try to stick to Firefox or Chromium because they are usually provided, hardened & updated by the Linux distribution.

Please do not install any extensions besides things you really need (like Metamask).

Bookmark important URLs (Uniswap, etc.) once you have verified them.

Status Desktop

Status Desktop is available for Linux as an AppImage https://github.com/status-im/status-desktop/releases

You are responsible for downloading the latest AppImage when a new version is released.

LedgerLive Desktop

LedgerLive is distributed as an AppImage and available on the Ledger official website https://www.ledger.com/ledger-live/download

You are responsible for updating LedgerLive from within the application itself.

More things you can do

Optional