Exact matches only
Search in title
Search in content
Search in posts
Search in pages

How to enhance the physical security posture of your Linux/BSD-powered PC

Secured Data Securing a computer goes beyond more than just using strong passwords. You should consider what happens if an unauthorized person gains physical access to your computer. If the only security feature protecting your data from an unauthorized person is a user account password, then you have not taken enough steps to protect your computer and your data. This article presents all the steps you could take to enhance the physical security of your Linux- or BSD-powered computer

  1. Set a BIOS Password – PC vendors generally configure their computers to boot from the hard disk, and failing that, to boot from the CD drive or other removable media. You can change this boot order by going into the BIOS setup. To prevent unauthorized persons from accessing the BIOS setup, you should enable the BIOS password. Enabling the BIOS pawword may also be used to prevent the system from booting.

    Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer, and that computer was configured to boot from the hard disk and the BIOS password was not enabled. To dispense with the head ache of having to guess your username and/or password, Mr. Bad Guy could access the BIOS and change the boot order so that the computer boots from the CD drive or other removable media like a USB drive. Now he can pop in a live CD distro into the drive, boot the computer, mount the drive and … imagine how the story ends.

    Note that some live CD distros will automatically mount the hard dirve partitions in read-only mode. When it was first released, Knoppix was like that.

  2. Password-Protect the Bootloader – The bootloaders you will most likely be using on a Linux or BSD system are LILO (LInux LOader), GRUB (GRand Unified Bootloader) legacy, GRUB 2, GAG (Spanish acronym for Graphical Boot Manager), and BTX loader.

    You can set a bootloader password if your distro is using LILO, GAG, GRUB, but not GRUB 2. You typically set the bootloader password during installation, but you may also do it on a running system. Setting a bootloader password ensures that no one with unauthorized physical access to your computer will be able to gain access to single user mode. It also locks access to GRUB’s console.

  3. Encrypt the disk – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer.
  4. Use Strong Passwords – When setting a user account password, most distros will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
    • Always choose strong passwords, minimum of eight characters.
    • Do not base the password on the username. If you are using a distro that uses the traditional root account system, do not set the root password to be the same as the regular account password.
    • Never enable the automatic login feature. Many distros have this feature. Do not use it. If you are just introducing your kid or spouse to a Linux or BSD system, do not enable this feature for them. It is a bad security practice.

    [warning]Do not write down your password(s) on a sticky note and stick it on your monitor. Also, do not store passwords unencrypted on your computer.[/warning]

  5. Implement Password Aging – The graphical user management program on some distros will allow you to set passwords to age or to expire at a certain date. An expiration time of six months is the norm. You can enable password aging on Mandriva Linux and Fedora, but not on Ubuntu, Mint, Pardus.

If you implement all five steps on all of your computers, give yourself a five star rating of paranoid. You are ultra secure (four star rating) if you implement steps 2 to 5, and secure (three star rating) if you implement only steps 3 to 5. Consider your security posture weak (two star rating) if you only implement steps 4 and 5 (user account password and password aging). You have a one star rating if you do not implement password aging. Smack yourself if you enable the automatic login feature.

Exact matches only
Search in title
Search in content
Search in posts
Search in pages
Digital Ocean SSD VPS Cloud Server droplets

Digital Ocean is a VPS/Cloud hosting provider. For just $5 per month, you can get yourself a Cloud server with 512 MB of RAM, 20 GB super-fast SSD, free snapshots, plus backups for a minimal fee. All via a simple graphical interface.

And by signing up with this referral link, you can help support this website.

If you are reading this, your ad could also be occupying this space. Contact us to make it happen.

If commenting on this article is closed, please post your comments at forum.linuxbsdos.com.


  1. Sceptic says:

    I still don’t see how all this crypto is going to protect you from someone with a $5 hammer.

  2. lj says:

    Lasander, that is indeed of limited use, but so is everything, and i would say it does slow people down (at least for a few minutes), especially if they didn’t come prepared for it.

    What might be more worrying is the possibility of someone replacing your bootloader or in linux the dm-crypt mounter by some version that does keylogging. Actually, linux is a bit lax in this as the /boot partition allows quite some space for this. If everything but the bootsector is encrypted, this is (I guess) harder.

  3. Lasander says:

    There is no point in setting a BIOS password. Once an attacker has *physical* access to your computer then there is no defense unless your drive is encrypted and if the machine is turned on at the time even whole disk encryption might not save you.

    All you need to do with a bios password when you have physical access is to reset it via jumper or just take the bios battery out for a few minutes. Doesnt even really slow people down. You could also just take the drive out and just stick it into your own machine.

    • Joseph says:

      Lasander, my case has a lock on the panel (as well as a locking front panel that covers the power/reset buttons, optical drive, etc.). They’d need to have a crowbar to get at the motherboard’s BIOS battery.

      lj, the answer to your scenario is an intrusion detection system (IDS) that compares the checksum of files with a secured copy. If that copy was on the encrypted drive, it could be run after boot to compare the bootloader signature with the stored checksum and detect a change. You could get REALLY fancy and boot from a flash drive or memory card and run in IDS on the boot partition comparing the values to those stored on the memory card to know if it’s safe to boot the PC or not. :-)

Leave a Comment