If the host has connectivity, this is absolutely not an airgap.
Yes
You can disable HOST networking and create one VM with networking and one VM without networking. I show you that with a screenshot soon.
So you can only live in a VM world. The HOST is unimportant.
Most important questions:
What is your threat model?
How risky is the activity you perform on your computer?
Some more considerations for your setup:
- Bubblejail uses unprivileged user namespaces, which can be a security concern itself. Firejail probably needs no explanation. Flatpak could be preferable, although it isn’t perfect either. Alternatively, you can use VMs as previously discussed, which can prevent apps from sharing the same kernel.
- SELinux may be more comprehensive than AppArmor.
- gopass is like pass but written in Go. Note that they both use PGP, which isn’t ideal. If you need a CLI password manager, you may want to consider 1Password’s CLI. Get started with 1Password CLI | 1Password Developer
- You may want to remove sudo, su, and/or doas in favor of run0. Lennart Poettering: "5️⃣ Here's the 5th installment of my series of po…" - Mastodon
- uutils, systeroid, and brush are memory-safe alternatives to coreutils, sysctl, and bash respectively.
- You may want to consider @SkewedZeppelin's Brace.
- secureblue’s post-install guide and features list may be useful. Install | secureblue
- You may want to consider Homebrew rather than pacman for CLI packages. They’ve had a recent security audit and have adjusted in response to the audit. They’re also planning to add sandboxing for packages on Linux. FAQ | secureblue
- Lastly, if and when you can get newer hardware and still want GNU/Linux, Windows Secured-Core PCs (especially the less bloated ARM ones) may be useful. Windows 11 Secured-Core PCs | Microsoft
But now I spill over to a more positive energy and summarize what was done really well.
– Very good! Awesome! Well done, exemplary.
- Compile the kernel with Control Flow Integrity (CFI), hardened patches, minimal kernel modules. (Not sure why full LTO improves security.)
- Better access control matrix (folder permissions), sysctl security in /etc/sysctl.conf and bwrap usage.
- Mullvad VPN
- Password manager, LUKS2 encryption (hopefully full disk), IOMMU protection, remove SUID from binaries.
Excellent, very competent.
– Missing (Part 2)
- No Bluetooth mouse, keyboard, headphones etc.? My headphones, mouse and keyboard are always wired.
- No Wi-Fi? I connect to the Internet by cable - I use one PCI Express x1 quad-port server network card (only Intel, Broadcom).
Always use cable. Use only S/FTP or S/STP CAT RJ45 cable.
Imagine that your bank tells you that they are deliberately using Wlan.
Difference UTP - S/STP:
PC server card:
– Stupid (Part 2)
To avoid hassle, I also have a polkit rule to always return yes to wheel users, and sudo is passwordless, so wheel == root pretty much.
- Old Hardware
Always use hardware that is supported. Security / privacy pros do not buy 8-10 year old hardware. Imagine that your bank tells you that they are deliberately using 10-year-old hardware.
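To make the "wheel == root" point concrete, here is an added illustration (not code from anyone in the thread): the quoted always-yes polkit rule beside a narrower one, evaluated with a small stand-in for polkitd's rule engine so the difference shows offline. The stand-in, the user fixtures and the two action ids used as samples are assumptions; real rules live in /etc/polkit-1/rules.d/*.rules and use the global polkit object.

```javascript
// Minimal stand-in for polkitd's JavaScript host object (constructed here, not polkit itself).
// Real polkit: addRule(fn), Result.YES / NO / AUTH_ADMIN_KEEP, NOT_HANDLED == undefined.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: undefined },
    addRule(fn) { rules.push(fn); },
    // polkitd runs rules in order; the first one returning a non-undefined value decides,
    // otherwise the action's own implicit policy applies.
    evaluate(action, subject) {
      for (const fn of rules) {
        const r = fn(action, subject);
        if (r !== undefined) return r;
      }
      return "implicit";
    },
  };
}

// Weak rule as described in the thread: every action, for every wheel member, no prompt.
// (The sudoers counterpart would be "%wheel ALL=(ALL:ALL) NOPASSWD: ALL".)
const weakPolkit = makePolkit();
weakPolkit.addRule(function (action, subject) {
  if (subject.isInGroup("wheel")) {
    return weakPolkit.Result.YES;
  }
});

// Narrower rule: one named action is granted to wheel, and it still asks for admin
// authentication (kept for a few minutes); every other action keeps its implicit policy.
// (The sudoers counterpart would be "%wheel ALL=(ALL:ALL) ALL", i.e. with a password.)
const hardenedPolkit = makePolkit();
hardenedPolkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.login1.reboot" && subject.isInGroup("wheel")) {
    return hardenedPolkit.Result.AUTH_ADMIN_KEEP;
  }
  // Returning undefined is NOT_HANDLED: fall through to other rules / implicit policy.
});

// Constructed fixtures standing in for polkit's Subject and Action objects.
const wheelUser = { isInGroup: (g) => g === "wheel" };
const plainUser = { isInGroup: () => false };
const installPkg = { id: "org.freedesktop.packagekit.package-install" };
const reboot = { id: "org.freedesktop.login1.reboot" };

function weakDecision(action, subject) { return weakPolkit.evaluate(action, subject); }
function hardenedDecision(action, subject) { return hardenedPolkit.evaluate(action, subject); }
```

Under the weak rule a wheel member gets "yes" for package installation and reboot alike; under the narrower rule only the reboot action is handled, and it still requires authentication.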
Mind sharing where you got this information?
Or
Terminals written in Rust: Alacritty, WezTerm
Avoid using terminals written in C. With Rust you eliminate 70% of all security problems in the computer world.
Alacritty uses too much RAM (about 100 MB per window vs Foot’s 15~20, adds up very fast). I’ll have a look at the other projects you mentioned. Thanks!
Can only enable CFI with LTO
Good question, I think that I had some issue with the standard version and switched to light. I’ll try switching back.
eh, I think it’s fine from my research. Running unsupported hardware is only very bad in phones because then you’re stuck on unsupported kernels
How likely is it that these ARM devices will be stuck on unsupported software 5-10 years from now?
–
Thanks everyone for the suggestions, didn’t expect this thread to be this active
It doesn’t seem like ARM support for software will be dropping anytime soon, Qualcomm, Apple, and Lenovo are doing well
Thank you for making this post, I myself have learned a lot from this topic
Yeah, but ARM isn’t very standardized hence why Linux support on phones is so spotty and even then only specific kernel versions work. I wonder if a device like this would be in a similar situation.
1 - This answer doesn’t make sense - it’s about security. If security means something to you, you accept this disadvantage.
2 - Hardware design / firmware errors cannot be fixed with OS software or can only be fixed with great difficulty. The general industry standard is: always the latest beta (hardware + software).
OK, you don’t work for a company like American Express or IBM.
Imagine your bank tells you: We only use unsupported hardware and software.
A couple of potential heads up and maybe some items to consider:
uutils (coreutils replacement) is promising but not fully POSIX compliant — may break scripts that assume traditional coreutils behavior.
It seems that WezTerm hasn’t received any security updates since 02/2024.
-------------------------------------
Some items to consider:
Not sure if it was mentioned already, but for intrusion detection you could maybe install AIDE.
A somewhat controversial recommendation would be to use LKRG.
And another one is to adopt xdg-ninja.
Rootkit detection may be something to look into.
Fail2ban may be helpful to protect against SSH brute-force attacks.
I also didn’t see any comment about DNS encryption; you can try DNSCrypt.
Proton Pass is planning a CLI, too