Not sure if this has been discussed before, but for a home-based setup, what are some best practices to secure a Windows, Mac, or Linux computer in case there is a home break-in? I know I should have encryption like BitLocker and FileVault enabled at all times. The good news is that since there is no battery, if the desktops are physically removed, I’m assuming the encryption will be enabled and make it difficult, if not impossible, to access the data.
Anyone here use a USB key to unlock or lock their desktops? Is this a good security measure as well?
The main thing is to have a strong password and encryption enabled. So like you said, enable BitLocker, FileVault, whatever the native encryption feature is. I also like using Find My to track my stuff, and you can also remotely wipe your phone that way if you want.
I’d say unlocking your device with a security key is actually worse for a home break-in because they can just steal the key too and have full access to your machine. Use a password/biometrics. iOS and Android have anti-theft features that require biometric authentication to change certain settings and things like that, so it’s good to enable that.
With macOS, I’m not sure if I want to use my Apple ID for privacy reasons. I’m pretty sure that means I can’t use Find My. Do you trust it enough to use it?
With a USB key, wouldn’t I carry it with me like a phone? How could it be worse for security?
Not sure if this has been discussed before, but for a home-based setup, what are some best practices to secure a Windows, Mac, or Linux
Windows:
Use the actual BitLocker (available at Pro and above), not the device encryption version of Home.
Do not use TPM2.0 as a standalone decryption method. Choose passphrase + TPM2.0 or passphrase for decrypting your hard drives.
Set the encryption to 256-bit instead of 128 via GPOs.
The default on Windows is AES-XTS 128-bit.
Use Secure Boot
Set up a BIOS password and deactivate USB-Boot, IP-Boot and other boot methods so that only your primary SSD is able to boot.
Linux:
Use a strong passphrase with LUKS
Use Secure Boot
Set up a BIOS password and deactivate USB-Boot, IP-Boot and other boot methods so that only your primary SSD is able to boot.
Add a GRUB password so no one is able to boot from older kernels without a password
if the desktops are physically removed, I’m assuming the encryption will be enabled and make it difficult, if not impossible, to access the data.
At least on Windows, if you do not use Windows Pro and above and do not harden Windows BitLocker, there is a good chance someone might get to the data.
Anyone here use a USB key to unlock or lock their desktops? Is this a good security measure as well?
USB-key/FIDO2 are, like TPM2.0, a good MFA, but I would avoid it as a single factor. So if you do set up a FIDO2-encrypted LUKS, make sure you also need some sort of password.
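The Windows advice in the post above can be checked against what `manage-bde -status` reports. The following is an added example, not part of the original post: it parses that output and flags a cipher that is not 256-bit, protection that is off, and a standalone TPM protector. It assumes English-locale output, and the sample text is constructed rather than captured from a real machine.

```python
import re

# Constructed sample of `manage-bde -status` output, not captured from a real machine.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""

def parse_status(text):
    """Return {volume: {"fields": {...}, "protectors": [...]}}."""
    volumes, current, in_protectors = {}, None, False
    for line in text.splitlines():
        header = re.match(r"Volume (\S+:)", line)
        if header:
            current = volumes.setdefault(header.group(1), {"fields": {}, "protectors": []})
            in_protectors = False
        elif current is None or not line.strip():
            continue
        elif line.strip() == "Key Protectors:":
            in_protectors = True  # following indented lines are protector names
        elif in_protectors:
            current["protectors"].append(line.strip())
        elif ":" in line:
            key, value = line.split(":", 1)
            current["fields"][key.strip()] = value.strip()
    return volumes

def audit(volumes):
    """Flag the weak settings discussed in the thread."""
    findings = []
    for name, vol in volumes.items():
        method = vol["fields"].get("Encryption Method", "none")
        if vol["fields"].get("Protection Status") != "Protection On":
            findings.append((name, "protection is not on"))
        if "256" not in method:
            findings.append((name, "cipher is not 256-bit: " + method))
        if "TPM" in vol["protectors"]:  # exact match: TPM with no PIN or passphrase
            findings.append((name, "TPM-only protector unlocks without a passphrase"))
    return findings

if __name__ == "__main__":
    print(audit(parse_status(SAMPLE_STATUS)))
```

On a real machine, feed it the text of `manage-bde -status` run from an elevated prompt; the "Numerical Password" entry is the recovery password and is deliberately not treated as a boot-time factor.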
If you are worried about robbery, like @KathyM said you should consider physical security. Locks, dogs, hardened doors and windows, security vaults, etc. Even if your data would be secured by encryption, your devices will either be lost or rendered untrustworthy if an unauthorized person gains access to them.
Avoid Ring cameras but perhaps consider security cameras that watch areas where unauthorized people have no right to enter and authorized people don’t spend private time (or turn them off while authorized people use those areas).
Also something I forgot to mention, but Kensington locks are an option. It won’t stop a dedicated thief but might at least slow them down/discourage them.
It can be bypassed under certain physical attacks, such as:
Evil Maid Attacks: An attacker with physical access can modify the boot process (e.g., tamper with the bootloader, kernel, or initramfs) to log your passphrase or install malware.
Cold Boot Attacks: If the device is suspended (not shut down), RAM may retain encryption keys, which can be extracted using specialized techniques.
Hardware Keyloggers: Devices can be fitted with keylogging hardware to capture the passphrase as it’s entered.
Unencrypted /boot Partition: Most LUKS setups leave /boot unencrypted, allowing attackers to alter boot components to intercept keys or passwords.
Evil Maid Attacks: An attacker with physical access can modify the boot process (e.g., tamper with the bootloader, kernel, or initramfs) to log your passphrase or install malware.
This would require that you, after the attacker modified the device, type the passphrase into the device, which is not in the threat model of a robbery.
For such attacks you have Secure Boot with your own keys, so that modified software doesn’t boot.
Cold Boot Attacks: If the device is suspended (not shut down), RAM may retain encryption keys, which can be extracted using specialized techniques.
Okay, good point. There is a boot parameter and sysctl you can set to prevent such attacks.
Hardware Keyloggers: Devices can be fitted with keylogging hardware to capture the passphrase as it’s entered.
You need to trust your hardware, otherwise no encryption and no security mechanism will help you.
Also, this is out of the scope of the threat model of a robbery.
It can be bypassed under certain physical attacks, such as:
This is also not a bypass, it is stealing the decryption key like with phishing attacks.