What do you use Gentoo for?

Joined: 25 Feb 2004
Posts: 167

PostPosted: Sun Oct 15, 2017 2:35 am

Tom_ wrote:
@nokilli, could you tell us more about your lvm / disk setup? How do you isolate your data? I'm curious... :)

A 1TB 3.5" HD as backing device with a 128GB SSD that's 32GB swap and the rest a caching device for bcache. lvm on top of that, and then each lv gets its own dm-crypt layer.

My lvs looks something like this (edited for clarity):
  LV           VG   Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  hodl.home    vg   -wi-a-----  8.00g
  hodl.root.1  vg   -wi-a-----  8.00g
  hodl.root.2  vg   -wi-a-----  8.00g
  hodl.root.3  vg   -wi-a-----  8.00g
  hodl.root.4  vg   -wi-a-----  8.00g
  meta.home    vg   -wi-a-----  8.00g
  meta.portage vg   -wi-a-----  4.00g
  meta.root.1  vg   -wi-a-----  8.00g
  meta.root.2  vg   -wi-a-----  8.00g
  meta.root.3  vg   -wi-a-----  8.00g
  meta.root.4  vg   -wi-a-----  8.00g
  meta.src     vg   -wi-a-----  8.00g
  play.home    vg   -wi-ao----  8.00g
  play.portage vg   -wi-a-----  4.00g
  play.root.2  vg   -wi-a-----  8.00g
  play.root.3  vg   -wi-a-----  8.00g
  play.root.4  vg   -wi-a-----  8.00g
  play.root.5  vg   -wi-ao----  8.00g
  work.home    vg   -wi-a-----  8.00g
  work.root.1  vg   -wi-a-----  8.00g
  work.root.2  vg   -wi-a-----  8.00g
  work.root.3  vg   -wi-a-----  8.00g
  work.root.4  vg   -wi-a-----  8.00g

I basically create four systems: meta, hodl, work and play (hodl is a crypto-currency term; it just means "hold", but is used here just as a name). Each system has its own key and has at least a root and a home volume. meta and hodl are fully airgapped, work is on the net but for work only, and then play is on the net and where I goof around. All logical volumes within a system share the same key, so for instance my meta key opens meta.portage, meta.src, meta.home and all of the meta.roots.

I boot from a USB stick, and so from the grub menu I get to pick which system to boot into by specifying a combination of the logical volume to use as root and the initramfs to be used, which may either contain the key for that system or an executable which can be run to let me enter a passphrase that is used to create the key (or both, in which case the passphrase decrypts the key in the initramfs and that is used). In any case the USB stick gets yanked as soon as the initramfs has loaded, and I maintain custody of the USB stick at all times.

So I run portage on meta and then use lvm snapshots and rsync to copy meta.root over to hodl.root and work.root. This is to minimize leakage; the only thing that leaks from meta is Gentoo Linux stuff. That's important because I have to bring in distfiles using an external USB drive which would otherwise provide a means for data to leak out. hodl is just where I keep wallets and private keys for crypto-currencies. It needs to be a running system because different clients need to be run to do offline signing of transactions. It needs to be airgapped because of course I want to protect those keys. I never ever mount any other storage device while I'm booted into hodl. There should be no way of data leaking out of here and I only boot into it when I need to do crypto stuff, which pretty much means, rarely.

There is of course the BIOS vulnerability but here obfuscation can be quite effective. My home partition for hodl is 8GB. I have many wallets. Only a few actually contain anything useful and there are no atimes, so enjoy! And then of course, there is another layer of encryption here as well and I've gotten good at memorizing long passphrases. :)

I plan to create a peer to hodl soon so that I can securely administer the USB stick. Right now I do it via meta, but that means there's a chance that keys can leak out of the stick and then get copied when I populate work.root. I have a lot of stuff sitting there that's used to create initramfs's and that'll go there too. I hope to have it so that one day I can have something like a ubuntu.root or a fedora.root or *cough* openbsd.root(?) that can co-exist with my Gentoo stuff in this vg. It's possible, but it's a fair bit of work 'cause you've got to get into their initramfs, see what modules they put there, get their kernel config, etc.

work and play are where I spend my time. I try to be disciplined with my browsing habits on work (no porn or mainstream news media sites), whitelisted javascript only, no binary-only executables (except icedtea-bin! grrr) and certainly no torrents or any kind of p2p. And on play of course I just do whatever. play isn't even based on meta; it's multilib, and the most I have to risk here is somebody maybe getting my browsing history or knowing what games I play, shows I watch, music I listen to. If somebody gets into my system it'll almost certainly be through play, but since all of the other systems use different keys they should be safe.

Oh, and I do share an external USB drive that holds media between work and play, which is a potential leak. Mounting it read-only from work helps, but I still gotta figure out something better. It used to be hard drives had jumper switches that let you lock the sucker into read-only mode... what happened to that? Or a really big DVD-R would work too. But lately I've discovered my A/V receiver has a USB port and I can play music through that while on work, albeit a little clunky... when there's low-hanging fruit, take it!
Today is the first day of the rest of your Gentoo installation.
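The layout in the post above, as an added example that is not the poster's own tooling: a small bash helper that opens all volumes of one system with that system's single key and does the snapshot-and-rsync refresh of a root from meta into another system. Everything beyond the post is an assumption: the VG is named vg, each LV is a LUKS container (the post only says "dm-crypt layer"), key files live under /root/keys, mount points are under /mnt, and /etc/fstab is excluded from the copy. The constructed SAMPLE_LVS reproduces the listing so the helpers can be tried in dry-run mode without root or real volumes.

```shell
#!/bin/bash
# Added example (not the poster's scripts): per-system dm-crypt on LVM, one key
# per system, plus the snapshot+rsync replication of meta.root to another system.
# Assumptions not stated in the post:
#   - the VG is called "vg" and LVs are named <system>.<role>[.<n>]
#   - each LV is a LUKS container ("its own dm-crypt layer" could also be plain)
#   - DRY_RUN=1 (default) prints the privileged commands instead of running them
set -u

VG=${VG:-vg}
DRY_RUN=${DRY_RUN:-1}

# Constructed stand-in for `lvs --noheadings -o lv_name vg`, taken from the
# listing in the post, so the helpers can be exercised without root.
SAMPLE_LVS='hodl.home
hodl.root.1
hodl.root.2
hodl.root.3
hodl.root.4
meta.home
meta.portage
meta.root.1
meta.root.2
meta.root.3
meta.root.4
meta.src
play.home
play.portage
play.root.2
play.root.3
play.root.4
play.root.5
work.home
work.root.1
work.root.2
work.root.3
work.root.4'

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# List the LVs of one system. $2 is an lvs listing for offline use; when it is
# empty the live `lvs` output is used (needs root).
system_lvs() {
    local sys=$1 listing=${2-}
    [ -n "$listing" ] || listing=$(lvs --noheadings -o lv_name "$VG")
    printf '%s\n' "$listing" | tr -d ' ' | grep "^${sys}\." | sort
}

# Open every LV of a system with that system's single key file, so that e.g.
# the meta key opens meta.home, meta.portage, meta.src and all meta.root.N.
open_system() {
    local sys=$1 keyfile=$2 listing=${3-} lv
    for lv in $(system_lvs "$sys" "$listing"); do
        run cryptsetup open --type luks --key-file "$keyfile" "/dev/$VG/$lv" "$lv"
    done
}

close_system() {
    local sys=$1 listing=${2-} lv
    for lv in $(system_lvs "$sys" "$listing"); do
        run cryptsetup close "$lv"
    done
}

# One-way copy of a root: snapshot the source LV, open the snapshot with the
# source system's key, mount it read-only and rsync into the destination root,
# which must already be opened (with its own key) as /dev/mapper/$dst.
# --delete makes the destination contain only what the source had, so nothing
# that was already on e.g. work.root survives the refresh; the read-only open
# and mount keep the copy strictly meta -> target.
replicate_root() {
    local src=$1 dst=$2 srckey=$3 snap="$1.snap"
    local srcmnt="/mnt/$snap" dstmnt="/mnt/$dst"
    run lvcreate --snapshot --size 1G --name "$snap" "$VG/$src"
    run cryptsetup open --type luks --readonly --key-file "$srckey" "/dev/$VG/$snap" "$snap"
    run mkdir -p "$srcmnt" "$dstmnt"
    run mount -o ro "/dev/mapper/$snap" "$srcmnt"
    run mount "/dev/mapper/$dst" "$dstmnt"
    # /etc/fstab is excluded on the assumption that it names the per-system root.
    run rsync -aHAX --numeric-ids --delete --exclude=/etc/fstab "$srcmnt/" "$dstmnt/"
    run umount "$dstmnt" "$srcmnt"
    run cryptsetup close "$snap"
    run lvremove --yes "$VG/$snap"
}

# Example run (dry-run by default): refresh hodl.root.1 from meta.root.1.
open_system hodl /root/keys/hodl.key "$SAMPLE_LVS"
replicate_root meta.root.1 hodl.root.1 /root/keys/meta.key
close_system hodl "$SAMPLE_LVS"
```

With DRY_RUN=0 the same calls execute for real and need root, the source system booted (so its key is available) and the destination system's key at hand. Note the direction: the snapshot is opened and mounted read-only and rsync only ever writes into the destination, which is what keeps the leak surface limited to the Gentoo system files the poster mentions; the destination's own key never needs to be present on the replicated root.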
Joined: 17 Mar 2005
Posts: 826
Location: Villach, Austria

PostPosted: Fri Oct 20, 2017 12:28 pm

Now I feel like an evangelizer. In March 2016 I was the first with a Gentoo box in my office. This May I converted another user. Now I've convinced our IT to migrate everything from Ubuntu to Gentoo.
Joined: 11 Nov 2017
Posts: 5
Location: Tennessee

PostPosted: Sat Nov 11, 2017 6:17 pm

I use my Gentoo box for non-.NET development (NodeJS, Clojure). The only thing is, I do .NET development for my work (bleh).

I'm considering converting my Windows server over to Gentoo and then VM'ing windows for my BlueIris cameras. The other 8-10 things I run are running in a RancherOS VM, so I could port that easily.
Joined: 21 Aug 2016
Posts: 15
Location: Oxfordshire, England

PostPosted: Mon Nov 13, 2017 11:02 am

Pretty much anything and everything. My main box at home is on Gentoo, as is my workstation in the lab. My old ThinkPad, however, is Debian. The thing overheats so badly when compiling for hours.

Most of my work is C++ and CUDA development. For hobbyist stuff I use the AVR toolchain and a little Haskell here and there. Oh, and Python3 for prototyping (I hate MATLAB).

Obviously the general PC use also; email, web browsing, chat etc.

Dual boot Windows 10 for games.
