Add U2F section and tweak wks-security doc

Signed-off-by: Konstantin Ryabitsev <>
Konstantin Ryabitsev 5 years ago
parent 34233e9d81
commit 3148a35dda
No known key found for this signature in database
GPG Key ID: 34BAB80AF9F247B8

@ -1,3 +1,17 @@
# 2017-12-15
## Linux workstation security
- Remove detailed SELinux instrusctions
- Remove GrSecurity recommendation, as it's not available without subscription
- Change NoScript to uMatrix recommendation
- Add some Firejail usage quickies
## Protecting code integrity with PGP
- Add whole new doc on PGP and its use with Git. It is aimed at free software
developers and should be used alongside with the workstation security doc.
## Trusted team communication
- A fairly major rewrite in the works...
# 2017-01-23
## Linux workstation security checklist
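Review bot: the first bullet under "Linux workstation security" misspells "instructions" as "instrusctions", and the PGP entry's "alongside with the workstation security doc" should read "alongside the workstation security doc". The 2017-12-15 entry also leaves out two changes this commit makes to the workstation doc: the Intel ME rewording, and the replacement of the smartcard considerations text with a pointer to the PGP document. Add a bullet for each so the changelog matches the diff.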

@ -1,6 +1,6 @@
# Linux workstation security checklist
Updated: 2017-11-15
Updated: 2017-12-15
### Target audience
@ -122,10 +122,12 @@ considered potentially vulnerable, especially if it has not received
manufacturer firmware updates.
There are [some laptop manufacturers][27] that have started providing systems
with the Intel ME chip disabled, and it may be possible to manually disable
the IME by using a tool such as [me_cleaner][25], though you should be mindful
that it is an involved process and that disabling the IME may void the
manufacturer support warranty (or even be against your employer policy).
with a lot of IME functionality disabled (it is not possible to disable the
chip completely, as it would likely render the system unbootable). It is also
possible to use a tool such as [me_cleaner][25] to significantly reduce the
chip functionality on your own. You should be mindful that it is an involved
process, and that disabling the IME may void the manufacturer support warranty
(or even be against your employer policy).
## Pre-boot environment
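Review bot: the reworded paragraph now says "it is not possible to disable the chip completely", but its last sentence still warns that "disabling the IME may void the manufacturer support warranty". Use the same wording in both places, for example "reducing IME functionality may void the manufacturer support warranty", so the paragraph does not contradict itself.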
@ -561,12 +563,6 @@ this browser for accessing any other sites except select few.
You should install the following Firefox add-ons:
- [ ] NoScript _(ESSENTIAL)_
- NoScript prevents active content from loading, except from user
whitelisted domains. It is a great hassle to use with your default browser
(though offers really good security benefits), so we recommend only
enabling it on the browser you use to access work-related sites.
- [ ] Privacy Badger _(ESSENTIAL)_
- EFF's Privacy Badger will prevent most external trackers and ad platforms
from being loaded, which will help avoid compromises on these tracking
@ -579,15 +575,13 @@ You should install the following Firefox add-ons:
over a secure connection, even if a link you click is using http:// (great
to avoid a number of attacks, such as [SSL-strip][7]).
- [ ] Certificate Patrol _(NICE)_
- This tool will alert you if the site you're accessing has recently changed
their TLS certificates -- especially if it wasn't nearing expiration dates
or if it is now using a different certification authority. It helps
alert you if someone is trying to man-in-the-middle your connection,
but generates a lot of benign false-positives.
You should leave Firefox as your default browser for opening links, as
NoScript will prevent most active content from loading or executing.
- [ ] uMatrix _(NICE)_
- uMatrix prevents active content from third-party locations from being
loaded and executed. It is a hassle to use with your default browser
(though offers really good security benefits), so we recommend only
enabling it on the browser you use to access work-related sites.
Here's a [Video Overview]( of
##### Chrome/Chromium for everything else
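Review bot: uMatrix is introduced as _(NICE)_, while the NoScript item it stands in for was _(ESSENTIAL)_, so the Firefox add-on list no longer has an essential-level control on active content. The changelog line "Change NoScript to uMatrix recommendation" does not say the priority dropped. Either keep the level or add a sentence explaining why the control is now optional. If the Certificate Patrol item is also being dropped here, the changelog should list that too.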
@ -600,8 +594,9 @@ the usual paranoid caution about not using it for anything you don't want
Google to know about).
It is recommended that you install **Privacy Badger** and **HTTPS Everywhere**
extensions in Chrome as well and give it a distinct theme from Firefox to
indicate that this is your "untrusted sites" browser.
extensions in Chrome (and uMatrix, too, if you're comfortable with it), as
well and give it a distinct theme from Firefox to indicate that this is your
"untrusted sites" browser.
#### 2: Use firejail _(ESSENTIAL)_
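Review bot: in the reworded sentence the comma after the parenthetical splits "as well" from the clause it belongs to: "extensions in Chrome (and uMatrix, too, if you're comfortable with it), as well and give it a distinct theme". Suggest "extensions in Chrome as well (and uMatrix, too, if you're comfortable with it), and give it a distinct theme from Firefox".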
@ -618,6 +613,16 @@ documentation provided by the project:
- [Firefox Sandboxing Guide][20]
Most frequently, you'll just want to pass a `--private=directory` switch to
separate your browsing profiles. You can create convenient aliases and add
them to your `.bashrc`:
alias ff-perso="firejail --private=$HOME/.firejail/personal firefox -no-remote"
alias ff-work="firejail --private=$HOME/.firejail/work firefox -no-remote"
Any downloaded files will be located in `~/.firejail/[name]/Downloads`. To
upload files, you'll need to move them into that subdirectory first.
#### 3: Fully separate your work and play environments via virtualization _(PARANOID)_
See [QubesOS project][3], which strives to provide a "reasonably secure"
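Review bot: the two aliases point `--private=` at `$HOME/.firejail/personal` and `$HOME/.firejail/work`, but the added text never says whether those directories have to exist before the first run. Add a one-line `mkdir -p` step ahead of the aliases, or state that firejail creates them. It would also help to say in one clause why `-no-remote` is passed, and to name the alias `ff-personal` so it matches the directory name used in the `~/.firejail/[name]/Downloads` sentence.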
@ -717,31 +722,9 @@ to ensure that your private keys are well protected against theft.
#### Considerations
The best way to prevent private key theft is to use a smartcard to store your
encryption private keys and never copy them onto the workstation. There are
several manufacturers that offer OpenPGP capable devices:
- [Kernel Concepts][12], where you can purchase both the OpenPGP compatible
smartcards and the USB readers, should you need one.
- [Yubikey][13], which offers OpenPGP smartcard functionality in addition
to many other cool features (U2F, PIV, HOTP, etc).
- [NitroKey][21], which is based on open-source software and hardware
It is also important to make sure that the master PGP key is not stored on the
main workstation, and only subkeys are used. The master key will only be
needed when signing someone else's keys or creating new subkeys -- operations
which do not happen very frequently. You may follow [the Debian's subkeys][14]
guide to learn how to move your master key to removable storage and how to
create subkeys.
You should then configure your gnupg agent to act as ssh agent and use the
smartcard-based PGP Auth key to act as your ssh private key. We publish a
[detailed guide][15] on how to do that using either a smartcard reader or a
Yubikey NEO.
If you are not willing to go that far, at least make sure you have a strong
passphrase on both your PGP private key and your SSH private key, which will
make it harder for attackers to steal and use them.
Please see the "Protecting Code Integrity with PGP" document available in the
same repository for introduction to PGP best practices and instructions on how
to set up and use offline master and smartcard subkeys.
### Hibernate or shut down, do not suspend
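Review bot: the replacement paragraph under "Considerations" points to the PGP document only for "offline master and smartcard subkeys", while the text it replaces also covered using the gnupg agent as ssh agent and the fallback advice to keep a strong passphrase on both the PGP and SSH private keys. Keep a sentence for the SSH passphrase fallback here, or confirm the PGP document covers it and say so in the pointer. Also, "for introduction to PGP best practices" should read "for an introduction to PGP best practices", and link references [12], [13], [14], [15] and [21] should be dropped from the reference list if nothing else cites them.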

@ -693,14 +693,14 @@ features on the internal chip. Here are a few recommendations:
but with fewest extra security features
- [Nitrokey Pro](
Similar to the Nitrokey Start, but is tamper-resistant and offers more
security features (see the U2F section of the guide)
security features (but not U2F, see the Fido U2F section of the guide)
- [Yubikey 4]( Proprietary
hardware and software, but cheaper than Nitrokey Pro and comes available
in the USB-C form that is more useful with newer laptops; also offers
additional security features such as U2F
Our recommendation is to pick a device that is capable of both smartcard
functionality and U2F, which means either a Nitrokey Pro, or a Yubikey 4.
functionality and U2F, which, at the time of writing, means a Yubikey 4.
#### Configuring your smartcard device
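Review bot: after the Nitrokey Pro correction, the closing recommendation names only the Yubikey 4, which the list above describes as "Proprietary hardware and software". The new U2F section in this same commit notes that a cheap U2F-only token can be bought separately, so mention here that a Nitrokey paired with a separate U2F-only token is an alternative for readers who want open hardware. The new parenthetical also writes "Fido U2F"; the name is normally capitalised "FIDO".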
@ -1236,7 +1236,107 @@ keyservers, should you need to grant them ssh-based access to anything:
This can come in super handy if you need to allow developers access to git
repositories over ssh.
## TODO: Tarball release signatures
## Protecting online accounts
### Checklist
- [ ] Get a U2F-capable device _(ESSENTIAL)_
- [ ] Enable 2-factor authentication for your online accounts _(ESSENTIAL)_
- [ ] GitHub/GitLab
- [ ] Google
- [ ] Social Media
- [ ] Use U2F as primary mechanism, with TOTP as fallback _(ESSENTIAL)_
### Considerations
You may have noticed how a lot of your online developer identity is tied to
your email address. If someone can gain access to your mailbox, they would be
able to do a lot of damage to you personally, and to your reputation as a free
software developer. Protecting your email accounts is just as important as
protecting your PGP keys.
#### Two-factor authentication with Fido U2F
authentication]( is
a mechanism to improve account security by requiring a physical token in
addition to a username and password. The goal is to make sure that even if
someone steals your password (via keylogging, shoulder surfing, or other
means), they still wouldn't be able to gain access to your account without
having in their possession a specific pre-configured physical device.
The most widely known mechanisms for 2-factor authentication are:
- SMS-based verification
- Time-based One-Time Passwords (TOTP) via a smartphone app
- Hardware tokens supporting Fido U2F
SMS-based verification is easiest to configure, but has the following
important downsides: it is useless in areas without signal (e.g. building
basements), and can be defeated if the attacker is able to intercept or divert
SMS messages.
TOTP-based multi-factor authentication offers more protection than SMS, but
has important scaling hurdles (there's only so many tokens you can add to your
smartphone app before finding the correct one becomes wearisome). Plus,
there's no avoiding the fact that your secret key ends up stored on the
smartphone itself, which is a complex, globally connected device with a very
poor record of timely patching by the vendors.
Most importantly, neither TOTP nor SMS methods protect you from phishing
attacks -- if the phisher is able to obtain both your account password and
2-factor token, they can replay them on the legitimate site and gain access to
your account.
[Fido U2F]( is a standard
developed specifically to provide a mechanism for 2-factor authentication
*and* combat credential phishing. The U2F protocol will store site
authentication data on the USB token that will prevent you from accidentally
giving an attacker both your password and your one-time token if you try to
use it on anything other than the legitimate website.
Both Chrome and Firefox support U2F 2-factor authentication, and hopefully
other browsers will soon follow.
#### Get a token capable of Fido U2F
There are [many options available]( for
hardware tokens with Fido U2F support, but if you're already ordering a
smartcard-capable physical token, then your best option is a Yubikey 4, which
supports both.
#### Enable 2-factor authentication on your online accounts
You definitely want to enable this option on the email provider you are using
(especially if it is Google, which has excellent support for U2F). Other sites
where this should definitely be considered:
- GitHub: it probably occurred to you when you uploaded your public key that
if anyone else is able to gain access to your account, they can replace your
key with their own. If you publish code on GitHub, you should take care of
your account security by protecting it with U2F-backed authentication.
- GitLab: for the same reasons as above
- Google: if you have a google account, you will be surprised how many places
allow to log in with Google authentication instead of site-backed
- Facebook: same as above, a lot of online sites offer the option to
authenticate using a Facebook account. You should protect your Facebook
account even if you do not use it.
- Other sites, as you deem necessary. See
[]( for inspiration.
#### Configure TOTP failover, if possible
Many sites will allow you to configure multiple 2-factor mechanisms, and the
recommended option is:
- U2F token as the primary mechanism
- TOTP phone app as the secondary mechanism
This way, even if you lose your U2F token, you should be able to gain access
to your account. Alternatively, you can enroll multiple U2F tokens (e.g.
you can get another cheap token that only does U2F and use it for backup
## Further reading
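Review bot: the "Configure TOTP failover" subsection recommends TOTP as the secondary mechanism, but the considerations text earlier in this hunk says that "neither TOTP nor SMS methods protect you from phishing attacks". An account with TOTP left enabled can still be phished through the fallback path, so the failover text should say that and present the second U2F token as the preferred backup where the site allows it, with TOTP as the compromise. Two sentences also need finishing: the Google bullet stops at "instead of site-backed" with no noun or period, and the final parenthetical "(e.g. you can get another cheap token that only does U2F and use it for backup" is never closed. Finally, the checklist says "Social Media" while the detailed list names only Facebook; align the two.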