How to enhance the physical security posture of your Linux/BSD-powered PC

Secured Data Securing a computer goes beyond more than just using strong passwords. You should consider what happens if an unauthorized person gains physical access to your computer. If the only security feature protecting your data from an unauthorized person is a user account password, then you have not taken enough steps to protect your computer and your data. This article presents all the steps you could take to enhance the physical security of your Linux- or BSD-powered computer

  1. Set a BIOS Password – PC vendors generally configure their computers to boot from the hard disk, and failing that, to boot from the CD drive or other removable media. You can change this boot order by going into the BIOS setup. To prevent unauthorized persons from accessing the BIOS setup, you should enable the BIOS password. Enabling the BIOS pawword may also be used to prevent the system from booting.

    Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer, and that computer was configured to boot from the hard disk and the BIOS password was not enabled. To dispense with the head ache of having to guess your username and/or password, Mr. Bad Guy could access the BIOS and change the boot order so that the computer boots from the CD drive or other removable media like a USB drive. Now he can pop in a live CD distro into the drive, boot the computer, mount the drive and … imagine how the story ends.

    Note that some live CD distros will automatically mount the hard dirve partitions in read-only mode. When it was first released, Knoppix was like that.

  2. Password-Protect the Bootloader – The bootloaders you will most likely be using on a Linux or BSD system are LILO (LInux LOader), GRUB (GRand Unified Bootloader) legacy, GRUB 2, GAG (Spanish acronym for Graphical Boot Manager), and BTX loader.

    You can set a bootloader password if your distro is using LILO, GAG, GRUB, but not GRUB 2. You typically set the bootloader password during installation, but you may also do it on a running system. Setting a bootloader password ensures that no one with unauthorized physical access to your computer will be able to gain access to single user mode. It also locks access to GRUB’s console.

  3. Encrypt the disk – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer.
  4. Use Strong Passwords – When setting a user account password, most distros will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
    • Always choose strong passwords, minimum of eight characters.
    • Do not base the password on the username. If you are using a distro that uses the traditional root account system, do not set the root password to be the same as the regular account password.
    • Never enable the automatic login feature. Many distros have this feature. Do not use it. If you are just introducing your kid or spouse to a Linux or BSD system, do not enable this feature for them. It is a bad security practice.

    [warning]Do not write down your password(s) on a sticky note and stick it on your monitor. Also, do not store passwords unencrypted on your computer.[/warning]

  5. Implement Password Aging – The graphical user management program on some distros will allow you to set passwords to age or to expire at a certain date. An expiration time of six months is the norm. You can enable password aging on Mandriva Linux and Fedora, but not on Ubuntu, Mint, Pardus.

If you implement all five steps on all of your computers, give yourself a five star rating of paranoid. You are ultra secure (four star rating) if you implement steps 2 to 5, and secure (three star rating) if you implement only steps 3 to 5. Consider your security posture weak (two star rating) if you only implement steps 4 and 5 (user account password and password aging). You have a one star rating if you do not implement password aging. Smack yourself if you enable the automatic login feature.

Related Posts

Anonymity and the Internet Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we ca...
Dual-booting PC-BSD 8.2 and Windows 7 In continuation of a series of articles on dual-booting Linux and BSD desktop distributions with Windows 7, this article presents a step by step guide...
How to customize Linux Mint 10 After a review of Linux Mint 10, the next logical step is to write a few tutorials and tips for those that might need it. The first of these tutorials...
Dual-boot Windows 7, Linux Mint Debian Edition 2 on a PC with UEFI firmware Linux Mint Debian Edition (LMDE) is a desktop distribution that's based on Debian. It's from the same folks responsible for Linux Mint, which is based...
Pardus 2009.2 review Pardus is a desktop-oriented Linux distribution sponsored and developed by the Scientific & Technological Research Council of Turkey. It's not a perfe...
Customizing Simply Linux 5 Simply Linux 5 is a distro from the same team that publishes ALT Linux. The first review of this distro on this site has just been published. This pos...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


  1. I still don’t see how all this crypto is going to protect you from someone with a $5 hammer.

  2. Lasander, that is indeed of limited use, but so is everything, and i would say it does slow people down (at least for a few minutes), especially if they didn’t come prepared for it.

    What might be more worrying is the possibility of someone replacing your bootloader or in linux the dm-crypt mounter by some version that does keylogging. Actually, linux is a bit lax in this as the /boot partition allows quite some space for this. If everything but the bootsector is encrypted, this is (I guess) harder.

  3. There is no point in setting a BIOS password. Once an attacker has *physical* access to your computer then there is no defense unless your drive is encrypted and if the machine is turned on at the time even whole disk encryption might not save you.

    All you need to do with a bios password when you have physical access is to reset it via jumper or just take the bios battery out for a few minutes. Doesnt even really slow people down. You could also just take the drive out and just stick it into your own machine.

    • Lasander, my case has a lock on the panel (as well as a locking front panel that covers the power/reset buttons, optical drive, etc.). They’d need to have a crowbar to get at the motherboard’s BIOS battery.

      lj, the answer to your scenario is an intrusion detection system (IDS) that compares the checksum of files with a secured copy. If that copy was on the encrypted drive, it could be run after boot to compare the bootloader signature with the stored checksum and detect a change. You could get REALLY fancy and boot from a flash drive or memory card and run in IDS on the boot partition comparing the values to those stored on the memory card to know if it’s safe to boot the PC or not. 🙂

  4. Pingback: Quickies: physical security primer « 0ddn1x: tricks with *nix

Leave a Comment

Your email address will not be published. Required fields are marked *