
How to enhance the physical security posture of your Linux/BSD-powered PC

Securing a computer involves more than using strong passwords. You should also consider what happens if an unauthorized person gains physical access to it. If the only thing standing between that person and your data is a user account password, you have not done enough to protect your computer and your data. This article presents the steps you can take to enhance the physical security of your Linux- or BSD-powered computer.

  1. Set a BIOS Password – PC vendors generally configure their computers to boot from the hard disk and, failing that, from the CD drive or other removable media. You can change this boot order in the BIOS setup. To keep unauthorized persons out of the BIOS setup, enable the BIOS (or UEFI firmware) password. Most firmware distinguishes a setup (administrator) password, which protects the settings, from a power-on (user) password, which must be entered before the machine will boot at all, so the BIOS password may also be used to prevent the system from booting.

    Let me illustrate with this scenario. Let’s say some bad guy gains physical access to your computer, and that computer was configured to boot from the hard disk and the BIOS password was not enabled. To dispense with the headache of having to guess your username and/or password, Mr. Bad Guy could access the BIOS and change the boot order so that the computer boots from the CD drive or other removable media like a USB drive. Now he can pop a live CD distro into the drive, boot the computer, mount the disk and … imagine how the story ends.

    Note that some live CD distros automatically mount the hard drive partitions, in some cases read-only; Knoppix did that when it was first released. Read-only access is no protection here: the attacker can still copy every file off the disk.

  2. Password-Protect the Bootloader – The bootloaders you will most likely be using on a Linux or BSD system are LILO (LInux LOader), GRUB (GRand Unified Bootloader) legacy, GRUB 2, GAG (Spanish acronym for Graphical Boot Manager), and BTX loader.

    You can set a bootloader password in LILO, GAG and GRUB legacy, and GRUB 2 supports one as well through the set superusers and password_pbkdf2 directives in its configuration, although most distro installers do not offer to set it for you. You typically set the bootloader password during installation, but you may also do it on a running system. A bootloader password ensures that no one with unauthorized physical access to your computer can edit a boot entry to get into single user mode (for example by appending single or init=/bin/sh to the kernel line). It also locks access to GRUB’s console.

  3. Encrypt the disk – See this article for why you should encrypt your computer’s disk. It mainly gives an example of how Fedora, a Linux distribution, implements disk encryption in its installer. Of the five steps, this is the one that still holds when an attacker bypasses the firmware and bootloader passwords or simply removes the drive: without the passphrase the disk holds only ciphertext. It does not protect a machine that is powered on or suspended with the volume already unlocked, so shut the computer down rather than suspending it when you leave it unattended.
  4. Use Strong Passwords – When setting a user account password, most distros will warn you when the password is weak (especially for root). Concerning passwords, try as much as possible to adhere to the following:
    • Always choose strong passwords, at least eight characters long; longer is better.
    • Do not base the password on the username. If you are using a distro that uses the traditional root account system, do not set the root password to be the same as the regular account password.
    • Never enable the automatic login feature. Many distros have this feature. Do not use it. If you are just introducing your kid or spouse to a Linux or BSD system, do not enable this feature for them. It is a bad security practice.

    Warning: Do not write down your password(s) on a sticky note and stick it on your monitor. Also, do not store passwords unencrypted on your computer.

  5. Implement Password Aging – The graphical user management program on some distros lets you set passwords to age, that is, to expire after a set number of days or on a certain date. An expiration time of six months is the norm. Mandriva Linux and Fedora expose this in their graphical tools; Ubuntu, Mint and Pardus do not, but on any of them you can set it from the command line with chage (for example chage -M 180 username) or system-wide through PASS_MAX_DAYS in /etc/login.defs, which applies to accounts created afterwards.
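The following audit script is added here and is not part of the original article. It puts steps 2 and 5 into code. For step 2 it builds and verifies password hashes in the format GRUB 2's grub-mkpasswd-pbkdf2 prints (PBKDF2-HMAC-SHA512, 64-byte salt, 10000 iterations by default) and emits the lines for /etc/grub.d/40_custom; in practice you generate the hash with grub-mkpasswd-pbkdf2 itself, and the reimplementation is here so you can confirm that a hash already sitting in /boot/grub/grub.cfg matches the password you think it does. For step 5 it parses /etc/shadow-style entries and flags accounts whose password never ages, exceeds the maximum age, has already expired, or is empty. The shadow entries, account names and the 180-day policy are constructed for the example.

```python
"""Added helpers for steps 2 and 5: GRUB 2 password hashes and /etc/shadow aging."""
import hashlib
import hmac
import os
from datetime import date, timedelta

GRUB_PREFIX = "grub.pbkdf2.sha512"
EPOCH = date(1970, 1, 1)


def grub_pbkdf2_hash(password, salt=None, iterations=10000):
    """Build a hash in the format grub-mkpasswd-pbkdf2 prints:
    grub.pbkdf2.sha512.<iterations>.<salt hex>.<digest hex> (upper-case hex).
    GRUB 2 uses PBKDF2-HMAC-SHA512 with a 64-byte salt and a 64-byte digest;
    the tool defaults to 10000 iterations."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"{GRUB_PREFIX}.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def grub_verify(password, grub_hash):
    """True if password matches a GRUB PBKDF2 hash, e.g. one copied out of
    /boot/grub/grub.cfg to confirm the deployed hash is the one you intended."""
    parts = grub_hash.split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != GRUB_PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations, salt, expected = int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def grub_custom_snippet(user, grub_hash):
    """Lines for /etc/grub.d/40_custom (regenerate grub.cfg afterwards).
    Once superusers is set, the GRUB console, menu editing, and every menu
    entry lacking --unrestricted require that user's password."""
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {grub_hash}\n'


def audit_shadow(shadow_text, max_days_policy=180, today=None):
    """Report accounts in /etc/shadow-style text that defeat password aging.
    Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag, where lastchg
    is days since 1970-01-01 and an empty or 99999 max means 'never expires'.
    today may be a date or an int day count since the epoch."""
    if today is None:
        today = date.today()
    elif isinstance(today, int):
        today = EPOCH + timedelta(days=today)
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 8:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw_hash, lastchg, _min_days, max_days = fields[:5]
        if pw_hash == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw_hash.startswith(("!", "*")):
            continue  # locked or no-login account; aging does not apply
        elif max_days in ("", "99999"):
            findings.append((name, "no password aging (max days unset)"))
        elif lastchg == "":
            findings.append((name, "last-change field empty, age cannot be computed"))
        else:
            if int(max_days) > max_days_policy:
                findings.append((name, f"max days {max_days} exceeds policy of {max_days_policy}"))
            expires = EPOCH + timedelta(days=int(lastchg) + int(max_days))
            if expires <= today:
                findings.append((name, f"password expired on {expires.isoformat()}"))
    return findings


# Constructed sample, not from a real system; the "$6$..." fields are placeholders.
SAMPLE_SHADOW = """\
root:$6$salt$placeholder:15000:0:99999:7:::
alice:$6$salt$placeholder:18000:1:180:14:::
bob:$6$salt$placeholder:19500:0:365:7:::
carol::19700:0:180:7:::
daemon:*:15000:0:99999:7:::
"""

if __name__ == "__main__":
    h = grub_pbkdf2_hash("correct horse battery staple")
    print(grub_custom_snippet("admin", h), end="")
    for account, problem in audit_shadow(SAMPLE_SHADOW, today=19723):  # 2024-01-01
        print(f"{account}: {problem}")
```

Run it as root against the real file with audit_shadow(open("/etc/shadow").read()); the functions take text rather than a path so they can also be run over a copy pulled from a disk image. Mind the GRUB caveat in the snippet: once superusers is set, menu entries without --unrestricted also prompt for the password, which is fine for a laptop you always boot yourself but will surprise you on a headless box.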

If you implement all five steps on all of your computers, give yourself a five star rating of paranoid. You are ultra secure (four stars) if you implement steps 2 to 5, and secure (three stars) if you implement only steps 3 to 5. Consider your security posture weak (two stars) if you implement only steps 4 and 5 (strong passwords and password aging), and give yourself one star if you implement only step 4. Smack yourself if you enable the automatic login feature.

  1. I still don’t see how all this crypto is going to protect you from someone with a $5 hammer.

  2. Lasander, that is indeed of limited use, but so is everything, and I would say it does slow people down (at least for a few minutes), especially if they didn’t come prepared for it.

    What might be more worrying is the possibility of someone replacing your bootloader or, in Linux, the dm-crypt mounter with some version that does keylogging. Actually, Linux is a bit lax in this as the /boot partition allows quite some space for this. If everything but the boot sector is encrypted, this is (I guess) harder.

  3. There is no point in setting a BIOS password. Once an attacker has *physical* access to your computer then there is no defense unless your drive is encrypted, and if the machine is turned on at the time, even whole-disk encryption might not save you.

    All you need to do with a BIOS password when you have physical access is to reset it via jumper or just take the BIOS battery out for a few minutes. Doesn’t even really slow people down. You could also just take the drive out and stick it into your own machine.

    • Lasander, my case has a lock on the panel (as well as a locking front panel that covers the power/reset buttons, optical drive, etc.). They’d need to have a crowbar to get at the motherboard’s BIOS battery.

      lj, the answer to your scenario is an intrusion detection system (IDS) that compares the checksum of files with a secured copy. If that copy was on the encrypted drive, it could be run after boot to compare the bootloader signature with the stored checksum and detect a change. You could get REALLY fancy and boot from a flash drive or memory card and run an IDS on the boot partition, comparing the values to those stored on the memory card to know if it’s safe to boot the PC or not. 🙂
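Added example, not from the original page or from the commenters: the baseline-and-compare check described in the comment above, applied to the unencrypted /boot partition and the disk's first sector, which is where a swapped bootloader or initramfs would land. The directory layout, file contents and the fake disk image in demo() are constructed for the example; on a real system point hash_tree at /boot and sha256_file at /dev/sda with nbytes=512 (an MBR layout is assumed), and keep the manifest on the encrypted volume or, better, on the removable medium you boot the check from, since a tampered system can lie to a check run from itself.

```python
"""Added example: baseline-and-compare check of an unencrypted /boot and the boot sector."""
import hashlib
import json
from pathlib import Path


def sha256_file(path, nbytes=None):
    """SHA-256 of a file, or of only its first nbytes (use nbytes=512 on a
    disk device node such as /dev/sda to cover the MBR boot sector)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read() if nbytes is None else f.read(nbytes))
    return h.hexdigest()


def hash_tree(root):
    """Hash every regular file under root; keys are root-relative paths.
    Symlinks are skipped so the manifest records real content only."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_manifests(trusted, current):
    """Diff two manifests. Anything in 'added' or 'changed' under /boot is a
    reason not to type the disk passphrase until you have looked at it."""
    trusted_keys, current_keys = set(trusted), set(current)
    return {
        "added": sorted(current_keys - trusted_keys),
        "removed": sorted(trusted_keys - current_keys),
        "changed": sorted(k for k in trusted_keys & current_keys if trusted[k] != current[k]),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: a temporary directory stands in for /boot and a
    small file stands in for /dev/sda. Take a baseline, then tamper with the
    initramfs, drop a stray file into grub/, and overwrite the boot code."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"kernel image, constructed")
        (boot / "initrd.img").write_bytes(b"initramfs with cryptsetup prompt, constructed")
        (boot / "grub" / "grub.cfg").write_text('set superusers="admin"\n')
        # Fake MBR: 440 bytes boot code, 4-byte disk signature, partition table area, 0x55AA.
        disk = Path(tmp) / "sda"
        disk.write_bytes(b"\x00" * 440 + b"\x11\x22\x33\x44" + b"\x00" * 66 + b"\x55\xaa" + b"\x00" * 1024)
        # In real use this file lives on encrypted storage or removable media, not in /boot.
        manifest_path = Path(tmp) / "boot-manifest.json"
        save_manifest({"files": hash_tree(boot), "mbr": sha256_file(disk, 512)}, manifest_path)

        # Evil-maid style changes made while the owner was away.
        (boot / "initrd.img").write_bytes(b"initramfs with passphrase logger, constructed")
        (boot / "grub" / "custom.cfg").write_text("# constructed stray file\n")
        disk.write_bytes(b"\x90" * 440 + disk.read_bytes()[440:])

        trusted = load_manifest(manifest_path)
        result = compare_manifests(trusted["files"], hash_tree(boot))
        result["mbr_changed"] = sha256_file(disk, 512) != trusted["mbr"]
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A kernel or initramfs update legitimately changes /boot, so refresh the manifest right after each update you performed yourself; a change you did not make is the signal.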

