In Machinae Veritas

27 Aug 2015

For context, see A Safer Space.

It didn’t work. Rebooting my primary machine to Nails, logging in, and getting going, takes 5+ minutes - and then another 5 minutes to get back to OS X. If my intention is to write for 5 minutes a day, that’s enough inertia that I don’t do it.

Version two is a dedicated machine, an MSI Wind U135 (ebay; £40).

The setup is actually simpler. I’m using Xubuntu 14 (Xubuntu 15 introduces a bug that makes the trackpad almost unusable), installed to hard disk from a USB key via linuxliveusb.com. Xubuntu can encrypt the home folder using ecryptfs, so I’m doing that with a very strong user-login password. This is because encfs has some issues and TrueCrypt, while secure, is no longer supported software.

Once I finished the install I disabled the network, both using the U135’s firmware-based switch, and by removing a couple of necessary files. This machine will never connect to a network again. A better solution would be to open the machine and physically remove the antenna.

I have a (slightly modified) nvpy editor as before, and a simple folder full of text documents.

I’ve disabled the swapfile by editing /etc/fstab.

Suspend/resume actually works on the U135, which is crucial, because it takes several minutes to boot. Suspending isn’t entirely secure because it is vulnerable to cold-boot attacks, but those are out of scope - for the simple reason that $5-wrench attacks are out of scope, and anyone in a position to use cold-boot can use $5-wrench.

There’s a bigger hole with Suspend - it’s possible to resume, log back in as root, and get access to the cleartext files, since ecryptfs is still mounted. Defenses include “strong root / sudo password” and “always logout before Suspend”.
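The two conditions described above (no swap configured or active, and no ecryptfs mount left open when suspending) can be checked with a short script. This is an added example, not part of the original setup; the function names are hypothetical, and the sample files, including the /home/user mount point, are constructed.

```shell
#!/bin/sh
# Paths are parameters: on the real machine pass /etc/fstab /proc/swaps /proc/mounts.

# Count fstab entries that enable swap at boot (type field is "swap", not commented).
fstab_swap_count() {
    awk '$1 !~ /^#/ && $3 == "swap" { n++ } END { print n + 0 }' "$1"
}

# Count active swap areas: every line of /proc/swaps after the header row.
active_swap_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Print mount points of mounted ecryptfs filesystems (cleartext is readable there).
ecryptfs_mounts() {
    awk '$3 == "ecryptfs" { print $2 }' "$1"
}

# Return 0 only if no swap is configured or active and no ecryptfs mount is open.
pre_suspend_check() {
    fstab=$1; swaps=$2; mounts=$3; rc=0
    [ "$(fstab_swap_count "$fstab")" -eq 0 ] || { echo "swap enabled in $fstab"; rc=1; }
    [ "$(active_swap_count "$swaps")" -eq 0 ] || { echo "swap currently active"; rc=1; }
    m=$(ecryptfs_mounts "$mounts")
    [ -z "$m" ] || { echo "ecryptfs still mounted at $m: log out first"; rc=1; }
    return $rc
}

# --- constructed sample data, not taken from a real machine ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/fstab" <<'EOF'
UUID=1111-aaaa /     ext4 errors=remount-ro 0 1
#UUID=2222-bbbb none swap sw                0 0
EOF
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$SAMPLE/swaps"
cat > "$SAMPLE/mounts_in" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/user/.Private /home/user ecryptfs rw,nosuid,nodev 0 0
EOF
echo '/dev/sda1 / ext4 rw,relatime 0 0' > "$SAMPLE/mounts_out"

# Logged in: the check fails. Logged out: it passes.
pre_suspend_check "$SAMPLE/fstab" "$SAMPLE/swaps" "$SAMPLE/mounts_in" || echo "-> do not suspend"
pre_suspend_check "$SAMPLE/fstab" "$SAMPLE/swaps" "$SAMPLE/mounts_out" && echo "-> ok to suspend"
```
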

Backup is via tar, piped to gpg with --symmetric, and then copied onto a USB key. The encrypted file could potentially be uploaded to gdrive for backup as well.

I’m reasonably happy with this. We’ll see how it goes.