Using Kubuntu for an easy, secure, privacy-based workstation setup

One of the good things about Linux is there are many, many distributions from which to choose. That is also the bad part about Linux! There are many, many great distributions. Over the last couple of years, I’ve really gravitated towards the Debian-based distributions like Ubuntu, and its variants – mainly because it’s so easy, and there is SOOO much support for it. Well, I was on a kick where I really liked Ubuntu Mate, but there were a couple of little pet peeve items I didn’t like. Then, I really got on a Linux Mint with Cinnamon kick – and that is what I’ve been using for a while.

However, I just ran across this video showing the new Kubuntu. This distribution is basically Ubuntu, but instead of the “Unity” window manager, this uses the KDE window manager. I never really liked KDE before, but this new version is very sleek, modern, and intuitive!

image

So, I thought I’d check out the distribution in more detail to see what I liked and didn’t like. In this case, I REALLY like it – so below is how I typically set up a Linux workstation with security and privacy as a primary priority.

 

What’s the plan?
Before switching to a new distribution, there are several things I do – or things I want to make sure I can do:

  • Be able to have an encrypted hard drive
  • Be able to lock down the login screen (don’t show user list, show a warning message, etc)
  • Easily update and patch the system
  • Be able to setup PIA VPN (here’s why you too should be using VPN)
  • Set up Firefox for secure browsing
  • Set up Tor for secure browsing

Since this is Ubuntu-based, which is based on Debian – some of this will be easy. Other things were a simple search away. As I was discovering these, I decided to write them down into a blog post, as this has sort of evolved into my standard “workstation” setup, which is quite secure, and quite private by default.

 

How to download and install Kubuntu?
Kubuntu is a free operating system, similar to Windows or MacOS – except it is free and open source. This means that a bunch of people decided to spend their free time and build an operating system the way they wanted, and then made it available for others to download. To get started, navigate here:

https://www.kubuntu.org/getkubuntu/

and click the Kubuntu 15.10 (as of this writing) and download the 64-bit version. Once downloaded, you should verify the hash of the download (to make sure it’s a legitimate copy). See: How to verify the file checksum of a download.
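
One way to do that hash check from a Linux terminal, as an added example that is not from the original post: the function looks up the expected SHA-256 for a file in a published checksum list (the format that sha256sum itself writes) and compares it with the hash of the local copy. The function name verify_download, the demo file names and the stand-in "ISO" are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check a downloaded file against
# a published SHA256SUMS list before writing it to a DVD or USB drive.
# verify_download and the demo file names are hypothetical.

# Usage: verify_download <file> <checksum-list>
# Returns 0 on match, 1 on mismatch, 2 if an input is unreadable or unlisted.
verify_download() {
    local file="$1" sums="$2" name expected actual
    [ -r "$file" ] && [ -r "$sums" ] || { echo "cannot read input" >&2; return 2; }
    name=$(basename -- "$file")

    # Each list line is "<64 hex digits> <file name>", with "*" before the name
    # in binary mode. Compare the whole name so "x.iso" never matches
    # "x.iso.zsync". Assumes names without spaces, as release images have.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || { echo "$name is not listed in $sums" >&2; return 2; }

    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Demo on constructed data: a stand-in "ISO" and a checksum list built from it.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'constructed stand-in for an ISO image\n' > "$dir/kubuntu-demo.iso"
    ( cd "$dir" && sha256sum -b kubuntu-demo.iso > SHA256SUMS )
    verify_download "$dir/kubuntu-demo.iso" "$dir/SHA256SUMS" || echo "unexpected failure"
    printf 'x' >> "$dir/kubuntu-demo.iso"   # simulate a corrupted or altered download
    verify_download "$dir/kubuntu-demo.iso" "$dir/SHA256SUMS" || echo "rejected, as intended"
    rm -rf "$dir"
}
demo
```

A matching hash only proves the file agrees with the list, so fetch the list over HTTPS from the distribution's own site and check its GPG signature where one is published.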

If you want to burn a DVD, and if you are in Windows, just right-click the .iso file you downloaded and choose “Burn disc image”:

image

If you want to make a bootable USB drive which has the operating system on it:

image

then download Win32DiskImager. Launch the program and you can write that downloaded .iso file out to your thumb drive:

image

When complete, you can put that thumb drive into any computer and reboot – and you can test drive Kubuntu. If you like it, there is an option right on the desktop for installing it:

image

Otherwise, you can continue to try it out, make sure it can see all of your hardware, etc. You can do this all without disturbing the hard drive in your computer. It won’t be unless/until you click “Install Kubuntu” that it will modify your drive, and you will be given plenty of warnings for that.

So, it’s safe to plug your USB drive and take the OS for a spin to see if you like it.

 

Encrypting the hard drive:
OK, so you’ve downloaded Kubuntu, booted it up and you like it. You’ve already copied off all of your data from the computer and are ready to install Kubuntu. Ideally, you want to overwrite anything on the drive, use the entire drive, and use disk encryption – which in Linux is LUKS. From the screen above where you can “Install Kubuntu”, one of your very first options will let you configure what to do with the drive:

image

In this case, I’m choosing “use entire disk and set up encrypted LVM”, or logical volume manager – the thing that lets you have encrypted partitions. The text boxes below are where you type the password to unlock the drive upon bootup. These should be EXCELLENT passwords. See: No more excuses! Create a strong password TODAY! Here’s how…

With this option selected, your hard drive will be encrypted and completely inaccessible without that password you typed in those two boxes. That is why it’s critical to have high quality, excellent passwords.

If you are not familiar, Linux is pretty sneaky with hard drive encryption. On all distributions that I’ve seen, after the computer boots, the screen goes blank – it’s because it’s waiting for your disk encryption password. The only key that will show you more is the <ESC> key on your keyboard. On some distributions it toggles between: blank, a basic prompt, and a UI-based prompt. On Kubuntu, hit <ESC> twice and you’ll see a very minimalist prompt. Type in your disk encryption password and hit <ENTER>, and the system then starts to boot.

I say that is sneaky because someone who is not familiar might just assume the computer is broken because when you boot it, it just stays on a blank screen and doesn’t visually respond to any keystrokes or mouse. If a thief has stolen your laptop, then this is a good thing: they will probably just overwrite your hard drive.

 

Lock down the login screen:
This took some time to figure out. You see, each distribution of Linux uses one of a few different login managers, and each one of those is typically customized. If you are using Ubuntu, and the “Unity” greeter, you can just modify a file and set some values and you’re done. With Kubuntu, from what I can tell, it uses the KDM login manager, not lightdm. However, looking at the documentation for KDM, there should be a configuration file called “kdmrc” somewhere on my file system, but if I search:

find / -name kdmrc

I don’t have that file – which makes me think maybe this does use lightdm? But if so, why doesn’t it respect the settings I linked above (with setting the [SeatDefaults])?? I’ll continue to research this…

 

Update and patch the system:
I already have a system for this – but I just made it one step easier. Whenever I install a Debian-based system, I follow my own directions from here and download my update.sh file. The trouble is, the URL is very long. So, I just created a shortened URL. This means now, you can open a terminal window and run:

wget https://tinyurl.com/update-sh -O update.sh && chmod +x ./update.sh

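This downloads that small and simple file, saves it as “update.sh” in your home directory, and then chmod marks it as executable. Because a shortened URL hides where the file really comes from, open update.sh in a text editor and read it before you run it. To run it, now just run: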

./update.sh

You will be prompted to re-enter your password, and then it will go update your system and apply all patches.

 

Set up PIA VPN:
As discussed, I use Private Internet Access for VPN. This makes it so my network traffic bypasses my ISP, and instead comes out onto the internet in a different place, and via a provider that explicitly does not track me, nor log my internet activity. I also am a big fan of using OpenDNS so that even my DNS requests don’t leak information. So, how do we get PIA VPN working on Kubuntu? Well, on Ubuntu or Linux Mint for example, it’s easy – you can follow the instructions directly from this page. However, since Kubuntu uses KDE, it doesn’t use the “Network Manager” by default.

That means that we need to install a few things first, and then we can follow the regular directions for Ubuntu. Luckily, PIA has the generic Debian-based instructions here – which are (simplified):

sudo apt-get install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome

then, edit this file:

sudo nano /etc/NetworkManager/NetworkManager.conf

and change:

managed=false

to:

managed=true

Then, reboot. When you come back, now you can use the regular Ubuntu instructions which are basically:

wget https://www.privateinternetaccess.com/installer/install_ubuntu.sh && chmod +x ./install_ubuntu.sh

This downloads a script file and marks it as executable. Then, to run it, just type:

sudo ./install_ubuntu.sh

and follow the prompt – it just prompts you for your PIA username. Now, reboot.

What did all of that do? Well, when you come back from a reboot and log in, look in the network manager in the bottom right:

image

you can now select the various VPN regions – click one of them and you will be prompted for your PIA VPN password, and then you are connected!

image

Also notice how the icon now also has a tiny blue padlock to designate that you are connected over VPN.

If you don’t use VPN, PIA costs $3.33/month – and if interested, here is my affiliate link. But even if you don’t use it, or PIA in general – in modern times, you really should be using a VPN to protect the privacy of yourself and your family.

 

Set up Tor (and configure Firefox):
I’ve covered Tor a little bit in a few posts, but probably most fully – here. Tor stands for The Onion Router, and it’s a technology which bounces your web requests, encrypted, across typically three Tor nodes. This makes your web requests almost impossible to trace – plus, it gives you the added bonus of giving you access to the so-called “dark web”, if you are interested. If you are not familiar, you should read the warnings and understand the limitations of this technology – start from the main page:

www.torproject.org

What Tor is from your perspective, is really just the Firefox browser which has been highly-customized to know how to route traffic over the Tor network. As far as setting it up, ALWAYS get Tor from the official website, here:

https://www.torproject.org/download/

On Linux, the easiest way is to click on the 64-bit download link and choose “open with”:

image

and then from the program that opens, right click the top-level folder (tor-browser_en-US) and choose, Extract, and Extract to:

image

and then navigate to the “Home” folder on the left, choose to extract “All files”, and then click Extract

image

Now, to launch it, you can either start it from the command line via:

cd ~/tor-browser_en-US/
./start-tor-browser.desktop

or, you can drag the .desktop file to your desktop:

image

When you do start it, you will be prompted the first time – most people can just click the top button:

image

How do you know it’s working? Well, there are two ways. One would be to navigate to a site like www.ipaddress.com and see what your internet-facing IP address looks like. And/or, you can click on the Onion button in the toolbar and it will show you the current circuit your traffic is taking, within the Tor network:

image

meaning that in the picture above, I came out of my VPN connection and entered the Tor network in Switzerland, then routed to Germany, then routed to a Tor “exit node” in the Czech Republic.

Although generally you should never install any plug-ins, I do always install two plug-ins for Firefox and for Tor (which is basically Firefox):

 

Putting it all together:
Well, that was a few extra steps, but what did that buy us? Well, we now have a computer that is very secure in terms of physical security. So long as you have excellent passwords, a would-be thief wouldn’t be able to do anything with your stolen laptop. They would just overwrite the hard drive with Windows 10 and sell it on Craigslist – thanks to Linux disk encryption.

Next, we automatically connect to a VPN when we log in and we use OpenDNS. This means that our ISP can’t see any DNS requests nor glean any information about internet usage, devices, etc. All they see is a LOT of encrypted traffic coming out of our network connection. Our actual network traffic is coming out of a PIA VPN exit node where they have in-writing that they are not logging anything about our traffic.

Then, we can optionally use the Tor browser to send all of our web traffic through the Tor network – which makes our traffic very, very difficult or almost impossible to trace.

Why? Why do we do any of this? Why NOT? This should’ve been the default way to use the internet in the first place! In real life, you don’t tolerate peeping toms leering at you through your window, right? In real life, you don’t tolerate people going through your trash bags, right? Well, when you use your regular internet connection from your ISP, that is pretty much the equivalent. They are, they’ve confirmed it in writing, monitoring, logging, correlating, and selling the information about everything you do.

So, consider how painless it is to set up these basic things above – most of them are just one-time things (disk encryption, VPN setup, downloading Tor). After that, using them is effortless, and it changes your privacy from 0% to perhaps 98%. So, instead of asking why we would do this – I ask why wouldn’t you?

 

Bottom line:
After having played with Kubuntu for a little bit, I like it a lot. It has that very “clean” feeling that Fedora is known for. Even better though, this is all based on Ubuntu/Debian so there is lots and lots of support available. Speaking of which, when I have more detail about how to lock down the login screen, I will update this post. And finally, I am otherwise able to make this a very secure, very private workstation setup which is easy to use – but still very secure!
