
In today’s tutorial, we’ll check all the filesystem, security, privacy, and anonymization features in Nitrux.

Difficulty: ★☆☆☆☆

📜 Table of Contents

    1. Default Security Policies in Nitrux
    2. XFS Features and Root Immutability in Nitrux
    3. Importing an OpenVPN connection in NetworkManager
    4. File Encryption in Nitrux
    5. Using F2FS Features in Nitrux
      1. Native File Compression in F2FS
      2. Native File Encryption in F2FS

Default Security Policies in Nitrux

By default, Nitrux enables the following security features and policies, along with any encryption capabilities (enabled by Nitrux™).

  • Features:
  • Policies:
    • Disable core dumps. Applications create core dumps to facilitate troubleshooting errors in Linux applications. However, they may contain sensitive information, such as passwords and user data, including PAN, SSN, or encryption keys. They also take up a large amount of disk space.
    • Stricter password expiration date. Passwords are the primary key to accessing an account, related services, and data, and therefore, a strong password and a password expiry policy are required. The default password expiration in Debian is 99999 days; ours is 1111.1 times shorter.
    • Increase the number of password hashing rounds. With over 60k rounds, brute-forcing the password is more difficult; by default, Debian uses 5000 rounds, which is too low for modern hardware.
    • New passwords must be more complex. Nitrux enforces this rule, starting with version 2.8.1.
    • Deactivate the root account in the Live session and on the installed system. By default, Nitrux does not add or enable a password for the root account.
    • Enforce a stricter password quality policy. By default, we use libpwquality to increase user account security during installation and for user accounts created post-installation. These passwords must have sufficient randomness, be at least eight characters long, and include uppercase and lowercase letters, numbers, and symbols.
    • Enable BPF JIT hardening if JIT is enabled: Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler helps mitigate JIT spraying attacks.
    • Fill freed pages and heap objects with zeroes: Ensure that pages and heap objects are filled with zeroes when freed, enhancing security by preventing data leaks through uninitialized memory.
    • Disable slab merging: Preventing the kernel from merging memory slabs of similar sizes can improve security by making it harder for attackers to exploit specific memory corruption vulnerabilities.
    • Disable Virtual Syscalls: This option disables virtual syscalls (vsyscalls), a mechanism that lets user space perform certain system calls faster for performance reasons, potentially reducing the attack surface for specific exploits.
    • Randomize kernel stack offset on syscall entry: Introduce randomness to the kernel stack offset whenever software makes a system call, adding another layer of security by making it harder for attackers to predict memory addresses.
    • Enable MAC addresses randomization mode. MAC randomization can enhance privacy by preventing the network from learning the actual MAC address.
    • Enable IPv6 Privacy Extensions standard. With privacy extensions, the kernel generates a temporary address mangled from the original autoconfigured address. Private addresses are preferred when connecting to a remote server to hide the original address.
    • Enable Reverse Path Filtering. It prevents IP spoofing attacks, enhances security, and reduces vulnerability to DDoS attacks.
    • Disable Source Routing. Prevents IP spoofing and strengthens security by disabling source routing, blocking potential bypasses of security controls.
    • Restrict access to kernel pointer addresses. Improves security by restricting access to kernel pointer addresses to privileged processes, preventing information leaks.
    • Turn off the SysRq key. This policy enhances security by preventing unauthorized system commands.
    • Enable Page Table Isolation. Mitigates speculative execution attacks like Meltdown.
    • Brute-force password protection through adding lockouts and slowing down guessing.
    • No empty passwords allowed.
    • Consistent password flow between modules and predictable order of evaluation.
    • Prevent password reuse and reject attempts to restore previous passwords.
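
As an added example (not part of the original tutorial and not Nitrux's own tooling), the script below audits a system against the kernel and network policies listed above. The sysctl keys, boot parameters and expected values are assumptions based on the usual upstream Linux setting for each policy, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: expected values below are ASSUMED hardened values, not Nitrux's config.
# sysctl policy: key=pattern (shell glob, so [12] accepts 1 or 2).
SYSCTL_POLICY='net.core.bpf_jit_harden=[12]
kernel.kptr_restrict=[12]
kernel.sysrq=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.use_tempaddr=2'
# Boot parameters expected on the kernel command line.
CMDLINE_POLICY='init_on_free=1 slab_nomerge vsyscall=none randomize_kstack_offset=on pti=on'

# audit_sysctl: reads `sysctl -a` style lines ("key = value") on stdin and
# prints one line per key that is unset or does not match the policy pattern.
audit_sysctl() {
    dump=$(cat)
    printf '%s\n' "$SYSCTL_POLICY" | while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$dump" |
              awk -F' *= *' -v k="$key" '$1 == k { v = $2 } END { print v }')
        case "$got" in
            $want) ;;  # value matches the allowed pattern
            *) echo "$key: got ${got:-unset}, want $want" ;;
        esac
    done
}

# audit_cmdline CMDLINE: prints each expected boot parameter that is absent.
audit_cmdline() {
    for want in $CMDLINE_POLICY; do
        case " $1 " in
            *" $want "*) ;;
            *) echo "missing boot parameter: $want" ;;
        esac
    done
}

# Constructed sample input (not captured from a real Nitrux system).
SAMPLE_SYSCTL='kernel.kptr_restrict = 2
kernel.sysrq = 176
net.core.bpf_jit_harden = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.use_tempaddr = 0'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 overlayroot=tmpfs:swap=1,recurse=0 init_on_free=1 slab_nomerge pti=on'

# Demo on the sample; on a live system run instead:
#   sysctl -a 2>/dev/null | audit_sysctl; audit_cmdline "$(cat /proc/cmdline)"
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl
audit_cmdline "$SAMPLE_CMDLINE"
```

An empty result from both functions means every checked setting matches the assumed policy; each printed line names one setting to review.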

XFS Features and Root Immutability in Nitrux

The root partition will use the XFS filesystem. This XFS-formatted partition will also use the following additional filesystem features (enabled by Nitrux™).

  • Allow the filesystem to place inodes anywhere in itself. Storing a file’s inode at the same location as its data improves performance.

Additionally, by default, Nitrux performs filesystem checks and repairs (if needed) during boot time.

Since Nitrux 2.6.0, the root directory is immutable by default. This change allows us to provide new versions of the distribution with a higher degree of certainty that no changes have happened to the root that might cause a conflict. We also want to avoid sudden issues caused by upgraded packages from a different origin than our repository, which we have little control over. However, we understand that there may be cases where users need to change something in the root directory.

  • ⚠️ Important: Any changes to the root directory should be explicitly made only through the shell session after running overlayroot-chroot.
    • ⚠️ Important: Mounting the devices’ pseudo-filesystem /dev is essential; otherwise, stuff like the CLI text editor we include in Nitrux (micro) will not work. Depending on the task, other filesystems must be mounted, e.g., /var/lib, /home, /tmpfs, etcetera. Only /proc, /run, and /sys are mounted by default.
  • 🔰 Information: After making the desired modifications, unmount the filesystems and exit.
sudo overlayroot-chroot

# Filesystems to mount; /dev is strictly necessary.

mount -t devtmpfs dev /dev

# To mount the partitions created by our Calamares configuration use findfs and the partition label.

mount -t auto $(findfs LABEL=NX_VAR_LIB) /var/lib

# (... do stuff...)

sync

# Unmount the partitions.

umount /dev /var/lib

exit

Changes are applied immediately to the root, i.e., the lower directory. However, for the changes to appear on the overlay, i.e., the upper directory, users must reboot the computer or reload the kernel using Kernel Boot (where supported); otherwise, any modifications won’t be visible.

Alternatively, users can temporarily boot with the immutability disabled. To do that, do the following steps.

  • ⚠️ Important: We must stress that the preferred method for modifying the root is the one above. If you know what you’re doing, use the technique below at your own risk.

    • Press E in the GRUB boot menu.
    • Using the arrow keys, navigate the text and find the kernel parameter overlayroot=tmpfs:swap=1,recurse=0, and change the parameter to overlayroot=disabled.
    • To continue the boot process, press F10.
    • After making the desired modifications, reboot.

Disclaimer: The user is responsible for any manual, permanent changes to the root using either of the methods described in this section. If these changes create conflicts during an upgrade using the Nitrux Update Tool System, users should resolve them independently. Please do not open issues regarding this use case in the bug tracker; they will be closed.

Importing an OpenVPN connection in NetworkManager

Since Nitrux 2.7.0, the distribution includes the OpenVPN plugin for NetworkManager. To import an OpenVPN connection using a file, i.e., example-vpn.ovpn, do the following.

  1. Open System Settings→Connections.
  2. Click the add (+) button and scroll down until you find “Import VPN connection…”
  3. Click the button “Create” and select your .ovpn file.
  4. Select the new VPN connection and ensure that in the connection type “Password with certificates (TLS)” is selected, then ensure that “Save password only for this user (cipher)” is selected for the secret key and VPN passwords.
  5. Activate the connection from the Connection settings (right-click → connect) or use the network icon in the system tray.
    • ⚠️ Important: If you use some public VPNs to protect your privacy, you might get a public IP address or at least be exposed to external connections. Once a public VPN is enabled, the firewalls in front of your computer no longer protect you. Nitrux uses UFW by default and blocks incoming connections to alleviate this issue.
    • ⚠️ Important: Activating the connection immediately will cause a second dialog window to appear in the app, asking for the VPN password again after entering both passwords. To avoid this, log out and log in or reboot after adding the VPN connection.
  6. A dialog window will appear asking for two passwords: the VPN password and the secret key. Enter the VPN password and the secret key password.
    • 🔰 Information: Enter a password you’re familiar with. While it’s possible to use the user account password, we strongly recommend against it.
  7. (Optional) Pair the VPN with a primary connection so it connects automatically. Go to System Settings→Connections→Your Connection→General configuration, check the box “Connect automatically to VPN,” select the VPN, and click “Apply.”

Please note the following when importing an OpenVPN connection.

  • ⚠️ Important: IPv6 support depends on the VPN provider; this is not a bug in Nitrux. If the provider doesn’t support IPv6 tunneling, turn off IPv6 on the primary connection. Go to System Settings→Connections→Your Connection→IPv6, select “Ignored” as the method, and click “Apply.”

File Encryption in Nitrux

Nitrux provides multiple ways to encrypt data, including block-device encryption with dm-crypt (see Installing Nitrux), filesystem-level encryption with f2fs-crypt, and userland encryption tools like fscrypt.

  • A non-GUI option is fscrypt. fscrypt (not to be confused with f2fscrypt) is a tool for managing the native file encryption support of the ext4, F2FS, and UBIFS file systems.

Using F2FS Features in Nitrux

Since Nitrux 2.8.0, the home and /var/lib partitions will use F2FS instead of XFS. These F2FS-formatted partitions will also use the following additional filesystem features (enabled by Nitrux™).

  • Compression using zstd with compression at level 6. The primary goal is reducing writes to extend the flash lifetime and, potentially, a slight increase in performance.
  • Verification of compressed blocks using a checksum to avoid corruption.
  • Enable a better garbage collector and asynchronous garbage collection.
  • Avoid synchronously updating access or modification times, which improves I/O performance and flash durability.
  • Native F2FS file encryption. The filesystem applies encryption at the directory level, and different directories can use different encryption keys. To use F2FS’s native encryption support.

Native File Compression in F2FS

F2FS allows the user to compress directories on demand; to do this, run the following command.

chattr -R +c $DIRECTORY

Native File Encryption in F2FS

F2FS provides native encryption via f2fscrypt and fscrypt.

  • If using f2fscrypt, do the following.
    • First, create the key in the keyring using a simple salt (or generate a random salt).
f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]
  • Then use it to set the policy for encrypting the directory.
f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.
  • After each reboot, use the same command to set the key for decrypting the directory and its child directories.
f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1
  • If using fscrypt, do the following.
      • 🔰 Information: fscrypt is the preferred option over f2fscrypt; while both can manage F2FS native encryption features, f2fscrypt is deemed to be missing many essential features and is no longer actively developed.
    • Run fscrypt to create its configuration file and work directory.
sudo fscrypt setup
  • Then, run the following command.
    • Where $MOUNTPOINT is the mount point, e.g., /home.
sudo fscrypt setup $MOUNTPOINT
  • The command creates the $MOUNTPOINT/.fscrypt directory to store fscrypt policies and protectors.
    • ⚠️ Important: Never delete the hidden directory; otherwise, users will lose all access to encrypted files.

That’s it; this concludes today’s tutorial.