What is a sane default for a "hardened" install?

I’ve been looking into reinstalling EOS for my laptop, but making it more hardened. Right now, I’m considering the following partition layout:

  • Unencrypted boot partition (Systemd boot loader)
  • LVM partition encrypted with LUKS. The LVM contains:
    • swap partition
    • /home partition (ext4)
    • root (/) partition (ext4)

In terms of hardening, should I do more? How much more should I do? I know there are no definitive answers to my questions. I’m merely asking for opinions on what you all would do.

You don’t need an unencrypted boot for systemd. We mount the ESP at /efi and that is the only thing that needs to be unencrypted.

You have to start with understanding what threats you are trying to prevent. For example, disk encryption helps protect you against theft or inadvertent loss of a physical drive or device.

You need to think about the threats you care about and put controls in place to mitigate those threats. Other than installing and running a local firewall, you will find it difficult to blindly make your machine “more secure” against all threats.

You can start here for some hints:

3 Likes

You don’t need an unencrypted boot for systemd. We mount the ESP at /efi and that is the only thing that needs to be unencrypted.

My apologies, this is what I meant. I read that there would be delays in booting if the ESP partition was also encrypted.

…against theft or inadvertent loss of a physical drive or device.

This is my main concern since this is a laptop. I’ve also read about cold boot attacks, where an attacker might dump the RAM contents and possibly get the encryption key (the RAM is easily removable on my laptop). However, I don’t know if this is something I specifically should be concerned about, or perhaps it’s only a concern for targeted thefts, i.e. if I was a government official or celebrity.

There has been an awful lot written about security & hardening… I have joined that ‘club’. If you want to read about my journeys they are documented in too much details here:

2 Likes

Sane defaults will vary, for different values of “sane.” From the Arch page Dalto cited:

  • It is possible to tighten security to the point where the system is unusable. Security and convenience must be balanced. The trick is to create a secure and useful system.
  • The biggest threat is, and will always be, the user.
  • The principle of least privilege: Each part of a system should only be able to access what is strictly required, and nothing more.
  • Defense in depth: Security works better in independent layers. When one layer is breached, another should stop the attack.
  • Be a little paranoid. And be suspicious. If anything sounds too good to be true, it probably is!
  • You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it.
  • Prepare for failure. Create a plan ahead of time to follow when your security is broken.

I see where you’re coming from: for the average user, shouldn’t there be some middle-of-the-road defaults you can use as a starting point? The answer, though, is no. Depending on your circumstances, how you use your computer, what you connect to, and what information you need or have, your sane defaults are going to vary – a lot.

Your security learning can start with EOS, which provides a decent starting point, then learn by doing. Manyroads’ article is a decent outline of the huge security landscape, so read, learn, test.

1 Like

looks at the article Too much details indeed lol.

In all seriousness, this looks like a great resource, especially those related articles. Thanks for linking!

1 Like

I was hoping to get individuals’ opinions on what their defaults and preferences are and then evaluate if a certain practice they do is something that’s feasible and practical for my use case. Since I haven’t really received anything (other than what manyroads linked), I’m settling on something like:

  • Partition layout in my original post
  • Password-locking my BIOS
  • Configuring secure boot

Then maybe adding something more depending on what I find in manyroads’ article.

I have been testing a little in a VM, but I will have to test on my real machine due to some hypervisor limitations. It’s okay though, I don’t have that much data on this laptop, and what data I do have is already backed up.

Your partition layout has a very small impact on security.

This increases security but do keep in mind that BIOS passwords can usually be removed/reset.

This helps against very specific types of attacks; you should check and see if those are real-world issues for your use case.


Again, it all depends on what you are trying to protect against. Is physical loss your biggest concern? Are you trying to protect against government espionage or common theft?

Most security issues come from other places. Typically, successful attacks come from a compromised device inside your network or from inside your device.

I can tell you some of the things that I personally do for my concerns:

  • I use disk encryption. Either LUKS or ZFS encryption on every partition except the ESP.
  • I have a local firewall which blocks all incoming connections except those I explicitly allow.
  • I have a local application firewall that blocks all outgoing connections except applications/ports/destinations that I have specifically whitelisted.
  • I use an encrypted password manager.
  • I use TOTP two-factor whenever possible; I never use phone- or email-based two-factor when I can avoid it.
  • I protect my email account with 2 factor auth.
  • I protect my phone carrier account with 2 factor auth.
  • Anything that leaves my machine to go to cloud sources is encrypted by me using common, publicly reviewed encryption. I avoid using the encryption provided by most 3rd party tools unless I have no choice or it is a secondary level of encryption.
  • I use multiple browsers that have different extensions and different settings specialized for each use case.
  • I have unique passwords for every login/machine/account/site/whatever.
  • I rotate my wifi passwords and any other important passwords.
  • I have a highly segmented network with multiple subnets for different purposes with different levels of security.
  • Most importantly, I practice sage computing and am careful in the actions I take.

There are probably other things I am forgetting but those are some of the basics. I am not saying this is the list that everyone should use. Others have different data than me, different computing habits and different risks. Those all demand their own considerations.

Again, if you focus on “being more secure” you will almost always get to the wrong answer. I can’t tell you how many times I have seen someone be compromised who thought they had done everything possible to increase security only to have missed something obvious or critical. Instead focus on “how do people compromise my security” and put mitigations in place for those things.

2 Likes

Since this is a laptop, I was thinking more of common theft. I want to make sure that would-be thieves wouldn’t be able to access my data and, at worst, just wipe my drive to use for their own purposes.

Regarding the practices you’ve adopted, I do some of what you do. The thing I’ll have to look into is securing my network since you’re right about network compromised devices being a more common security issue.

This is well said. I’ll be more sensible and practical in what security practices I adopt.

1 Like

You have two firewalls installed on your computer? One typical firewall and the other an application firewall? How does that work?
I was under the impression that there can only be a single active firewall.

I do a lot of these as well.

Nowadays I don’t really know of a good way of creating new passwords for my machine accounts, so I’ve been using the same one for a long time on different systems, but I do use FDE. How do you create new passwords for your machine accounts? I’m curious to know if you have a good system for remembering the new passwords you created when you get a new machine.

I use Password1, Password2, Password3 etc. No hacker is ever going to compromise me!

4 Likes

I don’t follow how that’s a good system and way to remember new passwords?

Sorry, I should have used the :clown_face: emoji to avoid confusion.

3 Likes

I can’t speak for what Dalto has but I think I have a similar setup. I think mine may be similar but if not maybe someone reading will find what I have interesting anyway.

I have the UFW software firewall and its only role is to manage inbound connections. The outgoing firewall is one that only manages outbound connections (Block is the default), so they serve two different roles.
The outgoing firewall Dalto is using is likely the same as what I use; it’s called Opensnitch and is an application-level firewall where you control the network traffic in fine detail for every individual piece of software (or command-line tool such as Yay, Pacman, YT-DLP) on the PC. In mine I have specific domains in a global block list so software cannot call out to them, and I also have a global allow list for ports or destinations I am fine with any software accessing; I also block TCP6 and UDP6 for everything too.

I also have lots of firewall rules in Opensnitch for software with their own unique parameters. For Onlyoffice I reject all outbound connections it may try to make, same with Obsidian, as I feel those applications don’t need to connect anywhere outside for my use of them. For the global block list I prevent any software reaching many google domains plus other telemetry ones like firefox. Also, games try to connect to servers such as epic games; I block games connecting externally since this is likely telemetry while you play the game. I don’t play online games, so this connectivity is mostly never necessary.

But what is useful about opensnitch is that whenever you use software or install new software, it pops up messages telling you what it’s connecting to externally and lets you control whether to allow it or not, so I always know where a piece of software tries to call out externally in the event one tries to call out to something suspicious.

3 Likes
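The layered outbound policy described in that post (global block list, per-application rules, global allow list, default block) as an added worked example. This is illustration code written for this thread, not Opensnitch’s own code or rule format; the evaluation order, process paths and host names are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Conn:
    process: str   # program opening the connection
    dst_host: str  # destination host name ("" if unresolved)
    dst_port: int
    proto: str     # "tcp", "udp", "tcp6", "udp6"

@dataclass
class Policy:
    global_block_hosts: set = field(default_factory=set)  # e.g. telemetry domains
    blocked_protos: set = field(default_factory=set)      # e.g. {"tcp6", "udp6"}
    app_rules: dict = field(default_factory=dict)         # process path -> "allow" | "deny"
    global_allow_ports: set = field(default_factory=set)  # any program may use these
    default: str = "deny"                                 # unknown software is blocked

def host_blocked(host: str, blocked: set) -> bool:
    """True if host or any parent domain is listed (cdn.ads.example matches ads.example)."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def decide(policy: Policy, c: Conn) -> tuple:
    """First match wins. Order (global denies, per-app rules, global allows, default) is assumed."""
    if c.proto in policy.blocked_protos:
        return "deny", f"protocol {c.proto} blocked globally"
    if c.dst_host and host_blocked(c.dst_host, policy.global_block_hosts):
        return "deny", f"{c.dst_host} is on the global block list"
    if c.process in policy.app_rules:
        return policy.app_rules[c.process], f"per-application rule for {c.process}"
    if c.dst_port in policy.global_allow_ports:
        return "allow", f"port {c.dst_port} is on the global allow list"
    return policy.default, "no matching rule, default action"

POLICY = Policy(  # constructed policy: paths and host names below are made up
    global_block_hosts={"telemetry.example", "ads.example"},
    blocked_protos={"tcp6", "udp6"},
    app_rules={"/usr/bin/onlyoffice": "deny", "/usr/bin/pacman": "allow"},
    global_allow_ports={53, 443},
)
EVENTS = [  # constructed connection attempts, one per rule branch
    Conn("/usr/bin/firefox", "cdn.ads.example", 443, "tcp"),
    Conn("/usr/bin/firefox", "www.example.org", 443, "tcp"),
    Conn("/usr/bin/onlyoffice", "update.example.org", 443, "tcp"),
    Conn("/usr/bin/pacman", "mirror.example.org", 80, "tcp"),
    Conn("/usr/bin/somegame", "lobby.example.org", 27015, "udp"),
    Conn("/usr/bin/curl", "www.example.org", 443, "tcp6"),
]
def audit(policy: Policy = POLICY, events: list = EVENTS) -> list:  # (process, action, why)
    return [(e.process, *decide(policy, e)) for e in events]
```

Note that the per-application deny is checked before the global port allow list, so Onlyoffice stays blocked even on port 443; reorder the checks in `decide` if you want broad allows to win instead.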

You should only have one network-type local firewall like firewalld or ufw.

An application firewall is a different thing entirely. It looks at what applications are doing and can deny or allow traffic to specific applications. These tools serve different purposes.

I don’t have a system. I just come up with a new password. I also keep the passwords in my password manager because I will sometimes forget them right after changing them.

2 Likes

I’m jealous.

https://www.extremetech.com/defense/151980-inside-ibms-67-billion-sage-the-largest-computer-ever-built

4 Likes

This is an incredibly good report of your security and I really like it. I like the UFW default that you are using.

I think a guy like me could watch Opensnitch for hours though. How do you differentiate normal from alarming? (I was so in over my head with Wireshark once…)

Also, do you run your global blocklist through UBO? Or hosts? Or iptables?

I used to have one like this. Did you find this on GitHub? (I want it.)

^^^ I trust Endeavour, I trust ufw, firewalld, linux architecture for day-to-day bug/pup/mal prevention, but like you, OP, it’s the stealth firmware sh@! that is worrying me. It is 2025 and we still don’t know how to see/find a lot of that new firmware malware…as far as my reading that is.

Because opensnitch tells you which application is making the connection, it is usually pretty easy to figure it out. Every once in a while I find something I have to look up.

That being said, when you first turn it on, everything starts sending popups asking you to allow access so it is pretty annoying for the first couple of days. It is generally smooth once you get through that startup period though.

2 Likes

had to ask.

Wireshark never told you crap :).

I’m getting a feeling that it is a much more friendly/understandable app than I’d been led to believe. Thanks Dalto