My new setup with Gentoo


I guess I did it.

Gentoo

Apparently I installed Gentoo on my machine. It's fine for what it is; most annoyances I had were during the install, due to my Linux-unfriendly hardware [1]. What hardware I use you can see in the screenshot, but if you are too lazy to zoom in, it's a Ryzen 5 1600 and a GTX 970 with 16GB of RAM. Sounds good, right? Ye, it is, and it is the first machine I installed Gentoo on where it didn't need ages to compile everything. Don't get me wrong, I sat there a whole day, but in comparison to the Core 2 Duo of my old Thinkpad T61, it's a day and night difference.

My make.conf is not too full; it does everything I need and a tiny bit more, but is pretty small nonetheless. The only two USE flags worth talking about are hardened and -telemetry. The former enhances security in the toolchain, as the Gentoo site says, and the latter makes sure that packages do not include telemetry. [2]

Transparently routing all my traffic through Tor

I am planning on routing all my traffic through Tor. As of now most of my traffic is already going through Tor, but it's all done manually and separately, nothing system-wide. I am working on doing that. I will first try that on my other machine; if that works, I will aim to do that on my main machine too. Here are some guides I found on doing that:

Disk encryption

To avoid more hassle than needed I just followed the AMD64 handbook and did not set up any full disk encryption with LUKS and LVM. Now I regret it. Now I have basically two options: installing something like VeraCrypt, or booting into a live CD and setting up the encryption with dm-crypt manually. The latter honestly sounds like I am losing all my data, plus some unneeded kernel panics as well (I have to change some stuff in the kernel to do so). The former is probably easier, but it feels less secure. So, I don't know. Currently I do not have time for either of the two, but when I get permanently home again, I will consider getting some disk encryption like all the cool kids have nowadays.

Eh, I wanted to include another post from nanochan here on how to secure the bootloader, but it's not available now, so maybe next weekend I will write more about this.

AppArmor and Firejail

This might be one of the points where OpenBSD is far superior by default, but on the computer I am running right now I have no choice but to run GNU/Linux (if I want a free as in freedom operating system). Back in the day I ran Whonix virtual machines, which I used exclusively for all internet-related stuff. The problem with this setup, and the reason why I do not use it anymore, is that it's bloated, very bloated. VirtualBox, Whonix, all the stuff Whonix brings with it and the kernel modules needed to run it, all of it is just very big, bloated and a huge security risk. It doesn't matter how private and anonymous my network traffic is if there are a thousand and one ways to compromise my system.

The best tools for this purpose are probably AppArmor and Firejail; both have very low overhead and are pretty minimalist, while achieving what I need. I'll keep you up to date on that.