Stenographers' Surface Go Tablet Security Config 2022
<blockquote data-quote="Stenographers" data-source="post: 1011936" data-attributes="member: 97396"><p>I am running Fedora Silverblue 37 on my Surface Go tablet. Fedora Silverblue is an immutable operating system, meaning that it cannot end up in an unrecoverable state due to software.</p><p>To achieve this, Fedora Silverblue mounts the system as read-only; you only have write access to a handful of folders like /var/home/%username%/. This means you cannot install software the traditional way. Instead you are meant to use Flatpaks, which can have their permissions managed by the program Flatseal. For those programs that are only available as .rpm files, you have two options: either layer the RPM on top of the system by installing it with rpm-ostree, or install it in a toolbox (which is just a Podman container with access to devices and /var/home/ on the host). Obviously the latter is the preferred method.</p><p>Fedora Silverblue's system files are stored in snapshots, with rpm-ostree providing a method similar to git (but for system files). When you update the system it creates a new system snapshot and applies the updates to that; when you reboot, it boots into that new snapshot. It then leaves the last few for you to roll back to in case something goes sideways.</p><p>Managing permissions of programs with Flatseal is critical to privacy. For example, I have Microsoft Edge installed but it only has access to my downloads folder. The read-only file system and SELinux in enforced mode also provide some resiliency against most malware. This isn't my primary device; my main computer is running Qubes OS.</p><p>For my files I host a Nextcloud server (Ubuntu, public cloud provider) with E2E encryption and encryption at rest. Those get backed up to an isolated virtual machine in my home running openSUSE MicroOS. That server then encrypts and uploads the files to S3 storage in the cloud.</p></blockquote>
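The post's claim that Edge "only has access to my downloads folder" is something Flatseal shows in its GUI, but it can also be checked from a terminal. The script below is an added example, not code from the post or from Flatpak/Flatseal: it parses the INI-style output of `flatpak info --show-permissions APP-ID` (effective permissions, manifest plus overrides) and prints any filesystem grant outside an allow-list. The function name `fs_violations` and the sample permissions text are constructed for this example.

```sh
#!/bin/sh
# fs_violations ALLOWED reads `flatpak info --show-permissions` output on stdin
# and prints each [Context] filesystems= entry whose base path is not in the
# comma-separated ALLOWED list. Entries starting with "!" are denials and are
# skipped; ":ro", ":rw" and ":create" suffixes are ignored when matching.
# Prints nothing when the app is within the allow-list.
fs_violations() {
    awk -F= -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^\[/ { section = $0 }
        section == "[Context]" && $1 == "filesystems" {
            m = split($2, fs, ";")
            for (i = 1; i <= m; i++) {
                entry = fs[i]
                if (entry == "" || substr(entry, 1, 1) == "!") continue
                base = entry
                sub(/:(ro|rw|create)$/, "", base)   # strip access-mode suffix
                if (!(base in ok)) print entry
            }
        }'
}

# Constructed sample, shaped like real `flatpak info --show-permissions` output:
# the app was granted read-only access to the whole home directory in addition
# to the downloads folder, which an "only downloads" policy should flag.
SAMPLE='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;home:ro;!xdg-config/kdeglobals;

[Session Bus Policy]
org.freedesktop.Notifications=talk
'

# Demo on the sample. Real use, for an installed app:
#   flatpak info --show-permissions com.microsoft.Edge | fs_violations xdg-download
demo() { printf '%s\n' "$SAMPLE" | fs_violations xdg-download; }
demo
```

A non-empty result means the sandbox is wider than intended; `flatpak override --user --nofilesystem=home APP-ID` (or the same change in Flatseal) narrows it, after which the check prints nothing.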