While you can find dozens of products to secure Windows laptops, security products for Linux laptops are scarcer — but they do exist. We found a range of products and fixes ranging from security patches for the operating system to encryption to the equivalent of computer bicycle locks which can help keep your Linux laptop or notebook safe.

Before we get to how to protect yourself, you need to accept a depressing statistic. According to the FBI, 97% of stolen computers are never recovered. While you can do things to better your odds (see the sidebar) you pretty much have to accept the fact that when your notebook disappears, it’s gone and so is everything that was on it.

There are three problems with having a computer stolen: the loss of the machine, the loss of the information on it, and the possible security breach if that information includes sensitive information or client data. Each of those problems requires a different approach.

Insurance

The economic loss is the easiest to deal with. Insure your system.

If you have homeowners or renters’ insurance, you may already be covered. If not, you can usually get a policy rider to cover your computers, including your laptop. This is usually the cheapest way to do it, but you may not like the terms and conditions. For example, there is likely to be a hefty deductible.

You can also insure through a specialist company like Safeware. Such policies are usually more expensive than a rider on your homeowner’s policy, but they tend to be more flexible. For example most specialist companies will allow you to insure your laptop for enough to completely cover replacement.

Be sure you understand just what you are getting. You need to make sure your computer is covered when you’re away from home. Also, make sure you’re covered for the current replacement value of your machine rather than something like the cash value, which is typically much lower.

The cost will depend on the value of your computer. Some homeowners’ policies automatically include several thousand dollars in computer coverage for free. A rider or a special policy will probably cost in the neighborhood of $100 to $200 a year.

Protecting your work

If you’re doing important work on your system, you want to get your data back even if you never see the computer again. One way to do that is to make frequent backups of your critical files to a device that isn’t left connected to the computer. This can be an external hard drive or, more conveniently, a USB thumb drive.

Another approach is to do your non-confidential work on Web applications such as the Google Docs word processor. Google then stores the information no matter what happens to your computer. (Of course this assumes you’ve properly secured your computer against Wi-Fi threats and such — but if you haven’t, you’ve got bigger problems.)

And of course you can just email your work to yourself at frequent intervals. If you want more security you can encrypt the emails before sending them.

Encrypt your disk

Encrypting your system doesn’t prevent someone from stealing your laptop, but it will prevent anyone from getting at the information on the system.

The actual risk that a thief will try to get at the information on your computer is pretty small. Although there are hundreds of thousands of laptops stolen each year, there are few cases reported in the news where the information on them was used by the bad guys. Mostly laptop thieves want to resell the hardware as quickly as possible and don’t care about the information.

Encrypting your disk is easy and cheap enough that there’s no reason to risk misuse of your data, even with a purely personal machine, where you may store passwords, credit card numbers and other personal information. Of course in the business case you have to be able to prove that thieves can’t get at the data. If you can’t definitely prove it, you’re probably in trouble. If the stolen laptop has customer information, such as Social Security numbers, on it, your whole company has a problem and you may show up in the news.

Encryption alternatives

When it comes to disk encryption there are two approaches. One is to encrypt only part of the information on the disk. The other is to encrypt everything.

While you can encrypt files or folders individually, you’re much more secure if you encrypt the entire disk. If the operating system is available, the attack surface is enormously increased. Not only are there unobvious vulnerabilities, such as files in the print spool, but there are more possibilities for getting around the file encryption.

One common method of full disk encryption allows the computer to begin to boot and then prompts for a user name and a password to complete the boot. This is convenient, which is why it’s common, but it does involve a certain amount of exposure since it uses the system’s boot routine.

Physical security

Linux will not keep your laptop from being stolen. You have to do that without help from the operating system. Here are some tools that can help.

Record it — Make a record of your computer’s serial number, exact specifications, etc. write it down, and keep it in a safe place, preferably with your sales receipt. That means don’t keep it on the computer and don’t keep it in the computer case!

Paint it — Mark your computer and its carrying case with a design that’s big, bright, unique and obvious. Subtle is right out. You want something that can be seen from across the room.

Warpaint on your computer does two things. First, it helps to uniquely identify it, which makes it harder for a thief to steal it unobtrusively. It’s also harder to sell a conspicuously marked system on eBay.

Engrave it — Engrave your name and some identifying number prominently on the case, either inside or outside. This not only reduces the value to a thief, it increases the chances you’ll get the computer back.

An alternative to engraving your laptop yourself is to attach a security plate. For about $25, Stoptheft will sell you an official-looking barcoded aluminum plate that leaves the words “Stolen computer” and a phone number on the case even if it’s pried off. The bar code can also help you get the machine back if it is stolen.

Guard it — Never leave your laptop unattended unless it is secured with a lock. Even then, try not to leave it alone. Taking a computer to the bathroom with you is annoying, but not nearly as bad as coming back and finding it gone.

Lock it — Most computers have a Kensington connection (named after the vendor that popularized it) for a lock. Computer cable locks usually cost between $20 and $50 and work like a bicycle cable lock.

Alarm it — In addition to locking cables, you can use an alarm that will sound if the laptop is moved. For example, Targus’s DEFCON 1 uses an alarm attached to the locking cable. If the cable is cut or the system is moved, it activates a motion sensor alarm that sounds off at 95 dB.

Hide it — Leaving a laptop on the seat of a car is asking for trouble; put it in the trunk or covered security compartment. And don’t leave your computer on your desk in a dorm room or office. Put it in a drawer and, if possible, lock the drawer.

Finally, remember that laptops aren’t status symbols anymore. A fancy computer bag may be convenient, but it tells everyone what you’re carrying. An attache case or portfolio is less conspicuous. One young lady of my acquaintance, who is into anime, carries her laptop in a Hello Kitty diaper bag. It’s colorful and waterproof, and no one is likely to steal a diaper bag.

An alternative method, using a USB flash drive, is described in our disk encryption HOWTO. This uses a USB flash drive holding GRUB, a minimal kernel and an initrd. The setup has just enough brains to ask for a password, set up the encryption mechanism and mount it. After mounting the device resumes the boot process from the encrypted disk.

The most common way to set up an encrypted Linux system is to establish a small partition to handle booting and encrypt everything else on the disk. This is more secure than file-level encryption, but it still exposes the boot partition to crackers. How much of a problem that presents is somewhat controversial. Some people think the added risk is negligible or non-existent, while others believe it poses a significant additional risk beyond true full disk encryption.

If you want stronger encryption than that you can use a utility that requires a separate key before you can even start booting.

A number of products let you encrypt only specific files, directories, and such. For example dm-crypt uses the device-mapper built into the Linux 2.6 kernel as a basis for block-level encryption. Device-mapper creates virtual block devices on physical virtual devices such as disks, and dm-crypt uses that ability to encrypt just about any kind of block you want encrypted.

Dm-crypt lets you pick the encoding method from among several symmetrical ciphers, as well as the key length, and then create a device in /dev. Writes and reads to the new device are then automatically encrypted and decrypted.

TrueCrypt creates encrypted devices, such as disk volumes, and encrypts and decrypts them on the fly without user intervention. Versions of TrueCrypt earlier than v4.1 suffer from the same vulnerability as older 2.6 kernels.

Of course, encryption implies keys, and those in turn imply key management. You need to be able to get into your system even if you lose a key. Needless to say, you don’t keep a physical key with your computer. One common practice is to put a memory stick containing the key on your (physical) key chain. If you use a disk to hold your key you can stick the disk in your pocket or purse. Don’t put it in your laptop case and always take it with you if you leave your machine.

Find your stolen system

If your system is stolen, you may be able to find it again if the thief connects to the Internet. There are a couple of products for Windows that do this, but none for Linux.

However, you can set up your own tracking system using a dynamic DNS provider, such as DynDNS, and setting up a client to keep track of the computer’s actual IP address. If your computer is stolen, you can can look for your DNS entry with ping. If you find it online, you can use traceroute or something similar to find the gateway your computer is using. Then you can contact the police and the thief’s ISP to get your computer back.

(Of course this technique is not foolproof. If the thief reformats the hard disk, you’re out of luck. Unfortunately a lot of thieves, or their fences, do reformat disks as a matter of course. Still, implementing this system simple enough to do and can work against an unsophisticated crook.)

Compliance policy issues

Increasingly, security is about compliance with various laws and regulations. HIPPA, Sarbanes-Oxley, and a host of others mandate that data be protected. More than that, most of these mandates require that companies be able to prove the data is protected.

Where this gets sticky for Linux is that to meet those requirements, many companies mandate that only approved products be used for security. Since the approved lists are typically Windows-centric, it can be hard for Linux users to get products for their laptops approved.

There are two ways for Linux users to deal with the situation. Either check and see if your company’s chosen security products come in a Linux version or get your security people to agree to let you use a Linux product.

A surprising number of security companies do offer Linux versions of their products, more than laptop Linux’ market penetration actually warrants. For instance, Check Point Software Technologies specializes in data protection with emphasis on big enterprises, and most of its business is focused solidly on Windows. Yet Check Point’s full disk encryption software also supports Linux. The reason, ironically, is that Check Point aims its business at large enterprises, in which a certain number of non-Windows laptops, running, say, Linux, need to be protected.

Alternatively, you can try to convince the IT security people that there are products available for Linux that offer equivalent levels of security, but this can be a long, hard slog.

And finally

Keep in mind that most of these methods are not foolproof. If a thief has your computer, technical knowledge, and persistence, it is hard to keep the information secure. But few thieves have the knowledge, equipment, or interest to break into a well-protected system.

The only truly foolproof security method is to not have sensitive data on your laptop or notebook in the first place.

How much protection is enough? Ultimately you have to decide.

Privoxy

Privoxy is a standalone application full of impressive features. It’s a breeze to install. Its default settings are ideal for most users. Fedora and Ubuntu users can respectively install it with the commands yum install privoxy and sudo apt-get install privoxy, or you can grab the source tarball and install it with the commands ./configure, make, make install. Once installed, Privoxy will bind to localhost (127.0.0.1) at port 8118. You can choose a different port and network interface during the manual installation, or specify it under section 4.1 of the /etc/privoxy/config file.

You need to inform your browser about Privoxy before you begin using it. In the Firefox preferences dialog box, click Advanced and then click the Network tab, and click the Settings button under Connection. Choose Manual proxy configuration and fill in 127.0.0.1 and port 8118 for HTTP proxy. Make sure localhost or 127.0.0.1 are not listed in the “No proxy for” field. You can now access the Privoxy browser interface at http://p.p/

Privoxy has two sets of configuration files. You can filter HTML, CSS, JavaScript, and other content using the filter files. The default filter rules are defined in the /etc/privoxy/default.filter file. The other set of files, which are called action files, define what action Privoxy should take for each Web site it encounters. The rules for cookies, ads, and other objects are defined in action files. On a default installation, Privoxy disables banner ads based on size, all popup windows, and Google ads. The default action rules are contained in the /etc/privoxy/default.action file. All configuration files rely on regular expressions, so unless you are confident about what you are doing, do not edit the default.filter or the default.action files. Unfortunately you can’t edit the files through the browser interface.

Webcleaner

Webcleaner can do everything Privoxy can, and it also has an antivirus filter and can reduce images on a Web site to low-bandwidth JPEGs. Unlike Privoxy, the Webcleaner browser interface can be used to handle the configuration. However, Webcleaner makes users suffer through a demanding installation. It requires tools such as Python Image Libraries (PIL) and Clamav to be installed if you respectively wish to use the image compression and virus filter features. To apply content filtering to SSL-encrypted Web pages, you need to additionally install the Open-SSL and Python-openssl packages, in addition to Python 2.4 and Runit (a replacement for the init system), and although the software’s requirements don’t list it, I had to also install the python-devel package.

If you follow the installation instructions, you should be able to bring up the browser interface. Make sure your browser proxy settings point to 127.0.0.1 and port 8080 instead of the 8118 used for Privoxy. Open a terminal window, start Webcleaner with the command webcleaner, then point your browser to http://127.0.0.1:8080. You will see two passwords on your screen; edit the /usr/share/webcleaner/config/webcleaner.conf file and look for the adminpass="" line. Fill in the MD5 password generated by Webcleaner into this field. The other password you’ll use to log in to Webcleaner. Now you can restart Webcleaner. This time, visiting http://127.0.0.1:8080 will bring up a login screen.

I find the Webcleaner interface a little complicated. While it’s well-categorized and moving around is easy, when it comes to adding your own filter settings, Privoxy wins hands down. Like Privoxy, Webcleaner blocks ads and deanimates GIFs out of the box. But on a few sites, I found it had corrupted the text flow by removing the ads.

Dansguardian and Squid

A third alternative, and one of the most popular content filter setups, involves two applications. The actual filtering is performed by DansGuardian. It allows you to filter Web pages based on exact phrase matching, and also supports Platform for Internet Content Selection (PICS), which means you can filter pages with possible objectionable content. You can even configure DansGuardian to use third-party blacklists or use it to maintain one of your own.

Squid is a proxy server that supports HTTP and FTP, but it has limited support for other protocols, such as TLS and SSL. In this setup, Squid fetches Web pages and feeds them to DansGuardian. (You can configure DansGuardian to work with any proxy server.)

Once installed, Squid binds to port 3128 — but DansGuardian listens on port 8080. This means you need to use iptables to redirect all traffic to port 8080 as we’ve discussed in the past.

Final verdict

Both Webcleaner and DansGuardian are useful if you’re prone to virus attacks. Their only downside is that while Webcleaner has an uncomfortable configuration system, Dansguardian is not a standalone application. Privoxy, with its ease of use and impressive features, should suffice for any home user on most networks.