PC-BSD Day 19: Improving end-user security (day 2)
Vidalia and TOR
My my, this experiment took longer than I expected. Trying to install Vidalia via the ports collection didn’t work out. There were dependency issues with Qt-xx-4.3.1 packages while Qt-xx-4.3.0 were installed. That brought back some bad memories about the ‘old days’ under Linux. I still can’t figure out why a third digit update should break other packages.
Anyway, I decided on sticking with the packages and installed TOR, Privoxy and Vidalia that way. For Vidalia I needed to install tor-devel instead of tor. Remember, I wanted Vidalia to have a nice graphical interface to set up both Privoxy and TOR. Unfortunately, this was one of those days. Launching Vidalia ran into segmentation fault 11 and then nothing. The good thing is that you can set up both TOR and Privoxy by getting into the configuration files. For one, I needed to ‘tell’ PC-BSD to run the two programs at boot time. This was my first acquaintance with the /etc/rc.conf file. I added two lines:
After that I needed to create two new directories that Privoxy badly wanted in order to work:
The third step required editing the config file in /usr/local/etc/privoxy. According to the TOR page the following line had to be added in order for TOR to use Privoxy in the proper way:
forward-socks4a / 127.0.0.1:9050 .
Finally, in order to make the use of TOR from within Firefox somewhat easier, I added the TORbutton extension to the web browser. That should do it. I thought.
The only thing I could actually get while browsing was the Privoxy page telling me it wasn’t possible. I guess some more fiddling is required. When it comes to setting up TOR for the end-user I think we could call this a fail. Compared to setting TOR up under Windows and/or Linux the version for FreeBSD needs some work before it can be called user-friendly.
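Added example, not part of the original post: a small shell check for the Privoxy forwarding line quoted above, one place to look when Privoxy answers but pages do not load. The function names, verdict labels and sample configs are constructed for illustration; 127.0.0.1:9050 is the address from the post.

```shell
#!/bin/sh
# Added example: audit the catch-all forwarding rule in a Privoxy config.
# Reads the config on stdin and prints one verdict:
#   ok             forward-socks4a / <want> .   (the line from the post)
#   dns-leak       forward-socks4: Privoxy resolves hostnames itself, outside Tor
#   other          some other forward-socks* directive
#   wrong-target   SOCKS address differs from the expected one
#   no-parent-dot  fourth field is not ".", i.e. "no HTTP parent proxy"
#   missing        no active catch-all rule (absent or commented out)
check_privoxy_forward() {
    want=${1:-127.0.0.1:9050}   # assumed Tor SOCKS address, as in the post
    awk -v want="$want" '
        { sub(/#.*/, "") }                     # drop comments
        $1 ~ /^forward-socks/ && $2 == "/" {   # catch-all pattern; last match wins
            found = 1; directive = $1; target = $3; parent = $4
        }
        END {
            if (!found)                              print "missing"
            else if (directive == "forward-socks4")  print "dns-leak"
            else if (directive != "forward-socks4a") print "other"
            else if (target != want)                 print "wrong-target"
            else if (parent != ".")                  print "no-parent-dot"
            else                                     print "ok"
        }'
}

# Constructed sample configs (not taken from a real system).
sample_conf() {
    case $1 in
        page)      printf '%s\n' 'listen-address 127.0.0.1:8118' \
                                 'forward-socks4a / 127.0.0.1:9050 .' ;;
        socks4)    printf '%s\n' 'forward-socks4 / 127.0.0.1:9050 .' ;;
        nodot)     printf '%s\n' 'forward-socks4a / 127.0.0.1:9050' ;;
        port)      printf '%s\n' 'forward-socks4a / 127.0.0.1:9150 .' ;;
        commented) printf '%s\n' '#forward-socks4a / 127.0.0.1:9050 .' ;;
    esac
}

for kind in page socks4 nodot port commented; do
    printf '%-10s %s\n' "$kind" "$(sample_conf "$kind" | check_privoxy_forward)"
done
```

On the setup described here the input would be the config file in /usr/local/etc/privoxy, redirected to the function's standard input. Only the catch-all "/" rule is checked; more specific forwarding patterns later in the file are not evaluated.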
Drive and file encryption
One program I like for getting an encrypted drive is Truecrypt. The version for Windows is easy to install and to use. The Linux version is more cumbersome since there is no GUI included with the program. And, as I found out, there is no *BSD version for it. For good measure I tried to install it under Wine (it did install but wouldn’t launch) or compile it from source (no luck there). So, what other methods are there for drive and file encryption for FreeBSD/PC-BSD?
For starters, you can set up an encrypted swap space while installing PC-BSD. This is considered a good thing for laptop users. FreeBSD has the ability on-board to encrypt disk partitions and this is explained in chapter 18.16 of the FreeBSD handbook. The chapter discusses two methods, but, in all honesty, I kind of tuned out when I noticed the phrase: Rebuild the kernel as described in Chapter 8.
This doesn’t mean file encryption isn’t possible. It is, but it requires command-line actions. I found references to three programs: bcrypt, mcrypt and ncrypt. Of these three I found ncrypt the easiest to use. The instructions on how to construct the proper command-line to encrypt or decrypt a file are concise and easy to understand. The other two had quite cryptic messages (pun intended) before I could actually start working with them.
Anyway, the available methods are outside the reach of the average end-user, especially when he/she is trying to get away from Windows. On the other hand, if you are aware of the need for this level of security you’re not the average user anymore and you might even enjoy the command-line tools.