Enterprise Security
With Encryption, SSH, and VPN

Purpose

Please read the Disclaimers before proceeding.

Review features often required for enterprise security.

Workflow Overview

Manage LUKS encryption

You should change your disk encryption passphrase when first running the laptop and as needed after that. Open a terminal and enter the following. It is critical that you remember your passphrase; there is no way to recover the disk if it is lost! Keep a copy someplace safe and type carefully.

sudo cryptsetup luksChangeKey /dev/nvme0n1p3
# > Enter passphrase to be changed:
# > Enter new passphrase:
# > Verify passphrase:

Out of the box, your disk encryption should use only a single key (YubiKey users will have two). You may see the slots in use by issuing the following command. Example (shortened) output is shown below.

sudo cryptsetup luksDump /dev/nvme0n1p3
# > LUKS header information for /dev/nvme0n1p3
# > Key Slot 0: DISABLED
# > Key Slot 1: ENABLED
# >   ...
# > Key Slot 2: ENABLED
# >   ...
# > Key Slot 3: DISABLED
# > Key Slot 4: DISABLED
# > Key Slot 5: DISABLED
# > Key Slot 6: DISABLED
# > Key Slot 7: DISABLED

If you see more enabled key slots than expected, you may remove the extra ones. Do this carefully and make sure your data is backed up before proceeding! In the example below, we remove the key in slot 2.

sudo cryptsetup luksKillSlot /dev/nvme0n1p3 2
# > Enter any remaining passphrase:

Use the luksDump command again as shown above to ensure the slot has been removed.

If you need to add a new key:

sudo cryptsetup luksAddKey /dev/nvme0n1p3
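The slot review above is easy to do by eye on one laptop, but tedious across a fleet. The script below is an added example, not part of the original workflow: it parses luksDump output in the format shown above and reports whether the number of enabled key slots matches what you expect (1 for a passphrase-only install, 2 with a YubiKey). The sample output embedded in it is constructed so the script runs offline; in practice you would feed it `sudo cryptsetup luksDump /dev/nvme0n1p3` instead. The function names and the expected-count argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original workflow): audit the key slots
# reported by `cryptsetup luksDump` and flag any beyond the expected count.
# A real run would capture `sudo cryptsetup luksDump "$DEVICE"` into a
# variable and pass it to check_slot_count instead of SAMPLE_DUMP.

# Constructed sample of the (shortened) luksDump output format shown above.
SAMPLE_DUMP='LUKS header information for /dev/nvme0n1p3
Key Slot 0: DISABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the ENABLED slots, one per line.
enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-7]: ENABLED/ { print $3 }' | tr -d ':'
}

# Count the ENABLED slots (tr strips the padding some wc builds emit).
count_enabled_slots() {
    enabled_slots "$1" | wc -l | tr -d ' '
}

# Return 0 when the enabled-slot count matches the expected count,
# otherwise print the unexpected slots and return 1.
check_slot_count() {
    dump=$1
    expected=$2
    actual=$(count_enabled_slots "$dump")
    if [ "$actual" -eq "$expected" ]; then
        echo "OK: $actual key slot(s) enabled"
        return 0
    fi
    echo "WARNING: $actual key slot(s) enabled, expected $expected:"
    enabled_slots "$dump" | sed 's/^/  slot /'
    return 1
}

# Stand-alone demonstration: a passphrase-only install should have one slot,
# so the constructed sample with two enabled slots triggers the warning.
check_slot_count "$SAMPLE_DUMP" 1 || true
```

When the check warns, the slot numbers it lists are the ones to confirm against your inventory (your own passphrase, a YubiKey enrolment) before using luksKillSlot on any of them.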

Configure SSH

A default configuration is provided and annotated in .ssh/config for all new users.

Connect to VPN

OpenVPN is installed to ease connection to corporate networks. However, there are numerous additional VPN clients which we will detail as needed.

Disclaimers

We try hard to provide a useful workflow validated by professionals. However, we cannot anticipate every situation, and therefore cannot guarantee this procedure will work for your needs. Always back up your data and test the workflow to determine the correct procedure for you.

THIS WORKFLOW IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS WORKFLOW, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.