How to run Bitmessage in a secure Linux and Firejail sandbox

BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v
Mar 10 20:08 [raw]

How to run Bitmessage in a secure Linux and Firejail sandbox
============================================================

This is a short how-to for running Bitmessage securely so that any bugs in the code will not compromise the host system. This guide is for Debian-based systems such as Ubuntu and Mint. It can be adapted with a little work to other Linux distros. This assumes you have already installed all Bitmessage dependencies such as python, PyQt, etc.

Install firejail
----------------

Enter this command in bash:

    $ sudo apt-get install firejail

Encrypt a USB thumb drive
-------------------------

Get a thumb drive and format it with LUKS / LVM encryption, encrypting the whole drive with a passphrase. This will destroy all data on the USB media. It prepares a secure medium from which we will sandbox and run Bitmessage. This sandboxing will prevent Bitmessage from accessing your /home/ directory. The encryption will prevent anyone from stealing the Bitmessage keys from your media. Never copy encryption keys to external media without encrypting them.

Copy Bitmessage to drive
------------------------

Copy the Bitmessage /src/ directory to the thumb drive. Only copy "/src/" and not the higher-level directory "PyBitmessage". Now there should be only one directory on the thumb drive and it must be named "src".

Create a firejail script
------------------------

In the root directory of the thumb drive create a file named run.sh and put this code in it:

    #!/bin/bash
    # Run this from the root of the thumb drive: the paths are built from $PWD.
    bmdir="/src/"
    bmfile="bitmessagemain.py"
    # No profile, hide /home entirely, expose only the src directory, and start
    # Bitmessage from there. Variables are quoted so mount points with spaces work.
    firejail --noprofile --blacklist=/home --whitelist="$PWD$bmdir" python "$PWD$bmdir$bmfile"

In bash navigate to the root directory of the thumb drive. Change the permissions on your firejail script and all other files and folders so they can't be modified:

    $ chmod 0555 run.sh
    $ chmod 0555 -Rfv src/

Now you should have one file (run.sh) and one folder (src) in the root of the USB media.

Copy keys.dat to the /src directory
-----------------------------------

This is not optional. The keys.dat file must be located in that directory. Be sure to always back up your keys.dat file elsewhere in case the USB media is lost. Both keys.dat and messages.dat must remain writeable.

Run the firejail script
-----------------------

On the command line navigate to the root of the thumb drive and execute this command:

    $ ./run.sh

or:

    $ bash run.sh

Firejail will start Bitmessage in a sandbox so that Bitmessage has no access to your /home directory. If Bitmessage is exploited by any bug, your personal files won't be affected. Because of the changed permissions on the source code files, exploits won't be able to easily modify them.
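The steps above (read-only src/, a writable keys.dat beside bitmessagemain.py, then firejail with /home blacklisted and only src/ whitelisted) can be checked mechanically before the sandbox starts. The launcher below is an added example, not the post's run.sh and not PyBitmessage's code: the function names check_layout and run_sandboxed and the BM_DRY_RUN variable are my own, and it takes the thumb drive's mount point as an argument instead of relying on $PWD. It uses the same firejail flags as the post's script.

```shell
#!/bin/bash
# Added example (not the post's run.sh): verify the thumb-drive layout the
# post asks for, then hand only that directory to Firejail.
# Usage: ./launch.sh /media/<user>/<drive>   (mount point of the USB media)
set -u

# check_layout ROOT: return 0 if ROOT/src matches the post's layout,
# otherwise print each problem found and return 1.
check_layout() {
    root="$1"
    ok=0
    [ -d "$root/src" ] || { echo "missing directory: $root/src"; ok=1; }
    [ -f "$root/src/bitmessagemain.py" ] || { echo "missing: $root/src/bitmessagemain.py"; ok=1; }
    # keys.dat next to bitmessagemain.py makes Bitmessage keep its data on the
    # drive (portable mode), so nothing under the blacklisted /home is needed.
    [ -f "$root/src/keys.dat" ] || { echo "missing: $root/src/keys.dat"; ok=1; }
    # keys.dat and messages.dat must stay writable (per the post); the Python
    # sources should be 0555 so a compromised process cannot persist changes
    # into them. Any .py file with a write bit set is flagged.
    writable=$(find "$root/src" -type f -name '*.py' -perm /0222 2>/dev/null || true)
    if [ -n "$writable" ]; then
        echo "writable source files (expected mode 0555):"
        echo "$writable"
        ok=1
    fi
    return "$ok"
}

# run_sandboxed ROOT: check the layout, then start Bitmessage under Firejail
# with /home hidden and only ROOT/src visible, the same flags as the post's
# run.sh. With BM_DRY_RUN=1 the command line is printed instead of executed.
run_sandboxed() {
    root="$1"
    check_layout "$root" || return 1
    set -- firejail --noprofile --blacklist=/home "--whitelist=$root/src" \
        python "$root/src/bitmessagemain.py"
    if [ "${BM_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed"; return 2; }
    exec "$@"
}

# Entry point: only acts when a mount point is given on the command line.
case "${1:-}" in
    "") ;;
    *) run_sandboxed "$1" ;;
esac
```

Run it as `./launch.sh /media/<user>/<drive>` after step "Copy keys.dat to the /src directory"; `BM_DRY_RUN=1 ./launch.sh /media/<user>/<drive>` shows the exact firejail invocation without starting anything. One caveat worth knowing: Firejail implements --whitelist only for a fixed set of top-level directories (among them the user's home, /media, /mnt, /tmp, /var and /opt), so a thumb drive auto-mounted under /media or /mnt is what makes the post's --whitelist line effective; the check above does not verify the mount point itself.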

[chan] Crypto-Anarchist Federation
BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v