How to run Bitmessage in a secure Linux and Firejail sandbox

BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v
Mar 10 20:08

How to run Bitmessage in a secure Linux and Firejail sandbox
============================================================

This is a short how-to for running Bitmessage securely so that any bugs in the code will not compromise the host system. This guide is for Debian-based systems such as Ubuntu and Mint. It can be adapted with a little work to other Linux distros. This assumes you have already installed all Bitmessage dependencies such as python, PyQt, etc.

Install firejail
----------------

Enter this command in bash:

    $ sudo apt-get install firejail

Encrypt a USB thumb drive
-------------------------

Get a thumb drive and format it with LUKS / LVM encryption, encrypting the whole drive with a passphrase. This will destroy all data on the USB media. It prepares a secure medium from which we will sandbox and run Bitmessage. This sandboxing will prevent Bitmessage from accessing your /home/ directory. The encryption will prevent anyone from stealing the Bitmessage keys from your media. Never copy encryption keys to external media without encrypting them.

Copy Bitmessage to drive
------------------------

Copy the Bitmessage /src/ directory to the thumb drive. Only copy "/src/" and not the higher level directory "PyBitmessage". Now there should be only one directory on the thumb drive and it must be named "src".

Create a firejail script
------------------------

In the root directory of the thumb drive create a file named run.sh and put this code in it:

    #!/bin/bash
    # Paths are relative to the root of the thumb drive (the current directory).
    bmdir="/src/"
    bmfile="bitmessagemain.py"
    # No default profile; blacklist /home and whitelist the src directory.
    firejail --noprofile --blacklist=/home --whitelist="$PWD$bmdir" python "$PWD$bmdir$bmfile"

In bash navigate to the root directory of the thumb drive. Change the permissions on your firejail script and all other files and folders so they can't be modified:

    $ chmod 0555 run.sh
    $ chmod 0555 -Rfv src/

Now you should have one file (run.sh) and one folder (src) in the root of the USB media.

Copy keys.dat to the /src directory
-----------------------------------

This is not optional. The keys.dat file must be located in that directory. Be sure to always back up your keys.dat file elsewhere in case the USB media is lost. Both keys.dat and messages.dat must remain writable.

Run the firejail script
-----------------------

On the command line navigate to the root of the thumb drive and execute this command:

    $ ./run.sh

or:

    $ bash run.sh

Firejail will start Bitmessage in a sandbox so that Bitmessage has no access to your /home directory. If Bitmessage is exploited by any bug your personal files won't be affected. Because of changed permissions on the source code files exploits won't be able to easily modify them.
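A pre-flight check for the media layout the steps above produce, as an added example that is not part of the original post. The function name `check_bm_media` is hypothetical, and tolerating `lost+found` and a not-yet-created messages.dat are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): verify the thumb-drive layout
# before launching run.sh. check_bm_media is a hypothetical helper name.
check_bm_media() {
    root="$1"; problems=0

    # The guide expects only run.sh and src/ in the media root.
    # Assumption: lost+found (created by ext filesystems) is tolerated.
    for entry in "$root"/*; do
        [ -e "$entry" ] || continue
        case "${entry##*/}" in
            run.sh|src|lost+found) ;;
            *) echo "unexpected entry in media root: $entry"
               problems=$((problems + 1)) ;;
        esac
    done

    # run.sh must exist with mode exactly 0555 (chmod 0555 run.sh).
    if [ -z "$(find "$root/run.sh" -type f -perm 555 2>/dev/null)" ]; then
        echo "run.sh is missing or not mode 0555"; problems=$((problems + 1))
    fi

    if [ ! -d "$root/src" ]; then
        echo "src/ is missing"; return 1
    fi

    # keys.dat must be present in src/ and owner-writable.
    if [ -z "$(find "$root/src/keys.dat" -type f -perm -200 2>/dev/null)" ]; then
        echo "src/keys.dat is missing or not writable"; problems=$((problems + 1))
    fi
    # Assumption: messages.dat may not exist yet; check it only when present.
    if [ -e "$root/src/messages.dat" ] &&
       [ -z "$(find "$root/src/messages.dat" -type f -perm -200)" ]; then
        echo "src/messages.dat is not writable"; problems=$((problems + 1))
    fi

    # Everything else under src/ must be mode 0555 (chmod 0555 -R src/).
    loose=$(find "$root/src" ! -perm 555 ! -name keys.dat ! -name messages.dat)
    if [ -n "$loose" ]; then
        echo "not mode 0555:"; echo "$loose"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it from the root of the thumb drive as `check_bm_media "$PWD" && ./run.sh`; it checks mode bits with `find -perm`, so the result is the same when run as root.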

[chan] Crypto-Anarchist Federation
BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v
