Download Whonix ISO






















You can download any Parrot OS edition on the official Parrot website, and also use it with different methods. It works in two parts: a gateway that acts as the Tor gateway (which redirects all of your traffic, just as Tails does), and a workstation that routes all the connections via that Tor gateway.

Just leave it there handling the Tor routing. And remember, the workstation depends on the gateway. But once you take away these drawbacks, you get an extremely secure and anonymous virtual machine running on top of your operating system. If you care about being anonymous, Whonix is a good-to-go option. It has additional security hardening, such as strengthened Linux account isolation and a VM live mode that prevents malware propagation.

Virtual machines are the only way to run Whonix OS, so you can choose the right download method according to your current OS. Qubes is an open-source, security-oriented operating system. Unlike other Linux OSs covered in this article, Qubes needs to be installed directly on your computer. You can use different templates to run different kinds of software. For example, run Microsoft Word on top of a Windows template, or use a terminal app qube based on the Debian template.


Your activities die as soon as you boot off the system. Apart from that, Tails provides you with complete anonymity through a pre-configured Tor browser.

This helps you to stay anonymous on the internet and circumvent censorship. Tails also has a long list of pre-installed privacy software.

You can see the entire list here. Whonix is another popular Tor-based Linux system. It is actually a heavily reconfigured Debian Linux that is designed to run inside a virtual machine. The virtual machine provides a sandbox that keeps your actual system (also called the host system) safe.

In other words, it uses the Tor protocol for accessing the internet, which means that your connection is ultrasecure and encrypted. Compartmentalization offers exceptional privacy because, whenever you run a program in this OS, it places it in an isolated virtual environment, and once you close the program, no one will ever be able to find out the session data. You would want a system with at least 16 Gigs of RAM and a decent processor to make use of it easily.

This distro has been upheld by online privacy activists for many years. If you want absolute anonymity and if you want to keep your data to yourself whether offline or online, this is the OS you want.

The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks, with some added ones. You should limit the use of Sleep (stand-by) and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep.

This is because sleep will maintain power in your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory. If you want better security, you should shut down your laptop completely every time you leave it unattended or close the lid. However, this can be a bit inconvenient as you will have to reboot completely, type in a ton of passwords into various apps, and restart various VMs and other apps. So instead, you could also use hibernation (not supported on Qubes OS).

Since the whole disk is encrypted, hibernation in itself should not pose a large security risk but will still shut down your laptop and clear the memory while allowing you to conveniently resume your work afterward. What you should never do is use the standard sleep feature, which will keep your computer on and the memory powered. This is an attack vector for the evil-maid and cold-boot attacks discussed earlier. This is because your powered-on memory holds the encryption keys to your disk (encrypted or not) and could then be accessed by a skilled adversary.

This guide will provide guidance later on how to enable hibernation on various host OSes (except Qubes OS) if you do not want to shut down every time. As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your computer.

These mostly apply to encrypted file containers (with or without plausible deniability) rather than OS-wide encryption. Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use when mounting the USB key, it will open a decoy folder or the sensitive folder. In all cases, you will most likely open these folders with Windows Explorer, macOS Finder, or any other utility and do whatever you planned to do. Maybe you will edit a document within the sensitive folder.

Maybe you will search for a document within the folder. Maybe you will delete one or watch a sensitive video using VLC. Well, all those apps and your operating system might keep logs and traces of that usage: Windows Indexing keeping traces of the files present in your user folder by default; Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents; Gatekeeper and XProtect keeping track of your download history in a local database and file attributes.

Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).

Whether you are using simple encryption or plausible deniability encryption, and even if you covered your tracks on the computer itself, there is still a risk of online data leaks that could reveal the presence of hidden data. Telemetry is your enemy. As explained earlier in this guide, the telemetry of operating systems, but also of apps, can send staggering amounts of private information online. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal, no matter what OS you are using. You should never conduct sensitive activities from a non-encrypted system.

And even if it is encrypted, you should never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks. If you have little to no knowledge of Linux or if you want to use OS-wide plausible deniability, I recommend going for Windows or back to the Tails route for convenience. This guide will help you harden it as much as possible to prevent leaks. This guide will also help you harden macOS and Linux as much as possible to prevent similar leaks.

If you have no interest in OS-wide plausible deniability and want to learn to use Linux, I will strongly recommend going for Linux or the Qubes route if your hardware allows it.

In all cases, the host OS should never be used to conduct sensitive activities directly. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities. As mentioned earlier, I do not recommend using your daily laptop for sensitive activities.

Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS.

If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk. You should always remember that, despite the reputation, mainstream Linux distributions (Ubuntu for instance) are not necessarily better at security than other systems such as macOS and Windows. For other distros, you will have to research the steps yourself, but it will likely be similar. Encryption during install is just much easier in the context of this guide.

There are several ways to achieve plausible deniability on Linux. Here are some more details about some of the ways I would recommend. All these options require some higher level of skills at using Linux. This is not supported by Veracrypt (System encryption is only supported on Windows) and requires some tinkering with various commands.

This is not recommended at all for unskilled users and should only be used at your own risk. Any other distro: you will need to research and find out yourself how to disable telemetry, if there is any.

As explained previously, you should not use the sleep features but shut down or hibernate your laptop to mitigate some evil-maid and cold-boot attacks. Unfortunately, this feature is disabled by default on many Linux distros including Ubuntu.

It is possible to enable it, but it might not work as expected. Follow this information at your own risk. If you do not want to do this, you should never use the sleep function; power off instead, and set the lid closing behavior to power off instead of sleep. After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu. Unfortunately, this will not clean the key from memory directly when hibernating.

Any other distro: you will have to find the documentation yourself, but it should be quite similar to the Ubuntu tutorial. Due to Virtualbox not supporting this architecture yet. It could however be possible if you use commercial tools like VMWare or Parallels but those are not covered in this guide.

Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close the lid. You should always either hibernate or shut down. On macOS, the hibernate feature even has a special option to specifically clear the encryption key from memory when hibernating while you might have to wait for the memory to decay on other Operating Systems.

Once again, there are no easy options to do this within the settings, so instead we will have to do this by running a few commands to enable hibernation. Run: sudo pmset -a destroyfvkeyonstandby 1. Now when you close the lid of your MacBook, it should hibernate instead of sleep and mitigate attempts at performing cold-boot attacks. But you should read up on the actual issue before acting. Up to you really. I would block it because I do not want any telemetry at all from my OS to the mothership without my specific consent.

Be careful when enabling. Do not store the recovery key at Apple if prompted (this should not be an issue since you should be offline at this stage). You do not want a third party to have your recovery key. Unfortunately, macOS does not offer a native convenient way of randomizing your MAC Address and so you will have to do this manually. This will be reset at each reboot, and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fis.

Turn the Wi-Fi off: networksetup -setairportpower en0 off. Change the MAC Address: sudo ifconfig en0 ether. Turn the Wi-Fi back on: networksetup -setairportpower en0 on. You should follow Appendix A: Windows Installation. Veracrypt is the software I will recommend for full-disk encryption, file encryption, and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for: Full Disk encryption with plausible deniability (this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS).

File container simple encryption (it is a large file that you will be able to mount within Veracrypt as if it were an external drive to store encrypted files within). It is to my knowledge the only free, open-source, and openly audited encryption software (convenient and usable by anyone) that also provides plausible deniability for widespread use, and it works with Windows Home Edition.

After installation, please take a moment to review the following options that will help mitigate some attacks. This setting will also disable hibernation (which does not actively clear the key when hibernating) and instead encrypt the memory altogether to mitigate some cold-boot attacks.

This could help in case your system is seized while still on but locked. This will prevent Windows from writing some logs about your mounts in the Event logs and prevent some local data leaks. Be careful and have a good situational awareness if you sense something weird.

Shut your laptop down as fast as possible. If you do not want to use encrypted memory (because performance might be an issue), you should at least enable hibernation instead of sleep. This will not clear the keys from memory (you are still vulnerable to cold boot attacks) but at least should mitigate them if your memory has enough time to decay. For this case, I will recommend the use of BitLocker instead of Veracrypt for the full disk encryption.

The reasoning is that BitLocker does not offer a plausible deniability possibility contrary to Veracrypt. Normally, you should have installed Windows Pro in this case and the BitLocker setup is quite straightforward.

Only save the recovery key to an external encrypted drive. To bypass this, print the recovery key using the Microsoft Print to PDF printer and save the key within the Documents folder. Delete that file later. Encryption should now be started in the background (you can check by clicking the Bitlocker icon on the lower right side of the taskbar). Unfortunately, this is not enough. With this setup, your Bitlocker key can just be stored as-is in the TPM chip of your computer.

To mitigate this, we will have to enable a few more options as per the recommendations of Microsoft. Run manage-bde -protectors -delete c: (this will delete current protection: the recovery key we will not need). Again, as explained earlier. Instead, you should Shut down or hibernate.

You should therefore switch your laptop from sleeping to hibernating when closing the lid or when your laptop goes to sleep. Note that you cannot enable hibernation if you previously enabled RAM encryption within Veracrypt. The reason is that Hibernation will actually shut down your laptop completely and clean the memory. Sleep on the other hand will leave the memory powered on including your decryption key and could leave your laptop vulnerable to cold-boot attacks.

You could be compelled by an adversary to reveal your password and all your secrets and will have no plausible deniability. Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves. As you can see, Route C only offers two privacy advantages over the others, and it will only be of use against a soft lawful adversary.

Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches. Especially check this before applying large Windows updates that might break the Veracrypt bootloader and send you into a boot loop. So, make sure you check when doing the test boot what keyboard layout your BIOS is using. You do not have to have an HDD for this method, and you do not need to disable Trim on this route.

Trim leaks will only be of use to forensics in detecting the presence of a Hidden Volume but will not be of much use otherwise. This route is rather straightforward and will just encrypt your current Operating System in place without losing any data.

Be sure to read all the texts Veracrypt is showing you, so you have a full understanding of what is going on. Here are the steps. Enter a strong passphrase (the longer the better; remember Appendix A2: Guidelines for passwords and passphrases).

To rescue disk or not rescue disk, well, that is up to you. I recommend making one (just in case); just make sure to store it outside your encrypted drive (a USB key for instance), or wait and see the end of this guide for guidance on safe backups. This rescue disk will not store your passphrase and you will still need it to use it. If you have sensitive data on an SSD, Trim alone should take care of it, but I would recommend one pass of random data just to be sure.

Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward. After your computer has rebooted and the test has passed, you will be prompted by Veracrypt to start the encryption process. There will be another section on creating encrypted file containers with Plausible Deniability on Windows. This is only recommended on an HDD drive. This is not recommended on an SSD drive.

Therefore, this route will recommend and guide you through a full clean installation that will wipe everything on your laptop. As you can see, this process requires you to have two partitions on your hard drive from the start. Encrypt your second partition (the outer volume) that will look like an empty unformatted disk from the decoy OS. Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside.

This means that your current Windows 10 will become the hidden Windows 10 and that you will need to reinstall a fresh decoy Windows 10 OS. Also, as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable; you will then have to clean the drive and re-install everything).

But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead. Do not connect this OS to your known Wi-Fi.

You should download the Veracrypt installer from a different computer and copy the installer here using a USB key. Use a strong passphrase (remember Appendix A2: Guidelines for passwords and passphrases). At this stage, you should copy decoy data onto the outer volume, in case you need to reveal a password to this Volume. Remember you must leave enough space for the Hidden OS (which will be the same size as the first partition you created during installation).

Use a strong passphrase for the Hidden Volume (obviously a different one than the one for the Outer Volume). Veracrypt will now restart and clone the Windows where you started this process into the Hidden Volume. This Windows will become your Hidden OS. Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS (the one you installed previously with the USB key).

See Appendix A: Windows Installation and proceed with installing Windows 10 Home again (do not install a different version and stick with Home).

Pre-Test your setup. You are mounting it as read-only now because if you were to write data on it, you could overwrite content from your Hidden OS. Before going to the next step, you should learn the way to mount your Outer Volume safely for writing content on it. Basically, you are going to mount your Outer Volume while also providing the Hidden Volume passphrase within the Mount Options to protect the Hidden Volume from being overwritten. Veracrypt will then allow you to write data to the Outer Volume without risking overwriting any data on the Hidden Volume.

This operation will not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the discovery of the hidden OS. However, while you are performing this operation, both passwords will be stored in your RAM and therefore you could still be susceptible to a Cold-Boot Attack.

To mitigate this, be sure to have the option to encrypt your RAM too as instructed before. We must make the Decoy OS as plausible as possible. We also want your adversary to think you are not that smart. Therefore, it is important to voluntarily leave some forensic evidence of your Decoy Content within your Decoy OS.

This evidence will let forensic examiners see that you mounted your Outer Volume frequently to access its content.

Be sure to keep a history of those. Remember that you will need valid excuses for this plausible deniability scenario to work.

You are using Veracrypt because you are using Windows 10 Home which does not feature Bitlocker but still wanted Privacy. You have two Partitions because you wanted to separate the System and the Data for easy organization and because some Geek friend told you this was better for performance.

You have used a weak password for easy convenient booting on the System and a Strong long passphrase on the Outer Volume because you were too lazy to type a strong passphrase at each boot. You encrypted the second Partition with a different password than the System because you do not want anyone in your entourage to see your stuff. And so, you did not want that data available to anyone. If you did this, it would create forensics evidence of the Hidden Volume within the Decoy OS that could jeopardize your attempt at plausible deniability.

If you did this anyway intentionally or by mistake from the Decoy OS, there are ways to erase forensics evidence that will be explained later at the end of this guide. You should always mount it as read-only. The Hidden OS is only meant to protect you from a soft adversary that could gain access to your laptop and compel you to reveal your password.

Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your hidden OS. This step and the following steps should be done from within the Host OS. In this route, we will make extensive use of the free Oracle Virtualbox software. Even if your VM is compromised by malware, this malware should not be able to escape the VM and compromise your actual laptop.

It will allow us to force all the network traffic from your client VM to run through another Gateway VM that will direct (torify) all the traffic towards the Tor Network. Your VM will lose its network connectivity completely and go offline if the other VM loses its connection to the Tor Network.


