A Penguin tries out Secure-K OS

A Penguin tries out Secure-K OS on his macbook pro hardware for a (rainy) weekend as his only operating system.

Secure-K OS

As the name suggests (Secure Key), Secure-K OS is a live operating system, based on Debian 9 Stretch, meant to be run from any USB key and “developed with security in mind”, according to its developers, Mon-K Data Protection.

A couple of “hardware versions” of the operating system are being sold on the project website, which means that one can buy Secure-K OS already deployed into a hardware-encrypted USB key with a pin-pad. It feels geeky.

Because I cannot download that piece of hardware via my network (I guess you cannot as well), what I have actually downloaded is the system image file of Secure-K OS Lite, then written into a USB stick of mine.

 

Installation

Writing the image into my USB key was trivial, I simply did:

dd if=/path/to/secure-k.img of=/dev/sdx

as root, where of course sdx is the unix device file corresponding to my key (I just used fdisk -l to find it out after having inserted my USB key into the notebook).

I also wrote the image within a Windows 10 environment by using Win32DiskImager and succeded. It is not rare that the latest builds of Windows 10 (since Creators Update) give write errors when dealing with (already multi-partitioned) USB keys. It’s just Windows: retry until success.

So the “installation” phase completed fast.


Structure

Before deepening how the operating system works and my experience with it, I’m talking about its structure, which really astonishes me.

A common live operating system is made up of one partition, containing the kernel, the initrd, the compressed filesystem.squashfs image and the second stage bootloader, usually isolinux (boot sector code is contained in the MBR). If you need a live OS which does persistence, you will find a second partition, usually an EXT4 one.

Secure-K OS image contains five partitions; they can assure a “live” experience with encrypted data persistence, plus a native UEFI/Secure Boot compatibility and a partition dedicated to the update of the kernel. As far as I know, it’s the first live operating system which features a complete system and kernel update! Consider also that kernel partition is ISO9660 formatted, so during the update a re-write of this partition is performed.

Besides the two ISO9660 partitions (system and kernel), data persistence partition is an EXT4 with LUKS, while UEFI Secure Boot complatibility is assured by a FAT partition (most lives do not have proper U/EFI compatibility – and for sure no Secure Boot compliance). And the fifth? Well, it’s actually positioned at the beginning of the key’s space and it can be used as a clean, unencrypted, “data swap” partition between different operating systems.

Partitioning scheme is assured by a GPT with a protected MBR following.

At the end of the day, Secure-K OS is a live operating system which saves my data encrypted on the key and it is capable of a system and kernel update, plus system reset to initial settings and system backup and restore. Smart.

 

Security

What’s the actual security level of my data? Well, the LUKS partition makes use of a 512bit AES encryption, which is really safe, but the Lite build has got some critical limitations, obviated in the full Personal version, according to Mon-K:

(1) Filesystem encryption key defined by the user upon the first boot (key is static in Lite version, hence data protection is very low).
(2) System boot self-check/tampering detection (no boot-check in the Lite version, crackers could modify system files if they phisically manage to own your USB key).

If the aforementioned limitation (point 1) can be acceptable when Secure-K OS runs within a hardware-encrypted USB key, otherwise my data are not safe if the unlock key of the LUKS partition isn’t under my control… and this is why I have already bought copy a of Secure-K OS Personal (software), the full operating system.

In the full version of the operating system, a self-checking kernel component is also available, which is responsible of verifying that system files have not been tampered, preventing the virtualization of the image, the use of the init= kernel boot parameter, and so on.

I’m going to document how it’s done in a future article, so just stay tuned and please subscribe to my delicious RSS feed.

 

First ever run

On my macbook (second to last version), booting my USB device by pressing and keeping hold the Alt key was straightforward and all the hardware, except for the webcam, was recognized with ease. Actually, the kernel module for my webcam is loaded but I guess Secure-K OS lacks the (proprietary) firmware, exactly like my Debian OS installed on the bare metal – maybe I didn’t tell you: my macbook is debianized as well as me. It’s a “OS X outside” sort of computer.

Live operating systems use to have the “live” user already created, while Secure-K OS pops up the new GNOME Initial Setup interface in order to create one, together with language, keyboard and time zone. I think the new GNOME Initial Setup is the right way to first-boot an operating system, live or “traditional”.

Secure-K OS desktop

 

A first thought

Secure-K OS is a Linux-based live operating system on-steroids with the GNOME desktop environment, and I’m a debianized GNOME-addicted Penguin: today I cannot be happier.
I also appreciate how a kernel update can improve the overall security of a live system (specially while connected to the Internet) in the long run.

Secure-K OS will be really useful for me: now I can move my porn images from my PC and safely use them work with my favourite programming IDE and bring my code with me when I travel.

You can download the image of Secure-K OS Lite 18.5 from the project’s website. It’s an .img file containing all the aforementioned partitions.