Morning Musings

I'm not ready to wake up yet...

Temporary Security Mirror


Sometimes you need to perform a task in a secure way that leaves no trace on your computer. The traditional way of accomplishing this is to boot from a live CD like Tails. The problem with this is that you might need the software, drivers, or setup you have on your main operating system to accomplish the task. An example of this might be creating a Bitcoin Paper Wallet with a proprietary printer; it might be too difficult to set up the printer on a live CD for a one-off task.

Below is a script that helps in these specialized cases. It creates a secure mirror of your system that never touches the disk; anything you do is wiped away on shutdown. Best part is, you can use this from an already running system.

This script will:

  • Disable swap
  • Do a read only bind mount of root
  • Apply a tmpfs aufs layer over the read only root view
  • Start an X server and chroot into the root view

The end result is a temporary secure mirror of your running system.
You need the following installed for this to work:

  • aufs-tools
  • Xephyr
  • fluxbox

Simply run tsm.sh and you will get a window of your running system, where anything you do is forgotten when closed. You will have access to all your files and devices. For more security, close any applications and disconnect your internet before running this script. When finished, close the window and restart your computer.

(tsm.sh)
#!/bin/bash

# tsm.sh
# Copyright (C) 2015 Joe Ruether jrruethe@gmail.com
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Stop on any error
set -e

# Declare an array of tasks to perform on exit
declare -a on_exit_items

# This function is run on exit
function on_exit()
{
    for i in "${on_exit_items[@]}"
    do
        eval "$i"
    done
}

# Add to the list of tasks to run on exit
function add_on_exit_reverse()
{
    # Count the tasks already registered, so the trap is installed only once
    local n=${#on_exit_items[@]}
    on_exit_items=("$*" "${on_exit_items[@]}")
    if [[ $n -eq 0 ]]; then
        trap on_exit EXIT
    fi
}

# Check to make sure we are running as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# Define variables
insecure_root=insecure_root
tmpfs_redirect=tmpfs_redirect
secure_root=secure_root

# Disable Swap
swapoff -a

# Create the mount points
mkdir -p $insecure_root
mkdir -p $tmpfs_redirect
mkdir -p $secure_root

# Clean up the mount points
add_on_exit_reverse rmdir $insecure_root
add_on_exit_reverse rmdir $tmpfs_redirect
add_on_exit_reverse rmdir $secure_root

# Bind mount the root directory
mount --bind / $insecure_root
# Quote the whole command so the lazy-unmount fallback is registered and runs at exit
add_on_exit_reverse "umount $insecure_root || umount -lf $insecure_root"

# Remount the root directory as read only
mount -o remount,ro,bind $insecure_root

# Create a tmpfs filesystem
mount -t tmpfs tmpfs $tmpfs_redirect
add_on_exit_reverse "umount $tmpfs_redirect || umount -lf $tmpfs_redirect"

# Aufs mount to redirect all 
mount -t aufs -o br=$tmpfs_redirect=rw:$insecure_root=ro none $secure_root
add_on_exit_reverse "umount $secure_root || umount -lf $secure_root"

# Mount the necessary filesystems in the chroot
mount --bind /dev $secure_root/dev
mount -t proc none $secure_root/proc
mount -t sysfs none $secure_root/sys
mount -t devpts none $secure_root/dev/pts

add_on_exit_reverse "umount $secure_root/dev || umount -lf $secure_root/dev"
add_on_exit_reverse "umount $secure_root/proc || umount -lf $secure_root/proc"
add_on_exit_reverse "umount $secure_root/sys || umount -lf $secure_root/sys"
add_on_exit_reverse "umount $secure_root/dev/pts || umount -lf $secure_root/dev/pts"

# Everything is set up, enter the chroot
set +e

# Start the nested X server
Xephyr -screen 1024x768 -name "Temporary Security Mirror" -title "Temporary Security Mirror" :1 &

# Wait for the X server to start
sleep 5

# Chroot in and startx
chroot $secure_root env DISPLAY=localhost:1 /usr/bin/fluxbox

# Wait for things to settle down
sleep 5
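
The checks below are an added example, not part of the original tsm.sh. Run from a second root terminal once the window is up, they confirm that swap is off, insecure_root is mounted read-only, tmpfs_redirect is a tmpfs, and secure_root is an aufs mount. The function names are this example's own; the mount point names come from the script.

```bash
# Added example, not part of tsm.sh. Function names are this example's own.
# Assumes mount point paths contain no spaces (/proc/mounts escapes them).

# Succeeds if a swap area is active. $1: file in /proc/swaps format
# (one header line, then one line per active swap area).
swap_active()
{
    awk 'NR > 1 && NF > 0 { n++ } END { exit (n > 0 ? 0 : 1) }' "$1"
}

# Print field $3 (3 = fstype, 4 = options) of the topmost mount on $2.
# $1: file in /proc/mounts format, where later lines shadow earlier ones.
mount_field()
{
    awk -v mp="$2" -v f="$3" '$2 == mp { v = $f } END { print v }' "$1"
}

# Succeeds if the comma-separated option list $1 contains exactly option $2,
# so "errors=remount-ro" is not mistaken for "ro".
has_opt()
{
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_mirror SWAPS MOUNTS BASE
# BASE is the absolute directory tsm.sh was started from. Prints one line
# per problem and returns the number of problems (0 = layout as intended).
check_mirror()
{
    problems=0
    if swap_active "$1"; then
        echo "swap is still active"; problems=$((problems + 1))
    fi
    if ! has_opt "$(mount_field "$2" "$3/insecure_root" 4)" ro; then
        echo "insecure_root is not mounted read-only"; problems=$((problems + 1))
    fi
    if [ "$(mount_field "$2" "$3/tmpfs_redirect" 3)" != tmpfs ]; then
        echo "tmpfs_redirect is not a tmpfs mount"; problems=$((problems + 1))
    fi
    if [ "$(mount_field "$2" "$3/secure_root" 3)" != aufs ]; then
        echo "secure_root is not an aufs mount"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Live use, as root, from the directory tsm.sh was started in:
#   check_mirror /proc/swaps /proc/mounts "$PWD" && echo "mirror layout OK"
```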
