With a single ext3 formatted usb stick partition, along with grub4dos installed onto that, and a menu.lst of
Code: Select all
title Fatdog USB Multi-session
root (hd0,0)
kernel /vmlinuz savefile=direct:multi:sda1::
initrd /initrd
Note no rootfstype=ramfs kernel boot parameter ... so the above is using tmpfs - which includes support for using swap as part of tmpfs (that does however mean that is smaller ram systems Fatdog might not boot (I'd guess if less than 2GB of available RAM)).
I've also set up a HDD linux-swap partition, 16GB on the second partition (first partition is used for storing data). And at the end of /etc/rc.d/rc.local I've added
Code: Select all
# Need to be careful as sda,sdb etc are somewhat dynamic, so here
# we check that our intended sdb2 swap partition is actually present
# as sdb2
CHK=`sfdisk -l /dev/sdb | grep swap | grep sdb2`
if [ ! -z "$CHK" ]; then
# Create the encrypted swap /dev/mapper ...
cryptsetup open --type plain --key-file /dev/urandom /dev/sdb2 cswap
mkswap /dev/mapper/cswap
swapon /dev/mapper/cswap
# My swap partition is 16GB, so I resize pup_save and tmp to match that
mount -o remount,size=16G /aufs/pup_save
mount -o remount,size=16G /tmp
fi
In Event Manager I've set the save duration to 0 (zero), which means once the laptop has booted I can pull out the usb and all system and saves are stored in ram (only need to reattach the usb if a save is being made).
On my first HDD partition that I use for storing data, I created a top level folder and used Fatdog's rox right click Encrypt Folder option to secure that. So all data/files stored within that are secure in the event of the laptop being lost/stolen.
That's all working incredibly well. Boot, pull USB and all runs in ram, with data safe in a encrypted HDD folder. As a test for the encrypted swap I created a 14GB file in /root (dd if=/dev/zero of=bigfile bs=1G count=14) and not only did that run through relatively quickly (being run in 'ram'), but the system continued running reasonably well (did slow some due to using swap, but comfortably/usable slowed, not impatiently/crippled slowed).
So we ...
1. Boot using usb stick, that also contains our 'saves' and where the usb is removed after bootup, so there's no way for a cracker to crack a running system and modify any of the boot, system or save files.
2. We only save dot (configuration changes), and only after booting a 'clean' version, making the changes and creating a 'save' of those changes. Otherwise we just boot, use, shutdown without saving. That way we keep a 'clean' system that is booted each/every time.
3. If the usb is lost/stolen, it only contains openly available stuff anyway. Fatdog system files, plus our save files that just contain configuration changes (dot files).
4. Our data is stored on HDD, under a encrypted folder. So if the laptop is stolen that data is within a encrypted folder (secure - excluding if the encryption is broken/cracked).
If the usb and/or laptop is stolen, we're still relatively secure.
Whilst online, if a session is cracked, then that cracker cannot modify any of the boot, OS, configuration files, as they're on usb - that is physically disconnected. They could destroy our data folder/content, so its important to maintain disconnected backups of that. For online banking we can boot a clean session, go directly to our banks web site, nowhere else before or after, and reboot again afterwards. Even with outdated software (browser etc.) that is pretty safe/secure.
Yes a single session could have userid/passwords used for sites revealed via a crack. But that's comparable if not lower risk than a site having all of its userids/passwords (and other) data cracked/stolen. Where that is low risk site stuff however, not our banking userid/password, then that's a commonly accepted risk factor.
Whilst all being relatively simple to setup and use. Fatdog is great in the respect it comes ready out of the box and typically works very well 'as-is'. All pre-setup as a desktop system for the things most people do/use without having to learn the in depth things required to otherwise install/configure programs.