INSECA is a set of tools to build and manage very secure live Linux based endpoint systems.
It builds on top of Debian's livebuild technology and adds many security oriented features to ensure a high level of security while keeping the overall usage as simple as any system.
Main features of the resulting systems include:
- possibility to be installed on any mass storage device (which will be made bootable), internal PC hard disk or VM's disk
- all non yet public data (i.e. what is not already present on the Internet) is encrypted, data is most of the time digitally signed as well
- encrypted partitions dedicated to store system and end-user data, which access is only possible after the end user authenticated and if the device has not been altered
- and more
For more infos, refer the documentation in the doc/ directory.
INSECA operates from several configuration files, all grouped in one single global configuration directory, pointed by the $INSECA_ROOT environment variable or using the --root command line argument of the inseca tool.
These configuration files define sets of objects which main ones are:
- build configurations describing the contents of a live Linux to be built, ranging from packages, configuration scripts and the like to cryptographic keys used to protect data;
- install configurations describing how a live Linux build will be installed (cryptographic keys and secrets and various other parameters)
- domain configurations listing a coherent set of install configurations all bubdled in a domain which can be seen as a business need
The global settings are described in the $INSECA_ROOT/inseca.json file.
WARNING This program is useable but still rough, at least regarding areas such as:
- language: most is in English, with some strings still in French (gettext has started to be used)
- the documentation, which is only on French
- error reporting, especially in the configuration files handling where one is prone to make mistakes
- installation: there is no installation procedure, just download and run
- some components are not yet complete, some features don't yet work as expected
- expect some bugs
What follows should work out of the box on any Linux distribution but has only been tested using Debian and Fedora. YMMV.
-
install the dependencies :
- rclone: https://rclone.org/downloads/
- borgbackup: https://www.borgbackup.org/
- python3 and python3-pacparser (python 3 with the pacparser)
- git: https://git-scm.com/
- dbus
- make
- requests (already included with Python3)
- sqlite3 modules (already included with Python3)
- libgtk-3-dev (GTK3 libraries)
- the Docker engine : https://docs.docker.com/engine/install/
-
download INSECA in dedicated directory (refered to as
$SRCDIRafterwards) -
create the required Docker images: run
makefrom the$SRCDIR/docker-images/grub-bios/and the$SRCDIR/docker-images/livebuild/directories -
download VeraCrypt as a DEB file from https://www.veracrypt.fr/en/Downloads.html in the
$SRCDIR/components/veracrypt/packages.deb/directory
One the installation is finished, check that the $SRCDIR/inseca program can be run: inseca -h should display the help.
- download INSECA in dedicated directory (refered to as
$SRCDIRafterwards) - run the
setup-debian.shorsetup-fedora.shfrom the$SRCDIRdirectory
To create a global configuration:
- set the local environment variables:
cd $SRCDIR/tools && source ./set-env.sh(where SRCDIR points to the directory where inseca has been installed) if you are using bash - create a dedicated directory and define the
$INSECA_ROOTenvironment variable to point to it - initialize the configuration's structure, run:
inseca init - create a default build configuration:
inseca config-create build "My first INSECA build" - build the associated live Linux:
inseca build "My first INSECA build"
These steps, if sucessfull, ensure that INSECA is operational, from that point, refer to the documentation and build your own ecosystem.