Hardening Linux desktop machine against people from my household

  1. Use a strong and difficult password for the root user. Secondly, always log in and work from another user with no administrative rights (and also a strong password).

  2. Enable the BIOS password option. Every time you power on your computer, the BIOS itself will ask you for a password before even booting. It will also prevent everyone from applying changes to the BIOS setup.

  3. Encrypt every partition of your hard drive (check cryptsetup for Debian - if it can't encrypt your Windows partition, too, use TrueCrypt (from Windows for your Windows))

  4. Watch out for external hardware devices connected to your PC (like USB sticks or hubs) that you haven't used before. Someone might have plugged in a keylogger or something.

  5. Always lock or power off the machine when you are away.

  6. Software hardening:

    Install gufw (GUI for the iptables firewall which is pre-installed) and block incoming traffic. Also install rkhunter and check your system for known rootkits and other threats from time to time.

That's all I can think of right now. If you have any questions feel free to comment below.
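Added example, not part of the answer above: one way to act on point 4 is to save `lsusb` output from a known-good state and later list any device whose vendor:product ID is not in that baseline. The function names and sample lines are constructed for illustration, and a device that does not enumerate on the USB bus will not show up.

```shell
#!/usr/bin/env bash
# Compare current USB devices against a saved baseline (lsusb format):
#   Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120
# Bus/Device numbers change on every replug, so only the ID is compared.

# Read lsusb lines on stdin, print "vendor:product description", sorted, unique.
usb_ids() {
    sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-f]\{4\}:[0-9a-f]\{4\}\) *\(.*\)$/\1 \2/p' | sort -u
}

# new_usb_devices BASELINE_FILE CURRENT_FILE
# Print devices in CURRENT whose vendor:product ID is absent from BASELINE.
new_usb_devices() {
    baseline_ids=$(usb_ids < "$1" | cut -d' ' -f1)
    usb_ids < "$2" | while read -r id desc; do
        if ! printf '%s\n' "$baseline_ids" | grep -qxF "$id"; then
            printf '%s %s\n' "$id" "$desc"
        fi
    done
}

# Constructed sample input: known-good state.
sample_baseline() {
    cat <<'EOF'
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120
EOF
}

# Constructed sample input: same machine later, one extra device
# (abcd:1234 is a made-up placeholder ID) and a renumbered keyboard.
sample_current() {
    cat <<'EOF'
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 007: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 008: ID abcd:1234 Example HID Device
EOF
}

# Real use (paths are examples):
#   lsusb > "$HOME/usb-baseline.txt"          # once, from a trusted state
#   lsusb > /tmp/usb-now.txt
#   new_usb_devices "$HOME/usb-baseline.txt" /tmp/usb-now.txt
```

An ID match only says the device reports the same vendor and product as one seen before, so a second device of an already-known model is not flagged.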


I hate to be this guy, but

Law 3:

If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

You are asking how to best lock a plywood door. People are giving you very good suggestions for locks, but none of them matter since your system is physically vulnerable and your attackers are competent. They will just use an axe (or in your case, a screwdriver).


Depending on the performance you require and money you are willing to expend, a removable "Live USB" or completely bootable normal system on a USB "hard drive" (a small SSD would work great) might be an ideal solution considering your "unique" constraints of needing high security against local attackers. It would allow you to just leave the compromised Windows system in place, and create a Linux system on a removable device that you can keep with your person. For lowest cost you can use a very cheap thumbdrive. Spend a little more on a fast thumbdrive or a more robust USB SSD and you can achieve reasonable performance for most applications. Encrypting it is a good idea in case you are separated from it, but given that it's always with you and it constitutes the entire OS it is safe from local attacks.