How to secure my laptop so that hacking by physical access is not possible?

My guess is that full disk encryption using a strong algorithm and, most importantly, a good password is the only thing that can secure your locally stored data. This gives you probably 99.99% security. Please refer to one of the many guides on how to do this.


Besides that, it is NOT possible to secure your machine from an experienced hacker with physical access.

  • User/account passwords:
    It's easy to create a new admin user if you boot into recovery mode, as you described yourself, because you get a root shell without being asked for passwords this way.
    That might look like an accidental security issue, but is intended for (who would have thought that?) recovery cases, where you e.g. lost your admin password or messed up the sudo command or other vital stuff.

  • root password:
    Ubuntu does not set a root user password by default. However, you can set one and will be asked for it if you boot in recovery mode. This seems pretty secure, but is still not an ultimately secure solution. You can still add the kernel parameter single init=/bin/bash through GRUB before booting Ubuntu, which starts it in single user mode - which is in fact a root shell without password too.

  • Securing the GRUB menu with a password:
    You can secure your GRUB menu entries to be only accessible after authentication, i.e. you can deny booting the recovery mode without a password. This also prevents manipulating the kernel parameters. For more information, see the Grub2/Passwords page on help.ubuntu.com. This can only be bypassed if you boot from an external medium or connect the HDD to another machine directly.

  • Disable booting from external media in BIOS:
    You can set the boot order and usually exclude devices from boot in many current BIOS/UEFI versions. Those settings are not secured though, as everybody can enter the setup menu. You have to set a password here too, but...

  • BIOS passwords:
    You can usually bypass BIOS passwords as well. There are several methods:

    • Reset CMOS memory (where BIOS settings are stored) by opening the computer case and physically removing the CMOS battery or temporarily setting a "Clear CMOS" jumper.
    • Reset BIOS settings with a service key combination. Most motherboard manufacturers describe key combinations in their service manuals to reset messed up BIOS settings to default values, including the password. An example would be to hold ScreenUp while turning on the power, which, if I remember right, unlocked an Acer motherboard with AMI BIOS once for me after I messed up my overclocking settings.
    • Last but not least, there is a set of default BIOS passwords that seem to always work, independent of the real set password. I did not test it, but this site offers a list of them, categorized by manufacturer.
      Thanks to Rinzwind for this information and link!
  • Lock the computer case/deny physical access to the motherboard and hard disk:
    Even if everything else fails, a data thief can still open your laptop/computer, take the HDD out and connect it to his own computer. Mounting it and accessing all unencrypted files is a piece of cake from there on. You have to put it into a securely locked case where you can be sure nobody is able to open the computer. This however is impossible for laptops and difficult for desktops. Maybe you can think of owning an action-film-like self-destructing device that blows up some explosives inside if somebody tries to open it? ;-) But make sure you'll never have to open it yourself for maintenance then!

  • Full disk encryption:
    I know I advised this method as secure, but it is also not 100% safe if you lose your laptop while it is on. There is a so-called "cold boot attack" that allows the attacker to read the encryption keys from your RAM after resetting the running machine. This unloads the system, but does not flush the RAM contents if the time without power is short enough.
    Thanks to kos for his comment about this attack!
    I'm also going to quote his second comment here:

    This is an old video, but explains the concept well: "Lest We Remember: Cold Boot Attacks on Encryption Keys" on YouTube; if you have a BIOS password set, the attacker can still remove the CMOS battery while the laptop is still on to enable the custom crafted drive to boot without losing any crucial second; this is scarier nowadays due to SSDs, as a custom crafted SSD will probably be capable of dumping even 8GB in less than 1 minute, considering a write speed of ~150MB/s

    Related, but still unanswered question on how to prevent Cold Boot Attacks: How do I enable Ubuntu (using full disk encryption) to call luksSuspend before sleeping/suspending to RAM?


To conclude: Currently nothing really protects your laptop from getting used by someone with physical access and malicious intent. You can only fully encrypt all your data if you're paranoid enough to risk losing everything by forgetting your password or a crash. So encryption makes backups even more important than they already are. However, they should then be encrypted too and located in a very safe place.
Or just don't give your laptop away and hope you'll never lose it. ;-)

If you care less about your data but more about your hardware, you might want to buy and install a GPS sender into your case though, but that is only for the real paranoid people or federal agents.


The most secure laptop is the one without any data on it. You could set up your own private cloud environment and then not store anything of importance locally.

Or take out the hard drive and melt it down with thermite. While this technically answers the question, it might not be the most practical since you won't be able to use your laptop anymore. But neither will those ever-nebulous hackers.

Barring those options, dual-encrypt the hard drive and require a USB thumbdrive to be plugged in to decrypt it. The USB thumbdrive contains one set of decryption keys and the BIOS contains the other set - password protected, of course. Combine that with an automatic data self-destruct routine if the USB thumbdrive is not plugged in during boot/resume from suspend. Carry the USB thumbdrive on your person at all times. This combination also happens to deal with XKCD #538.



Encrypt your disk. This way your system and your data will be safe in case your laptop is stolen. Otherwise:

  • BIOS password won't help: the thief can easily extract the disk from your computer and put it on another PC to boot from it.
  • Your user/root password won't help either: the thief can easily mount the disk as explained above and access all your data.

I would recommend having a LUKS partition in which you set up an LVM. You could leave your boot partition unencrypted so that you only need to enter your password once. This means your system could be more easily compromised if tampered with (stolen and given back to you without you even noticing), but this is a very rare case and, unless you think you are being followed by the NSA, a government or some kind of mafia, you should not be worried about this.

Your Ubuntu installer should give you the option of installing with LUKS+LVM in a very easy and automated way. I am not re-posting the details in here, as there is already plenty of documentation out there on the internet. :-)
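As an added example (not code from any of the answers above), this audit checks two of the defences discussed on this page: whether the first answer's GRUB password protection is actually in the generated grub.cfg (and which entries are still bootable without it), and whether the root filesystem of the LUKS+LVM layout from the last answer sits under a dm-crypt device while /boot stays unencrypted. The grub.cfg fragment and the `lsblk -J` output are constructed samples standing in for the real files; the user name, the hash placeholder and the device names are assumptions.

```python
import json
import re

# Constructed grub.cfg fragment (not from the page): a superuser is set and
# the normal entry is --unrestricted, so it boots without a password but
# editing its kernel parameters (e.g. adding init=/bin/bash) still needs one.
SAMPLE_GRUB_CFG = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple' {
    linux /vmlinuz root=/dev/mapper/vgubuntu-root ro quiet splash
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu $menuentry_id_option 'gnulinux-recovery' {
    linux /vmlinuz root=/dev/mapper/vgubuntu-root ro recovery nomodeset
}
"""

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not from the page):
# a LUKS container holding the LVM root, with a plain /boot partition beside it.
SAMPLE_LSBLK_JSON = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "sda2_crypt", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vgubuntu-root", "type": "lvm", "mountpoint": "/"}]}]}]}]})


def grub_password_status(cfg_text):
    """Return (superuser configured, [titles bootable without a password])."""
    superuser = bool(re.search(r"^\s*set superusers=", cfg_text, re.M)) \
        and "password_pbkdf2" in cfg_text
    unrestricted = re.findall(r"^\s*menuentry '([^']*)'[^\n]*--unrestricted", cfg_text, re.M)
    return superuser, unrestricted


def mount_is_encrypted(lsblk_json, mountpoint):
    """True if the device mounted at `mountpoint` lies below a dm-crypt node."""
    def walk(nodes, under_crypt):
        for node in nodes:
            crypt = under_crypt or node.get("type") == "crypt"
            if node.get("mountpoint") == mountpoint:
                return crypt          # found it: report whether a crypt node is above
            found = walk(node.get("children", []), crypt)
            if found is not None:
                return found
        return None                   # mountpoint not in this subtree
    return bool(walk(json.loads(lsblk_json)["blockdevices"], False))
```

On a real machine, feed it the contents of /boot/grub/grub.cfg and the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`; an unencrypted /boot is expected with this layout, which is exactly the tampering window the last answer describes.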