Sunday, October 27, 2019

How to create a cheap secure air-gap PC (2019 edition)

Rev 11/8/19 (see notes)

(For the latest revision of this article, go to toggwu.blogspot.com.)


When it comes to isolating data from the internet, I don't trust software, except AES-grade encryption software (and only then if its checksum matches its reference value, and the reference has been thoroughly authenticated). Instead, I rely on electromagnetic isolation, which I obtain by using a pseudo air-gap PC in the form of a cheap mini-PC with no wired internet connection, no wireless capability (including in peripherals such as keyboards), and no internal storage (or with its internal storage disabled by turning off the SATA controller in the PC's BIOS settings menu). Any wireless capability must be eliminated to prevent it from being surreptitiously activated in wi-fi burst mode (look it up), which cannot be detected without specialized equipment. I use a KVM switch to share the keyboard and monitor with my other PCs. (Currently, I use an Iogear 4-port VGA KVM switch, but the $90 CKLau 4Kx2K Ultra HD 4-port HDMI KVM switch looks like a good one, partly because it has a wired remote rather than a wireless one, which seems like a security risk.) For the OS, I use an encrypted flash-drive installation of Ubuntu or one of its derivatives, and I conceal it when not in use, partly to prevent it from simply being taken.

Truly secure communications

One reason for having such a secure installation is to compose and encrypt messages to be sent over the internet, and to decrypt and read encrypted messages received via the internet. So-called secure messaging apps might be secure, but there's no way for the average person to be certain, and the underlying OS might not be secure either, so it's best to err on the side of caution. Using one PC for accessing the internet (which I just assume is used for spying on us) and another PC, completely isolated from the internet, for everything else eliminates the need to be constantly concerned about OS security vulnerabilities, which it seems are always being discovered, perhaps long after hackers have known about them and exploited them, perhaps to access messages in their unencrypted state (known as "plaintext"). By using a PC which is electromagnetically isolated from the internet, hackers are definitely unable to access your data, and you don't need to be a security expert to be certain: you just have to know that there is no physical connection to the internet, no wireless circuitry, and no way for the PC to store data which could be uploaded to the internet if and when an internet connection ever becomes available. There are claims that Big Brother can spy on us via the power line, but this is a fairy tale concocted by hackers to scare us away from using air-gap PCs. For details, see my posting on AnAptOfflineBlog.blogspot.com on this subject.

If you don't need to communicate securely with many people, you could use Ccrypt, a symmetric system that uses the same password for encryption and decryption. The alternative is a public-private key system, which is much more complex: the private key must be kept secret, and the public key must be registered in a highly secure manner. Those who use such systems usually do so as part of an organization with a system administrator who handles the details and trains the users.

To send passwords to use with Ccrypt, I'd put them on an encrypted drive with a long, unique serial number (such as a Kingston DataTraveler formatted with the Linux encryption format known as LUKS), get the serial number of the drive using the Disks program and store it securely, send the drive to the correspondent, and call them (preferably via video call, to ensure that you're talking with the right person) to confirm that they got the flash drive you sent, and if so, to give them the password. It's extremely unlikely, if not impossible, for two or more drives with long serial numbers to have the same serial number, but if the serial number checks out and the password won't open the drive, you should assume that someone else has the passwords at that point, and start over.

If you're using a DataTraveler, you could attach a Master Lock Speed Dial to the drive, which would provide another layer of authentication before you give out the password, since the Speed Dial lock is resettable and uncrackable. When setting the combination, make a video with a camera which has no wireless, to ensure that you can unlock the lock if you accidentally enter the wrong combination when setting it, which is easy to do with the Speed Dial. When done with the video, erase it. Also close the lock firmly, and then try hard to pull it open, to ensure that it's really locked, because if you just "click" it closed, it might seem to be locked without really being locked. Some of the locks just don't work right, or stop working after the combination is changed, so keep extras on hand. Those are the main problems with the Speed Dial lock. It's not perfect, but it's the only lock I trust.

If you use a Speed Dial lock and its combination checks out, the drive's serial number checks out, and the password works, you can assume that nobody has intercepted the passwords. The passwords should be transferred to secure storage and deleted from the flash drive used for sending them (or the recipient should change its password). Then you could use any of the passwords in the list and indicate which one was used by its position in the list.

With such security, the correspondent and their system become the weak link, so there's really not much use in having such high security unless the correspondent has a vested interest in maintaining it. As a rule, just don't let anyone know about your plans, including your shopping list, unless it's absolutely necessary, because Big Brother is watching, and he's always looking for ways to use information about us to make us suffer. (1984 indicates that making someone suffer is a means of confirming one's power over them, although this is actually intended as a motive for inflicting suffering, which is intended to drive our consciousness-evolution. A certain amount of suffering is beneficial. However, this subject is very deep and mysterious, and I am not qualified to be more specific.)

Live installations: more secure, but less convenient

If you want even better security, use a so-called "live" installation, which "forgets" everything upon shutdown. The disadvantage of live installations is that it's not feasible to customize them to precisely suit your needs in every detail, making it necessary to use multiple installations to obtain all of the desired apps (or to do without some apps), or to change settings each time they're booted. There are so-called persistent live flash-drive installations which retain data and settings, but as far as I know no expert recommends using such installations any more, and there are very few usb-installers which can create persistent installations (Startup Disk Creator once had this capability, but it was dropped in about 2015).

It is feasible to delete all traces of data from full installations, or at least I'm fairly certain that it is, so that even if Big Brother can find the installation, and there's a back door, there would be nothing behind it. (Data would be stored on encrypted partitions on data drives, which would be formatted with the Disks utility. The NSA reportedly doesn't even try to crack the Linux encryption system, known as Linux Unified Key System, or LUKS, but instead tries to get the passwords. So, store your passwords on encrypted drives, and in your own memory.)

Potential problems with Xubuntu with KVM's

As much as I like Xubuntu, it has problems that make it unsuitable for use with some KVM switches, at least up through version 18.10. Otherwise, it's hard to go wrong with any type of Ubuntu, although I prefer Ubuntu Mate because its interface/desktop is intuitive, and it includes almost everything I need in a secure installation.

Recommended type of mini-PC

As of this writing, Ryzen-based mini-PCs are just becoming available, so there's not a great selection and they're a bit pricey. But eventually there will be a good selection, the prices will come down, and they'll be the logical choice for a powerful, energy-efficient mini-PC. If you're in a hurry, you could either shell out whatever it costs to get a Ryzen-based unit, or get by with a cheap mini-PC until Ryzen-based units are affordable. I'm satisfied with my basic Zbox BI320-U (or B1320-U) the vast majority of the time, but I'd obviously prefer the latest technology if it didn't cost much more. One of the more important reasons for choosing an AMD-based PC is that AMD processors generally don't include built-in wireless circuitry. Instead, the wireless circuitry is typically placed on a small circuit board, which must be removed to ensure that it cannot be surreptitiously activated in burst mode, which cannot be detected without special equipment. (To disconnect the tiny RF connectors, pull straight up on them using a pair of long-nosed pliers. Once loose, I'd cover them with tape to prevent them from shorting something to ground, since their exposed metal portion is connected to ground.)

To ensure that nobody can tamper with the PC and compromise its security, it could be stored in a lockbox, drawer, file cabinet, etc., locked with a Speed Dial lock (mentioned previously). The motherboards of desktop PCs have case-intrusion detection systems which would serve the same purpose. Edward Snowden created an app which allows some or perhaps all Android devices to detect any movement, allowing them to act as tampering detectors, assuming that they wouldn't be moved otherwise.

Recommended Linux sources

Shop Linux Online is my most trusted source for copies of Linux, although I've had good luck with a couple of sources on Ebay. I've given up on downloading Linux, or ordering it from OSDisc.com, since I've gotten little from these sources but copies with dirty tricks, such as ones that permanently lock encrypted flash drives when the password is entered, after allowing a few weeks to store data on them. Because I back up my data religiously, this trick never did anything more to me than cause inconvenience. One of the worst tricks was one in a text editor, which would insert cut and deleted text into random locations off-screen. So, if you're unsure of a new copy of Linux, I'd make a backup copy of any long text files before editing them, and search for any cut or deleted text to see if it has been inserted in some random location.

Linux provided in two main forms

Linux is made available in the form of an "image," either on a "live" DVD or in a secure archive file known as an "ISO" (an .iso file, also known as an "image file") which cannot be altered without leaving evidence. PCs can be booted directly from live DVDs by putting the DVD in the drive, booting the PC, and responding to the prompts. Unfortunately, this takes a long time, so live flash-drive installations are preferable.
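The "evidence" that an image has been altered is a checksum mismatch, which is the check the first paragraph asks for before trusting any software. As an added example (not from the original post), here is a shell script that compares an ISO's SHA-256 against the entry for it in a SHA256SUMS file. It assumes the usual "<hash> *<filename>" layout of that file and that you have authenticated the file separately (for example by checking its signature); the file names in the demonstration are constructed.

```shell
#!/bin/sh
# Verify a downloaded ISO against its SHA256SUMS file before writing it to a flash drive.
# Assumptions: coreutils sha256sum and awk are present; the SHA256SUMS file has already been
# authenticated out of band (this script only proves the ISO matches that file).

# expected_hash SUMS_FILE ISO_NAME: print the hash recorded for ISO_NAME, or nothing
expected_hash() {
    sums="$1"; name="$2"
    # strip the optional binary-mode '*' marker and require an exact filename match
    awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums"
}

# actual_hash FILE: print the SHA-256 of FILE
actual_hash() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_iso ISO SUMS_FILE: 0 when the hashes match, 1 on mismatch, 2 if there is no entry
verify_iso() {
    iso="$1"; sums="$2"
    want=$(expected_hash "$sums" "$(basename "$iso")")
    [ -n "$want" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 2; }
    have=$(actual_hash "$iso")
    if [ "$have" = "$want" ]; then
        echo "OK: $iso matches $sums"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $want" >&2
    echo "  got      $have" >&2
    return 1
}

# Constructed demonstration: a stand-in "ISO", a SHA256SUMS file built from it, and then a
# tampered copy (one byte appended) that must fail the check. Returns 0 if both behave.
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is ubuntu-mate.iso\n' > "$dir/ubuntu-mate.iso"
    printf '%s *ubuntu-mate.iso\n' "$(actual_hash "$dir/ubuntu-mate.iso")" > "$dir/SHA256SUMS"
    verify_iso "$dir/ubuntu-mate.iso" "$dir/SHA256SUMS" && good=1 || good=0
    printf 'x' >> "$dir/ubuntu-mate.iso"                # simulate a modified image
    verify_iso "$dir/ubuntu-mate.iso" "$dir/SHA256SUMS" && bad=0 || bad=1
    rm -rf "$dir"
    [ "$good" -eq 1 ] && [ "$bad" -eq 1 ]
}

# Usage: ./verify_iso.sh <image.iso> <SHA256SUMS>   (with no arguments, runs the demonstration)
if [ $# -eq 2 ]; then verify_iso "$1" "$2"; else demo; fi
```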

Creating ISO's from live DVD's

ISOs, which are required for creating live flash-drive installations, can be created from live DVDs by using various "burner" programs, such as CDBurnerXP in Windows, which was a free download the last time I checked. There are various burner programs in Linux which can be used for this purpose, such as Brasero and K3b.

Creating live flash-drive installations

Creating a live flash-drive installation is a matter of installing the image from an ISO or DVD onto a flash drive by means of a "usb-installer" program. (There was a time when you could boot from a DVD and create a flash-drive installation from the same DVD, but this capability is apparently history, although you could try it by booting from a DVD, which takes a long time, and using the program known as Startup Disk Creator, or some variation on this name.) I recommend Rufus, a usb-installer that runs on Windows, and Etcher, a usb-installer that runs on Linux (both are free downloads). I've tried to run Etcher on live installations, but it apparently has to be run on full installations. I run it on my desktop PC, which has a relatively powerful processor, an SSD, and a large HDD, and haven't had any problems with it there.

Creating full installations

To create a "full" installation on an SSD, HDD, or a USB 3.0 flash drive, you would boot a live installation (select the install option when booting), and use it to create the full installation. (When creating a full installation on a flash drive, use the PC where the full installation will be used.) I've found that to create a full installation on a flash drive, it's best to use a flash drive with a really fast write speed (although I don't understand why), which seems to require using one with a lot of storage. For example, a 60 GB Sandisk FIT works well for Ubuntu Mate 18.04 (the resulting performance is good), but a 15 GB Sandisk FIT doesn't work very well. Before creating the installation (instead of selecting the erase option during installation), I usually erase the flash drive for security by using the Disks program to format it the slow way, which can take hours. Disks is included by default on Ubuntu and Ubuntu Mate, but not on Xubuntu or Kubuntu, the last time I checked. It can be installed under the name gnome-disk-utility. (Gparted, another disk utility, doesn't have the ability to create encrypted partitions, or at least it didn't the last time I checked.)

When creating the full installation, be certain to select the option to install 3rd-party software, if you'll want to use a USB modem to temporarily connect the installation to the internet to set it up (which you would do before using the installation to access any sensitive data). I use a Panda PAU05 (I boot the PC, turn on the wi-fi hotspot and wait for it to make a connection to the 4G base-station, and then plug the modem into the PC). You can also use a wi-fi bridge (avoid cheapies, which in my experience fail after a year or so), which connects to the ethernet port and eliminates the need for USB-modem drivers.

Installation set-up

Setting up the installation would start by updating the internal software index, known as the local package index. (The update process doesn't actually update the existing index; it deletes it and replaces it with a fresh copy of the selected sections of the online index.) The online index contains all of the sections and is updated daily to reflect changes to the software which it references. Both are stored in a massive collection of software and data known as the repository for that type and version of Linux, which is "mirrored" (copied) to many servers around the world on a daily basis. Before updating the local index, you would select the desired server (the default selection is probably adequate for most people; don't use servers that belong to small, exclusive organizations such as university departments without permission), the desired package-index sections (I'd select all of them except those which you definitely won't need), and the desired types of updates (select all types of updates, because some application modules which you might need are classified as updates). To make these selections, use the software manager or an app designed specifically for making these selections, such as Software & Updates. The setup should include installing Apt-offline-gui, to make it more convenient to make future changes to the installation. For instructions on using Apt-offline, see AnAptOfflineBlog.blogspot.com. After performing the set-up, de-select the updates sections of the package index, and set "Automatically check for updates" to Never, or the update manager will constantly pester you to install hundreds of MB of updates which you don't need because the installation is being run on a secure PC. I effectively update my OS by replacing it in its entirety every couple of years with a newer version, and I've never had any problems as a result of not updating the OS frequently.

I also recommend installing Synaptic Package Manager (a non-dumbed-down software-manager GUI), assuming that it's not already installed, because even though you won't be able to use it to install software without connecting the installation to the internet, you can use it, for example, to learn what would be required to install some app of interest, or to learn about options that wouldn't normally be installed when using the terminal, Apt-offline, or some dumbed-down software manager. (For example, GIMP has many optional modules. If you use the terminal or Apt-offline to install GIMP, you'd never know about these other modules, but if you use Synaptic to obtain information about GIMP, all of the options will be listed and described, and they could be installed via the terminal or Apt-offline by adding their package names, without caps or spaces (such as gimp-help-en for GIMP's English help module), to the list of modules to be installed.)

Try to anticipate all of the software that you'll need so that you can install it while the installation is connected directly to the internet. As of this writing, Ubuntu doesn't include a desktop notes program by default (the designers probably assumed that a text file stored on the desktop would suffice). If you want a notes program, I suggest Gnote, which is overkill but the best choice I could find the last time I checked. Every Ubuntu derivative which I've tried includes a convenient notes program, sometimes as a widget which can be added to the panel. It's just nice to have a desktop scratchpad, but I delete my notes frequently for security, and store bits of information that I want to keep in the equivalent of a text-file junk drawer which is backed up to multiple encrypted flash drives.

Creating encrypted flash drives

To create encrypted flash drives, I use the Disks program, which is included by default on many types of Linux, but not all. It can be installed under the name gnome-disk-utility. To create an encrypted partition, it seems to be necessary to first create a FAT partition of approximately the same size and location, and then reformat it as a LUKS partition. Don't forget to write down the password in a secure location before creating the encrypted partition. I save all of my old passwords, in case I forget to change the password on something and have to access it after I've forgotten its password.

Setting permissions on encrypted flash drives

The Linux file system's permission scheme is quite complex, but fortunately you can get by with a simple set of permissions for your personal encrypted data drives, so that if your full installation fails (very unlikely, but possible), you can use your data drives with a live installation running on your secure PC until you get around to creating a new full installation. Unfortunately there is no single set of instructions for implementing this permission scheme on all types of Ubuntu, due to differences between the GUIs which are used for setting permissions. So, I'll describe how it's done on Ubuntu Mate, and you should be able to adapt the procedure to any other Ubuntu derivative, or Ubuntu itself. Begin by opening the flash drive, and right-clicking on its top-level directory (not on anything in the directory), or on the drive's name above the file manager's main window. In the menu which appears, click on Properties, and in the window which appears, click on the Permissions tab. In the Permissions tab, set all three "Folder access" settings to "Create and delete files," and all three "File access" settings to "Read and write." Then, if there are any folders or files in the top-level directory, click on the "Apply Permissions to Enclosed Files" button, and close the window. (Ignore the "Execute" setting, unless you need to give a shell script permission to run as a program, in which case you would begin by right-clicking on the shell script, etc., and ultimately click on the Execute box so that there's a check mark in it. A "-" sign indicates do nothing, and an empty box means to rescind an existing execute permission.) So that's it: you should then be able to do anything to the flash drive using any Ubuntu installation, which can prevent some major headaches, but of course you wouldn't even unlock it on an unsecure installation.
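The same settings can be applied from a terminal, which also makes it easy to confirm what the GUI actually did. This is an added example, not the author's procedure: "Create and delete files" for owner, group and others is mode 777 on folders, and "Read and write" for all three is 666 on files. It assumes the unlocked LUKS drive is mounted at a placeholder path such as /media/$USER/DATA and holds a Linux filesystem such as ext4 (FAT stores no POSIX permissions); open_drive, allow_run and mode are names chosen here.

```shell
#!/bin/sh
# Command-line equivalent of the Ubuntu Mate "Properties > Permissions" steps.
# Assumptions: MOUNT is the mount point of the already unlocked LUKS drive (placeholder
# /media/$USER/DATA) with a Linux filesystem; GNU coreutils find/chmod/stat are present.
set -u

# open_drive MOUNT: apply the permissions to the top-level directory and everything inside it
open_drive() {
    mount="$1"
    [ -d "$mount" ] || { echo "not a directory: $mount" >&2; return 1; }
    find "$mount" -type d -exec chmod 0777 {} +   # folder access: create and delete files
    find "$mount" -type f -exec chmod a+rw {} +   # file access: read and write; execute bits untouched
}

# allow_run SCRIPT: the one case the text makes for Execute, letting a shell script run as a program
allow_run() { chmod a+x "$1"; }

# mode PATH: octal permission bits, so the result can be checked (777 for folders, 666 for files)
mode() { stat -c '%a' "$1"; }

# Usage on a real drive (placeholder path):
#   open_drive "/media/$USER/DATA"
#   allow_run "/media/$USER/DATA/backup.sh"
```

Note that 777/666 means every user on every machine that unlocks the drive can change anything on it, which is exactly why the text says to unlock it only on a secure installation.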

Suggested data-backup system

In my backup system, I have a primary backup drive which I religiously maintain as a duplicate of the primary data drive (all data drives are encrypted). I also have a so-called "Disseminate" folder on each of these drives, where I put a copy of every change made to the primary drive, and which I copy weekly to several secondary backups, after deleting the previous copy. The Disseminate folder is a sort of fail-safe which would allow the primary data drive to be reconstructed from one of the secondary backups if the primary data drive and the primary backup both fail simultaneously, which is highly unlikely. If either the primary data drive or the primary backup fails, I would immediately re-create it from the other. Every few months, or if the Disseminate folder gets too big and takes a long time to copy to multiple secondary drives each week, I delete the Disseminate folder from the primary data drive, and then copy the remaining data to each secondary backup (after deleting the secondary backup's old data). I recommend hiding the secondary backups in separate places where they will remain cool, dry, and clean.

I also have a FAT drive that I use for downloading data from the internet, and a copy which I use as a pseudo backup. Once in a while, I get rid of the downloads I don't want to keep, copy the primary FAT drive (FAT-1) to the secondary (FAT-2), and then copy FAT-2 back to FAT-1 to refresh the data on FAT-1. I also copy the primary encrypted data drive's data, except for the Disseminate folder, to the primary backup, and then copy the primary backup to the primary data drive. The reason for copying these flash drives to each other is that flash drives need to be refreshed once in a while to ensure that the data doesn't fade away, although with big new flash drives this probably wouldn't happen for years if the drives are kept cool. Each time data is written to a flash-memory cell, its retention decreases, and the retention spec is based on the condition of a cell after a certain number of writes. But I'd rather be safe than sorry, so I refresh the data on my drives about twice annually.
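The backup routine from the previous paragraph (mirror, weekly Disseminate copies, the periodic rotation) and the refresh step from this one, written as shell functions. This is an added example, not the author's own script: it assumes every drive is already unlocked and mounted at the path you pass in (the paths in the usage comments are placeholders), that the change log is a top-level folder named Disseminate on each drive, and that only coreutils are available.

```shell
#!/bin/sh
# Scripted version of the backup scheme described above.
# Assumptions: drives are unlocked and mounted at the given paths; the change-log folder is
# named "Disseminate" at the top level of each drive; cp, rm, find and mkdir are coreutils.
set -u
DISS="Disseminate"

# copy_tree SRC DST [SKIP]: copy every top-level entry of SRC into DST (dotfiles included),
# overwriting what is already there, except an entry named SKIP
copy_tree() {
    src="$1"; dst="$2"; skip="${3:-}"
    mkdir -p "$dst"
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || continue                      # unmatched glob pattern
        [ "$(basename "$entry")" = "$skip" ] && continue
        cp -a "$entry" "$dst/"
    done
}

# clear_dir DIR: delete everything inside DIR ("after deleting the previous copy")
clear_dir() { find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf {} +; }

# mirror SRC DST: make DST an exact duplicate of SRC, as the primary backup is kept
mirror() { mkdir -p "$2"; clear_dir "$2"; copy_tree "$1" "$2"; }

# weekly_disseminate PRIMARY SECONDARY...: replace each secondary's old Disseminate copy
weekly_disseminate() {
    primary="$1"; shift
    for sec in "$@"; do
        rm -rf "$sec/$DISS"
        cp -a "$primary/$DISS" "$sec/"
    done
}

# rotate_secondaries PRIMARY SECONDARY...: the "every few months" step. Empties the
# primary's Disseminate folder (kept as an empty folder, an assumption here, so the weekly
# step keeps working), then rebuilds every secondary from the primary's remaining data.
rotate_secondaries() {
    primary="$1"; shift
    rm -rf "$primary/$DISS"; mkdir "$primary/$DISS"
    for sec in "$@"; do mirror "$primary" "$sec"; done
}

# refresh_pair A B: rewrite both drives' data, A -> B and then B -> A, so every file is
# written again; each side's Disseminate folder is left alone. Assumes A and B already hold
# the same data (FAT drives simply have no Disseminate folder to skip).
refresh_pair() {
    copy_tree "$1" "$2" "$DISS"
    copy_tree "$2" "$1" "$DISS"
}

# Usage (placeholder mount points):
#   mirror /media/me/DATA /media/me/BACKUP            # keep the primary backup a duplicate
#   weekly_disseminate /media/me/DATA /media/me/SEC1 /media/me/SEC2
#   rotate_secondaries /media/me/DATA /media/me/SEC1 /media/me/SEC2
#   refresh_pair /media/me/FAT-1 /media/me/FAT-2      # twice-yearly cell refresh
```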

NRAM

If NRAM ever becomes available, we won't have to worry about data fading away, or put up with flash memory's slow write speeds. NRAM would also revolutionize the distribution of digital audio and video, due to its phenomenal write-speed and retention characteristics. You could store all of your digital audio on an NRAM drive without having to worry about it getting wiped out by accidentally leaving it in a car in the sun during the summer.


Notes

Revisions

D - Tweaked first paragraph and added section on setting permissions for encrypted data drives.

11/1/19 - Added an explanation for the need to remove wireless circuitry from the PC (added to the first paragraph and to the section on recommended PCs). Also made various minor revisions, such as adding a suggestion to cover RF connectors with tape after detaching them from the small circuit board for wireless circuitry.

11/2/19 - Added details in the following locations: A) 2nd section B) "Creating live flash-drive installations" section C) Last two sentences in the 1st paragraph of the "Installation set-up" section D) to the first and second paragraphs of Note 1.

11/3/19 - A) Added details about security precautions in "Truly secure communications" section and in "Recommended type of mini-PC" section. B) Rewrote the "Creating live flash-drive installations" section, which was a mess.

11/7/19 - Mainly refined the 1st paragraph in the "Truly secure communications" section, but also made some other tweaks which I didn't consider worth mentioning specifically.

11/8/19 - Added a reference to AnAptOfflineBlog.blogspot.com in the last sentence of the 2nd paragraph. 

[1]

A 4 GB flash drive is sufficient for a live installation. I like Topsel FDs with caps for this purpose because of their low cost, no-nonsense physical design, and the fact that they have an LED which indicates when booting is completed. As of this writing, I'm not sure about their reliability, but reliability isn't crucial in this application. I've used similar drives by Kootion, and have found that the red ones are quite reliable, but that the blue ones have some problem which makes them unsuitable for live installations (I don't recall precisely what it was), and have a very high failure rate, although I don't know if this applies to all red and blue Kootions. Lexar makes a similar design, but the minimum size as of this writing is 16 GB, they're considerably more expensive, and they aren't as easy to label.

The aforementioned Topsel drives can be labeled by simply marking them on both sides with a Sharpie, folding a piece of wide transparent tape over the drive, and then trimming the tape. To change the label, you'd have to peel off the tape (which can be a pain) and clean off the old label and adhesive, which can be done with nail polish remover (acetone). So, it's not easy to change the labels with this system.

If you want to be able to change the label easily, I suggest creating a window for holding a label on one side of the drive. To create such a window, I tape a piece of wide transparent tape, sticky side up, on top of some guidelines drawn with a Sharpie on a cutting surface. (The guidelines consist of a 1-1/8"x2" rectangle with a line drawn across it at 90 degrees, 5/8" from either end.) I then apply a piece of regular-width (3/4") transparent tape, sticky side down, across the wide tape along the relevant guideline, and then use a straight-edge and something like an Xacto knife to cut the resulting combination along the aforementioned outline. The result is essentially a piece of transparent tape 1-1/8" wide and 2" long with a 3/4" non-adhesive section (window) in the middle. To apply it to the drive, slide the window across a relevant edge on the drive, until the adhesive catches on the edge. Then wrap that end of the tape around to the other side of the drive, and then the other end, but not so tightly that you can't insert a label under the window.