Split Linux
This week I want to talk about an unusual project I tried out recently called Split Linux. The project's website describes itself as follows:
Split Linux is a general operating system optimized for safely navigating hostile environments like the Internet and physical check points. Split Linux builds on tools that follow the UNIX philosophy and is based on the fast and independent Void Linux.
Digging a little deeper we can learn additional bits about Split Linux. The idea of Split is to run two or more operating systems on your computer. The first operating system is installed normally and can be any Linux distribution or other operating system that looks semi-familiar to the public. The first operating system is not used for anything important and is considered the "decoy".
We then set up a second volume which will be home to an encrypted volume we will fill with Linux containers. Each container has its own username and password, its own files, and its own programs. Network traffic is routed through the Tor network.
The computer cannot directly boot into this second partition and the boot menu does not even list it as an option. The second partition with our encrypted containers is not bootable. To access the containers we plug in a USB thumb drive that holds Split Linux. The computer boots off the thumb drive and, if we provide the proper username and password, we are granted access to one of the encrypted containers.
The idea here seems to be to provide multiple layers. If we are stopped at a border and asked to power on our laptop, the system will boot to the decoy operating system where nothing important is visible. Even if we boot the computer from our Split thumb drive, and are compelled to enter our password, we can choose which account to sign into. Since each account has its own container (which is isolated from the rest) this means we can have one innocent looking account, another for work, one for home, another for banking, and so on. Anyone inspecting the machine shouldn't be able to tell which container holds important information or even the number of containers present as they are all in one big, encrypted partition.
As mentioned above, Split Linux is based on Void and uses the lightweight musl C library. This means we are essentially running Void when we boot from the Split thumb drive and containers we make in the encrypted volume run a minimal version of Void by default.
Booting from the Split thumb drive brings up a menu offering to start in the distribution and run it from the USB drive or load the operating system into RAM before running it. The boot process produces a lot of output, mostly information on services starting, some networking data, and there is a blurb about default login credentials which goes by too quickly for me to read.
When I first booted Split it looked like the boot process had locked up. However, when I pressed the Enter key output scrolled up the terminal and I was shown a login prompt. After failing to guess the password three times, a message appeared to give me the login credentials and show me the login prompt again. We can sign in using "root" as the username and "voidlinux" as the password.
The first time we boot Split Linux we should follow the guide for setting up local partitions and an encrypted volume. Basically this involves creating a new partition, setting up encryption, and creating a logical volume on the partition. Apart from the initial device name for the partition, the install process can be completed by just copying a handful of commands from the documentation into the terminal. This seems like a series of steps which could be easily scripted to avoid typos or getting the instructions out of order. All the script would need to do would be to get our partition name, such as /dev/sda1 and then run the instructions listed in the documentation.
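The scripted setup suggested above could start from a dry-run planner like the one below. This is an added example, not taken from the Split Linux guide or project: it assumes generic LUKS and LVM commands for the three steps, and the names example_crypt, example_vg and example_lv are hypothetical.

```sh
#!/bin/sh
# Dry-run planner for the three setup steps the review lists: set up
# encryption on the partition, open it, create a logical volume inside it.
# ASSUMPTIONS (not from Split Linux's guide): generic LUKS + LVM commands
# and the hypothetical names example_crypt, example_vg, example_lv.

# Accept only partition-style names such as /dev/sda1 or /dev/nvme0n1p2;
# reject whole disks, relative paths and anything carrying extra characters.
valid_partition() {
    case "$1" in
        /dev/sd[a-z][0-9]|/dev/sd[a-z][0-9][0-9]) return 0 ;;
        /dev/vd[a-z][0-9]) return 0 ;;
        /dev/nvme[0-9]n[0-9]p[0-9]) return 0 ;;
        /dev/mmcblk[0-9]p[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the device is listed as a mount source in the mounts table
# given as $2 (defaults to /proc/mounts).
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the commands in a fixed order; nothing is executed here.
plan_setup() {
    part=$1; mounts=${2:-/proc/mounts}
    valid_partition "$part" || {
        echo "refusing: '$part' is not a partition name" >&2; return 2
    }
    if is_mounted "$part" "$mounts"; then
        echo "refusing: $part is mounted" >&2; return 3
    fi
    cat <<EOF
cryptsetup luksFormat $part
cryptsetup open $part example_crypt
pvcreate /dev/mapper/example_crypt
vgcreate example_vg /dev/mapper/example_crypt
lvcreate -n example_lv -l 100%FREE example_vg
EOF
}

# When called with a partition argument, print the plan for review.
if [ "$#" -gt 0 ]; then plan_setup "$@"; fi
```

The printed plan is meant to be read and compared against the project's documentation before any of it is run as root.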
Once the steps of creating an encrypted volume and formatting it are completed we should reboot the computer, leaving the Split thumb drive in the machine. This time when the system boots Split detects the encrypted volume we just created. It is mounted and we can then continue following the aforementioned guide to set up one or more containers. Optionally, we can add additional software, such as a window manager, to the container. The guide recommends installing the Beast graphical environment and I gave this a try. We need to copy a long command into the terminal to install the Beast window manager and, again, this seems like a step which could be presented as an optional script to be run from the live media.
The container we create will, by default, run a minimal copy of the Void distribution, though I suppose we could install anything we wanted into a container should we prefer a different distribution.
After we set up one or more containers we can log out of the root account on the live media and sign into a container. To do this, we use the name of a container as our username and its password (assigned during setup) to sign into the container's minimal operating system. By default we get a bare bones, command line distribution. Basically, it's Void running some command line programs with the XBPS package manager. Assuming we install Beast, the graphical environment loads by default.
The Beast desktop is very minimal and, unusually, appears to offer a very simple tiling window manager that is navigated almost entirely with keyboard shortcuts. I found it a bit tricky to get used to Beast, but it seems functional once you get to know the appropriate shortcuts.
[Screenshot: Split Linux -- Running the Beast graphical interface]
Though the documentation guide does not appear to mention this in detail, the decoy partition (the one which is not encrypted) is to be set up and used separately. That is, we install any distribution we like on the decoy partition the way we normally would. It is intended to have a minimal operating system with its own applications and user account set up entirely separately.
Basically the idea is when we boot the computer normally we sign into the unencrypted operating system, whatever it is. The decoy system has a desktop, some apps, maybe some files, but nothing important or interesting. When we boot from the Split Linux live media, it detects the encrypted volume and mounts it. Each user account gets its own container on an encrypted volume. This way we can run multiple users (one for work, one for home, one for banking) and they are isolated from the other accounts and containers. The data is all encrypted and Split Linux doesn't boot without its live media so people doing a cursory inspection of the laptop only see the decoy operating system.
In other words, to access our important files, a person would need three things: Our encryption password, the name and password of our container, and a way to see (and access) encrypted partitions such as the Split Linux thumb drive. Plus they would need to ignore the decoy operating system that boots automatically.
Exploring Split, I found that the system was fairly light. Running one container with the Beast interface consumed 325MB of RAM. The live distribution itself is fairly small, under 700MB, so can be run from a CD, USB thumb drive, or DVD.
Each container, with a window manager installed, consumed about 2GB of my encrypted volume, prior to adding any programs or data files. I suspect that, for a basic installation with a desktop environment and web browser, each container would probably need about 8GB of space. This means if we wanted three isolated containers we would be looking at at least 24GB of drive space, plus any data files and swap space.
The distribution is fairly light and fast, staying true to its Void roots. I found it does not automatically integrate with VirtualBox, but then again it's not designed with virtual machines in mind. Its purpose is to help us secure physical devices, particularly ones we might take across borders, so virtual machine support is not a priority.
I was unsure about Split Linux at first. The project's website mixes some good technical information with some philosophy and tips on privacy, so I wasn't sure what kind of experience I was getting into just by reading the website. I had a rough idea of what Split was trying to do (isolate and hide files), but was not sure what that would look like or how much effort would be required to set it up.
On the positive side, Split's approach of having a decoy distribution on one partition and an encrypted partition full of hidden containers, each with their own files and login credentials, is a really great idea. This is a bit like Qubes OS in that both focus on security by isolation, but with much less resource overhead and a shorter setup time. However, where Qubes protects us mostly from outside (remote) attacks, Split is designed to protect us against attackers who have direct, physical access to the computer. The concept of Split seems to be solid and the installation went just as the documentation said it would.
There are two downsides as I see them for potential Split Linux users. The first is that the project is not at all user friendly yet. Setting it up takes a good deal of command line Linux knowledge and the Beast user interface is going to be completely alien to most computer users. This project could greatly benefit from an install script, some optional "install add-ons" scripts, and a more mainstream, yet light, desktop such as Xfce or LXQt.
The other potential problem I see is with maintenance. Setting up Split isn't bad, it requires technical knowledge of the command line and device names, but it's not a long process. The problem is we need to keep on top of maintaining each container and the decoy system if we plan to use it occasionally. People sometimes struggle to keep up with patches for one or two operating systems. With Split we might end up with the decoy operating system, plus an innocent/decoy container, a work container, and a home container. That is four isolated systems to keep patched for just one laptop. For people with more compartmentalized lives, I could see the maintenance time getting out of hand.
In short, I think Split has a lot of potential. I'd like to see the documentation fleshed out, some install scripts added, and a more friendly graphical window manager. I'm not sure I'd recommend it yet over something like Qubes, especially not for daily use. I think Split is best suited for short trips, like popping over a border for business, but then returning to another distribution after we get back home. I think juggling multiple containers and running the minimal operating system full-time would be more effort than it is worth, but I can see the benefit for people who want it for one-off jaunts into situations where they don't want the contents of their hard drive examined.