Ask HN: Building a secure laptop for sensitive work data
Due to recent events at my work I now have a need for a secure laptop for sending and receiving sensitive data to clients. I'm going to buy a laptop for use when working on sensitive data but I need help on setting it up with the right tools and configuration.
I've read a couple articles and done some preliminary research so I have some ideas. I'm not interested in trying to use TAILS. Here's what I have so far:
- Debian OS - Tor Browser - PGP encryption of all outgoing files and emails - some kind of full-disk encryption (Truecrypt?)
I have two questions as well: 1. If I travel with the laptop and airport security asks for my password to unlock FDE, is there anyway to protect against being forced to give them the key?
2. How should I transfer files to and from the laptop? USB key?
9 comments
[ 4.8 ms ] story [ 36.7 ms ] threadI've seen several variants of secure laptops. First one is no boot on the disk at all, just a full disk encryption and a bootable CD.
The alternative is generally just full disk encryption.
If you have a super secure laptop that your post leads me to believe you want, you don't want to write to USB ever. This is how data leaks if you ever have the laptop stolen. Instead, enable read-only on the USB ports (you can do this in Windows via regedit, haven't had to do a Linux laptop).
For traveling with secure devices, simply don't travel with the assembled device. Ship the laptop ahead of you, and only travel with the hard drive, which has the sensitive data. The laptop sans drive is mostly useless, and you're acting as the physical courier for the data. The Dell business laptops that only need 1 or 2 screws removed to take out the hard-drive work well for this.
Also use a SSD for FDE, it's just too painful on 5400 rpm.
So SSD is definitely the way to go if you want to encrypt the whole disk. If that's too expensive, get a 7200rpm laptop drive.
Also, the SSD firmware stores much more metadata about access patterns, which could revert your efforts at keeping your doings private.
When the virtual machine is powered down it can be configured so that any changes would be complete discarded. It also means that if your TOR browser got compromised, the VM would not actually know what its internet IP was (as it is routing through the virtual switch within the client-hypervisor).
Setting this up can be as simple or as complex as you wish. For the simplest installation just get Windows 8.1 Pro, install client Hyper-V (part of Windows), setup a virtual switch, configure it to do a differential, and then install the client OS/TOR (which can be "anything," Linux, Chrome OS, Windows, et al).
The only thing the physical laptop REALLY needs is a TPM chip, and not all consumer grade laptops have it. That's to store your FDE key(s).
As to files, I wouldn't travel with them. Most countries can force you to reveal an encryption key by law. I'd just heavily encrypt them and then place them on the internet during travel.
Just assume that the government will get ahold of them and make sure the encryption is 10+ years rated (elliptic curves are your friend).
I had set up your second partition (Ubuntu) full encryption, then true crypt the first one. the boot starts with the truecrypt validation, if you didn’t know to press escape you would not know that would result in the Ubuntu crypt validation.
https://github.com/grugq/PORTALofPi
1. You could for example create a mountable NTFS partition with seemingly personal sensitive information (a couple of pictures, some documents, a personal love letter, some false business documents, etc.) and have your data in a second partition.
2. Truecrypt was the only software the supported hidden volumes as far as I know, but this device is really amazing IMHO and you can do all sort of things.
[1] http://inversepath.com/usbarmory