Ask HN: Building a secure laptop for sensitive work data

2 points by eyeJam ↗ HN
Due to recent events at my work I now have a need for a secure laptop for sending and receiving sensitive data to clients. I'm going to buy a laptop for use when working on sensitive data but I need help on setting it up with the right tools and configuration.

I've read a couple articles and done some preliminary research so I have some ideas. I'm not interested in trying to use TAILS. Here's what I have so far:

- Debian OS - Tor Browser - PGP encryption of all outgoing files and emails - some kind of full-disk encryption (Truecrypt?)

I have two questions as well: 1. If I travel with the laptop and airport security asks for my password to unlock FDE, is there anyway to protect against being forced to give them the key?

2. How should I transfer files to and from the laptop? USB key?

9 comments

[ 4.8 ms ] story [ 36.7 ms ] thread
I've never considered Tor as a beacon of security, I believe it to be anonymity. If this is secure stuff, you probably want to VPN into a known good host using a hardware token device. Since this is a work thing, they should most likely host the VPN device in their server room with appropriate access to their file servers and intranet.

I've seen several variants of secure laptops. First one is no boot on the disk at all, just a full disk encryption and a bootable CD.

The alternative is generally just full disk encryption.

If you have a super secure laptop that your post leads me to believe you want, you don't want to write to USB ever. This is how data leaks if you ever have the laptop stolen. Instead, enable read-only on the USB ports (you can do this in Windows via regedit, haven't had to do a Linux laptop).

For traveling with secure devices, simply don't travel with the assembled device. Ship the laptop ahead of you, and only travel with the hard drive, which has the sensitive data. The laptop sans drive is mostly useless, and you're acting as the physical courier for the data. The Dell business laptops that only need 1 or 2 screws removed to take out the hard-drive work well for this.

Also use a SSD for FDE, it's just too painful on 5400 rpm.

How would FDE affect the SSD/HDD decision (in any way that could favor an SSD)?
Think of it this way, when you have a normal system, your write is flushed out to the disk as fast as possible. When you add in full disk encryption, you're going to have to encrypt on write. Your write won't be acknowledged until it's physically on the disk, so the faster your disk is, the faster your write will be acknowledged. Same thing with reads, the faster you can read, the sooner you can decrypt and return the data to the application.

So SSD is definitely the way to go if you want to encrypt the whole disk. If that's too expensive, get a 7200rpm laptop drive.

The amount of time and overhead you have when encrypting on write or decrypting on read is the same for an SSD or HDD. So you're adding the same time lag and CPU overhead in either case. Only with an SSD the time lag is a greater proportion of the total time lag. Also, encrypting a sector means that SSD firmware can't compress it, which some would do. The argument you gave just says... that SSD's are faster. That is not news.

Also, the SSD firmware stores much more metadata about access patterns, which could revert your efforts at keeping your doings private.

If it was me, I'd do it via a client-Hypervisor. Run a normal OS with full disk encryption, within that I would run a virtual machine which actually did the sensitive stuff.

When the virtual machine is powered down it can be configured so that any changes would be complete discarded. It also means that if your TOR browser got compromised, the VM would not actually know what its internet IP was (as it is routing through the virtual switch within the client-hypervisor).

Setting this up can be as simple or as complex as you wish. For the simplest installation just get Windows 8.1 Pro, install client Hyper-V (part of Windows), setup a virtual switch, configure it to do a differential, and then install the client OS/TOR (which can be "anything," Linux, Chrome OS, Windows, et al).

The only thing the physical laptop REALLY needs is a TPM chip, and not all consumer grade laptops have it. That's to store your FDE key(s).

As to files, I wouldn't travel with them. Most countries can force you to reveal an encryption key by law. I'd just heavily encrypt them and then place them on the internet during travel.

Just assume that the government will get ahold of them and make sure the encryption is 10+ years rated (elliptic curves are your friend).

I would do a dual boot with the default boot being dummy Windows XP without a password. Throw some "whatever" information on there. Put your secure OS on partition 2 and make it so you have to select it on boot to get into it.
Had something on an older machine once.

I had set up your second partition (Ubuntu) full encryption, then true crypt the first one. the boot starts with the truecrypt validation, if you didn’t know to press escape you would not know that would result in the Ubuntu crypt validation.

The other on my twitter stream appeared this awesome USB device[1] (usbarmory), which you can use in a variety of ways. You can deploy your own cryptographic scheme, which could be fairly unique and virtually impossible to hack and very easy to conceal.

1. You could for example create a mountable NTFS partition with seemingly personal sensitive information (a couple of pictures, some documents, a personal love letter, some false business documents, etc.) and have your data in a second partition.

2. Truecrypt was the only software the supported hidden volumes as far as I know, but this device is really amazing IMHO and you can do all sort of things.

[1] http://inversepath.com/usbarmory