

Ask HN: Building a secure laptop for sensitive work data - eyeJam

Due to recent events at my work I now have a need for a secure laptop for sending and receiving sensitive data to clients. I'm going to buy a laptop for use when working on sensitive data but I need help on setting it up with the right tools and configuration.

I've read a couple of articles and done some preliminary research so I have some ideas. I'm not interested in trying to use TAILS. Here's what I have so far:

- Debian OS
- Tor Browser
- PGP encryption of all outgoing files and emails
- some kind of full-disk encryption (Truecrypt?)

I have two questions as well:

1. If I travel with the laptop and airport security asks for my password to unlock FDE, is there any way to protect against being forced to give them the key?

2. How should I transfer files to and from the laptop? USB key?
======
Someone1234
If it were me, I'd do it via a client hypervisor. Run a normal OS with full
disk encryption, within that I would run a virtual machine which actually did
the sensitive stuff.

When the virtual machine is powered down it can be configured so that any
changes would be completely discarded. It also means that if your TOR browser
got compromised, the VM would not actually know what its internet IP was (as
it is routing through the virtual switch within the client hypervisor).

Setting this up can be as simple or as complex as you wish. For the simplest
installation just get Windows 8.1 Pro, install client Hyper-V (part of
Windows), set up a virtual switch, configure it to do a differential, and then
install the client OS/TOR (which can be "anything": Linux, Chrome OS, Windows,
et al).

The only thing the physical laptop REALLY needs is a TPM chip, and not all
consumer grade laptops have it. That's to store your FDE key(s).

As to files, I wouldn't travel with them. Most countries can force you to
reveal an encryption key by law. I'd just heavily encrypt them and then place
them on the internet during travel.

Just assume that the government will get ahold of them and make sure the
encryption is 10+ years rated (elliptic curves are your friend).
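
The throwaway-VM layout described above, as an added example that is not part of the original comment: client Hyper-V, an internal switch so the guest never sees the physical NIC, and a differencing disk that is thrown away and recreated before each session so the guest always boots from a clean base. Assumptions (mine): an elevated PowerShell on Windows 8.1 Pro or later, a base image already installed at the path in `$Base`, and host-side forwarding (ICS, or New-NetNat on Windows 10+) set up separately for the internal switch.

```powershell
# Added example: disposable sensitive-work VM on Windows client Hyper-V.
# Assumed paths; the base VHDX is a sealed golden image that is never booted directly.
$VmName = 'sensitive-vm'
$Switch = 'vm-internal'
$Base   = 'C:\VMs\base-debian.vhdx'      # sealed guest OS image (assumed to exist)
$Child  = 'C:\VMs\sensitive-child.vhdx'  # differencing disk: this session's writes only

# 1. Enable client Hyper-V (first run needs a reboot; -NoRestart lets you choose when).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart

# 2. Internal switch: the guest is attached to a host-only virtual network, so a
#    compromised Tor Browser inside it only ever learns a private address. Traffic
#    reaches the internet via host-side NAT/ICS configured outside this script.
if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Switch -SwitchType Internal | Out-Null
}

# 3. Protect the base image on the host side so nothing merges into it by accident.
Set-ItemProperty -Path $Base -Name IsReadOnly -Value $true

# 4. "Discard all changes": delete last session's differencing disk and make a fresh
#    one whose parent is the read-only base. Everything the guest wrote is gone.
if (Test-Path $Child) { Remove-Item -Path $Child -Force }
New-VHD -Path $Child -ParentPath $Base -Differencing | Out-Null

# 5. Recreate the VM bound to the fresh child disk and the internal switch, then boot it.
if (Get-VM -Name $VmName -ErrorAction SilentlyContinue) {
    Remove-VM -Name $VmName -Force
}
New-VM -Name $VmName -MemoryStartupBytes 2GB -VHDPath $Child -SwitchName $Switch | Out-Null
Start-VM -Name $VmName
```

Re-running the script is the "power down and discard" step: the old child disk is removed and the VM starts again from the untouched base.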

------
caw
I've never considered Tor as a beacon of security, I believe it to be
anonymity. If this is secure stuff, you probably want to VPN into a known good
host using a hardware token device. Since this is a work thing, they should
most likely host the VPN device in their server room with appropriate access
to their file servers and intranet.

I've seen several variants of secure laptops. First one is no boot on the disk
at all, just a full disk encryption and a bootable CD.

The alternative is generally just full disk encryption.

If you have a super secure laptop that your post leads me to believe you want,
you don't want to write to USB ever. This is how data leaks if you ever have
the laptop stolen. Instead, enable read-only on the USB ports (you can do this
in Windows via regedit, haven't had to do a Linux laptop).

For traveling with secure devices, simply don't travel with the assembled
device. Ship the laptop ahead of you, and only travel with the hard drive,
which has the sensitive data. The laptop sans drive is mostly useless, and
you're acting as the physical courier for the data. The Dell business laptops
that only need 1 or 2 screws removed to take out the hard-drive work well for
this.

Also use an SSD for FDE, it's just too painful on 5400 rpm.
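
The Windows registry switch referred to above (USB mass storage mounted read-only), as an added example that is not part of the original comment. It writes the `StorageDevicePolicies\WriteProtect` value and provides a check function so the setting can be verified or audited; the optional `USBSTOR` step goes further and blocks USB storage from loading at all. Assumptions (mine): elevated PowerShell; the policy applies to devices inserted after the change.

```powershell
# Added example: make removable USB storage read-only on Windows via the registry.
# Files can be copied from a stick onto the laptop, but nothing can be written back to it.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    # Key does not exist by default; create it, then set WriteProtect=1 (or 0 to revert).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name WriteProtect -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Test-UsbWriteProtect {
    # $true only when the key exists and WriteProtect is exactly 1; anything else
    # (missing key, missing value, 0) means USB sticks are still writable.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = (Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    return ($v -eq 1)
}

function Disable-UsbStorageDriver {
    # Stronger option: Start=4 keeps the USB mass-storage driver from loading at all.
    # Use Start=3 to restore on-demand loading.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4
}

Set-UsbWriteProtect -Enabled $true
if (Test-UsbWriteProtect) {
    'USB mass storage is now write-protected; re-insert any connected stick.'
} else {
    'WriteProtect not set; check that this shell is elevated.'
}
```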

~~~
SamReidHughes
How would FDE affect the SSD/HDD decision (in any way that could favor an
SSD)?

~~~
caw
Think of it this way, when you have a normal system, your write is flushed out
to the disk as fast as possible. When you add in full disk encryption, you're
going to have to encrypt on write. Your write won't be acknowledged until it's
physically on the disk, so the faster your disk is, the faster your write will
be acknowledged. Same thing with reads, the faster you can read, the sooner
you can decrypt and return the data to the application.

So SSD is definitely the way to go if you want to encrypt the whole disk. If
that's too expensive, get a 7200rpm laptop drive.

~~~
SamReidHughes
The amount of time and overhead you have when encrypting on write or
decrypting on read is the same for an SSD or HDD. So you're adding the same
time lag and CPU overhead in either case. Only with an SSD the time lag is a
greater proportion of the total time lag. Also, encrypting a sector means that
SSD firmware can't compress it, which some would do. The argument you gave
just says... that SSDs are faster. That is not news.

Also, the SSD firmware stores much more metadata about access patterns, which
could revert your efforts at keeping your doings private.

------
atmosx
The other day this awesome USB device[1] (usbarmory) appeared on my Twitter
stream, which you can use in a variety of ways. You can deploy your own
cryptographic scheme, which could be fairly unique and virtually impossible to
hack and very easy to conceal.

1. You could for example create a mountable NTFS partition with seemingly
_personal sensitive information_ (a couple of pictures, some documents, a
personal love letter, some false business documents, etc.) and have your data
in a second partition.

2. Truecrypt was the only software that supported _hidden volumes_ as far as I
know, but this device is really amazing IMHO and you can do all sorts of
things.

[1] [http://inversepath.com/usbarmory](http://inversepath.com/usbarmory)

------
sarciszewski
If you're going to build a secure laptop, why not go all out and remove your
WiFi and bluetooth cards and connect to a Raspberry Pi or old router running
PORTAL? :)

[https://github.com/grugq/PORTALofPi](https://github.com/grugq/PORTALofPi)

------
BorisMelnik
I would do a dual boot with the default boot being dummy Windows XP without a
password. Throw some "whatever" information on there. Put your secure OS on
partition 2 and make it so you have to select it on boot to get into it.

~~~
LarryMade2
Had something on an older machine once.

I had set up your second partition (Ubuntu) with full encryption, then TrueCrypt
on the first one. The boot starts with the TrueCrypt validation; if you didn't
know to press escape, you would not know that doing so would lead to the Ubuntu
encryption validation.