
I run a dual-boot Debian + Windows 7 laptop, but my default position is to assume the Windows partition is exploitable, so for secure activities I boot Debian.

That boots using an unencrypted /boot partition, but everything else running on LUKS (one big partition, LVM'd down). I have a VeraCrypt partition which is for files that I want to work on from both operating systems. Works really well, crypted disks don't materially impact performance, and gives peace of mind.

The most likely scenario for theft is someone after the hardware, and they'll not spend much effort trying to break into the file system.

I'd be wary if the machine was stolen and then returned, but restoring MBR & /boot partition should be sufficient in that instance.

I've travelled to regions that I considered dubious, if not especially technically sophisticated. I haven't done this; however, research suggested the best way of confirming your laptop hasn't been opened is to use a sparkling nail varnish. Dab a small amount on some or all of the case screws, take a close-up photo, store that photo somewhere safe. After the event, take photos of the screws again, and compare. The random patterns are effectively impossible to replicate.

Combined with disabling USB booting, and BIOS admin password, and keeping the OS in sleep -- it should be possible to prove your laptop hasn't been hacked via physical intrusion.
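
For the stolen-and-returned case in the comment above, a check of the unencrypted MBR and /boot against a baseline taken beforehand, as an added example that is not part of the original comment. The function names and the baseline file format are assumptions made here, and the check is meant to be run from trusted boot media rather than from the installed OS.

```sh
#!/bin/sh
# Added example (not from the thread): baseline and re-check the unencrypted
# boot path, i.e. the MBR and the files under /boot.
# Assumption: run from trusted boot media, not from the OS being checked, and
# keep the baseline file off the laptop.

# SHA-256 of the first N sectors of a disk or image (default 1 = the MBR).
# BIOS GRUB also embeds code between the MBR and the first partition, so a
# larger count (e.g. 2048) covers that gap on typical layouts.
mbr_hash() {
    dd if="$1" bs=512 count="${2:-1}" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# One "hash  ./relative/path" line per regular file, in a stable order.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# make_baseline DISK BOOT_DIR OUT_FILE
make_baseline() {
    { printf 'MBR %s\n' "$(mbr_hash "$1")"; boot_manifest "$2"; } > "$3"
}

# verify_baseline DISK BOOT_DIR BASELINE_FILE
# Returns 0 when nothing changed; prints a diff and returns 1 otherwise.
verify_baseline() {
    _now=$(mktemp) || return 2
    make_baseline "$1" "$2" "$_now"
    if diff -u "$3" "$_now"; then _rc=0; else _rc=1; fi
    rm -f "$_now"
    return "$_rc"
}

# Usage: script baseline|verify DISK BOOT_DIR FILE   (e.g. /dev/sda /mnt/boot)
case "${1:-}" in
    baseline) make_baseline "$2" "$3" "$4" ;;
    verify)   verify_baseline "$2" "$3" "$4" ;;
esac
```

A changed, added or removed file under /boot, or any change in the hashed sectors, shows up as a line in the diff.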



A lightly paranoid setup might actually only boot from a removable USB disc or SD Card instead of from the fixed HDD. The removable disc is kept on a necklace or whatever. The HDD is totally encrypted. A seriously paranoid setup might include manufacturing your own USB thumb drives.

This: https://www.linuxjournal.com/content/take-control-your-pc-ue... will also help in keeping the evil maid (sexist) out.

As to your last assertion: you can't really prove it 100% but you could at least satisfy your risk assessment.


I do this with the ExpressCard slot on my ThinkPad, not because I'm paranoid but because I like to experiment with many OSs and it's easier to manage than messing with partitions and bootloaders. I appreciate how the ExpressCard SSDs don't stick out of the laptop at all. I keep all my user data on the internal drive though (encrypted), so my risk to unattended laptop hijinks isn't much mitigated.


Good skills mate.

So: Your user data is on the HDD and encrypted AND you use a removable disc to boot your machine AND you have a "something you know" (password)

That looks quite secure to me, provided you look after your removable disc and password. I'm not familiar with IBM gear - is ExpressCard a removable disc? I tried to read the WP page on it but got confused.

I have one of these for my laptop - Dell Inspiron 17. It runs Arch Linux. I don't trust it at all (I'm CREST accredited) but I still use it.


ExpressCard is the successor to PCMCIA. It's not limited to disks, you can also get cellular modems, GPS cards, or whatever. The drives I use are these: http://www.wintecind.com/features/filemate/ssd/wf_expresscar...

I agree my setup is probably pretty secure, but not any more so than a single OS install with FDE, especially since I often leave an OS ExpressCard in the machine and the other ones I leave scattered around my desk...


The EOMA68 project is putting together an interesting variant on this approach. Instead of taking your hard drive with you, they are building computers with a mainboard on a PCMCIA card, so you can eject your entire system from its housing and take it with you. A small SSD is included, so you could literally bring your entire environment with you if you don't mind being limited to 8GB.

https://www.crowdsupply.com/eoma68/micro-desktop


> but my default position is to assume the Windows partition is exploitable

In reality, as the article explains, the Windows partition is basically invulnerable to this class of attacks if you take the 5 minutes to enable BitLocker. OTOH Linux systems have no effective defense.


BitLocker stores your encryption keys on a Microsoft server [1] and is closed-source software, therefore by definition it cannot be trusted for encrypting anything important. (It is wrong even if your adversary is not a state, because that way you are getting used to a false sense of security that you don't actually have.)

[1] https://theintercept.com/2015/12/28/recently-bought-a-window...


It's an option to store your keys on their server, but not a requirement. At least not the last time I set up BitLocker. In fact that computer didn't even have the on board Secure Storage thing that it prefers, so I had to make a note of the recovery key on paper.


"Stores keys on someone's server" cannot be trusted, no matter what the copyright status is of the code running on the server.

Code licensing or copyright status isn't a form of security.

The issue isn't just that the remote server's code is impervious to scrutiny. A locally installed program that you can reverse engineer isn't automatically trustworthy because it is open-source, or even copylefted. Someone actually has to reverse engineer the binary and prove that it matches the source code. Many users of free software trust upstream binaries. (Even if they compile their own programs, they trust compiler binaries at some point.)


That may or may not be the case.

My primary concern - I should perhaps have spelled it out more clearly - is that the Windows partition is likely exploitable via Microsoft Windows.

Detecting data at-rest exploits such as described in TFA, and per my mitigation suggestions -- because they don't scale well -- implies that you're already of interest to your adversary.



