Ask HN: Building a secure laptop for sensitive work data

2 pointseyeJam11y ago9 comments

Due to recent events at my work I now have a need for a secure laptop for sending and receiving sensitive data to clients. I'm going to buy a laptop for use when working on sensitive data but I need help on setting it up with the right tools and configuration.

I've read a couple articles and done some preliminary research so I have some ideas. I'm not interested in trying to use TAILS. Here's what I have so far:

- Debian OS - Tor Browser - PGP encryption of all outgoing files and emails - some kind of full-disk encryption (Truecrypt?)

I have two questions as well: 1. If I travel with the laptop and airport security asks for my password to unlock FDE, is there anyway to protect against being forced to give them the key?

2. How should I transfer files to and from the laptop? USB key?

Ask HN: Building a secure laptop for sensitive work data

2 pointseyeJam11y ago9 comments

I've read a couple articles and done some preliminary research so I have some ideas. I'm not interested in trying to use TAILS. Here's what I have so far:

- Debian OS - Tor Browser - PGP encryption of all outgoing files and emails - some kind of full-disk encryption (Truecrypt?)

I have two questions as well: 1. If I travel with the laptop and airport security asks for my password to unlock FDE, is there anyway to protect against being forced to give them the key?

2. How should I transfer files to and from the laptop? USB key?

9 comments

8 comments · 5 top-level

caw11y ago· 2 in thread

I've never considered Tor as a beacon of security, I believe it to be anonymity. If this is secure stuff, you probably want to VPN into a known good host using a hardware token device. Since this is a work thing, they should most likely host the VPN device in their server room with appropriate access to their file servers and intranet.

I've seen several variants of secure laptops. First one is no boot on the disk at all, just a full disk encryption and a bootable CD.

The alternative is generally just full disk encryption.

If you have a super secure laptop that your post leads me to believe you want, you don't want to write to USB ever. This is how data leaks if you ever have the laptop stolen. Instead, enable read-only on the USB ports (you can do this in Windows via regedit, haven't had to do a Linux laptop).

For traveling with secure devices, simply don't travel with the assembled device. Ship the laptop ahead of you, and only travel with the hard drive, which has the sensitive data. The laptop sans drive is mostly useless, and you're acting as the physical courier for the data. The Dell business laptops that only need 1 or 2 screws removed to take out the hard-drive work well for this.

Also use a SSD for FDE, it's just too painful on 5400 rpm.

SamReidHughes11y ago

How would FDE affect the SSD/HDD decision (in any way that could favor an SSD)?

caw11y ago

Think of it this way, when you have a normal system, your write is flushed out to the disk as fast as possible. When you add in full disk encryption, you're going to have to encrypt on write. Your write won't be acknowledged until it's physically on the disk, so the faster your disk is, the faster your write will be acknowledged. Same thing with reads, the faster you can read, the sooner you can decrypt and return the data to the application.

So SSD is definitely the way to go if you want to encrypt the whole disk. If that's too expensive, get a 7200rpm laptop drive.

1 more reply

BorisMelnik11y ago· 1 in thread

I would do a dual boot with the default boot being dummy Windows XP without a password. Throw some "whatever" information on there. Put your secure OS on partition 2 and make it so you have to select it on boot to get into it.

LarryMade211y ago

Had something on an older machine once.

I had set up your second partition (Ubuntu) full encryption, then true crypt the first one. the boot starts with the truecrypt validation, if you didn’t know to press escape you would not know that would result in the Ubuntu crypt validation.

Someone123411y ago

If it was me, I'd do it via a client-Hypervisor. Run a normal OS with full disk encryption, within that I would run a virtual machine which actually did the sensitive stuff.

When the virtual machine is powered down it can be configured so that any changes would be complete discarded. It also means that if your TOR browser got compromised, the VM would not actually know what its internet IP was (as it is routing through the virtual switch within the client-hypervisor).

Setting this up can be as simple or as complex as you wish. For the simplest installation just get Windows 8.1 Pro, install client Hyper-V (part of Windows), setup a virtual switch, configure it to do a differential, and then install the client OS/TOR (which can be "anything," Linux, Chrome OS, Windows, et al).

The only thing the physical laptop REALLY needs is a TPM chip, and not all consumer grade laptops have it. That's to store your FDE key(s).

As to files, I wouldn't travel with them. Most countries can force you to reveal an encryption key by law. I'd just heavily encrypt them and then place them on the internet during travel.

Just assume that the government will get ahold of them and make sure the encryption is 10+ years rated (elliptic curves are your friend).

atmosx11y ago

The other on my twitter stream appeared this awesome USB device[1] (usbarmory), which you can use in a variety of ways. You can deploy your own cryptographic scheme, which could be fairly unique and virtually impossible to hack and very easy to conceal.

1. You could for example create a mountable NTFS partition with seemingly personal sensitive information (a couple of pictures, some documents, a personal love letter, some false business documents, etc.) and have your data in a second partition.

2. Truecrypt was the only software the supported hidden volumes as far as I know, but this device is really amazing IMHO and you can do all sort of things.

[1] http://inversepath.com/usbarmory

sarciszewski11y ago

If you're going to build a secure laptop, why not go all out and remove your WiFi and bluetooth cards and connect to a Raspberry Pi or old router running PORTAL? :)

https://github.com/grugq/PORTALofPi

j / k navigate · click thread line to collapse