I am planning on buying a 13.3 - 15.6 laptop that I will specifically use for running qubes, and containing lots and lots of highly sensitive files.
I will also be using tor allot, and for me the main things I care about is being able to get my setup as secure as possible.
Things i've thought about so far;
OPAL SED SSD for HW based drive encryption. (Second FDE ofcourse)
USB PGP-Key for authentication and stuff., also contains (hidden) storage.
Keypad encrypted USB for hardware encrypted USB with bootfiles/keyfiles etc.
Now for the laptop itself;
Is
TPM worth it? Im hearing mixed opinions... Also, I definately do not
want to put all my eggs in one basket, so would using TPM be possible in
a way that it is just one of several parts of the whole security-chain ?
I would hate it if someone has a TPM backdoor and compromises my whole
system that way, any way to design something with 2 or better yet; 3 way
authentication ?
What about the processor and bios? Are there any secure/open bioses that work with recent intel processors?
As
for the processor; are the SGX and other new features that skylake
CPU's offer any good? Would it be possible to make use of these features
in Qubes?
If not, what processor would you guys recommend? I
guess Intel right? Are there any laptops out there that have onboard
security-hardware that offers any real solid security benefits? I've
read allot of posts from Joanna where she kinds of debunks the Cortex
M-3 security chip, so I am wondering; are there any other chips like
these that are truly open source, and really add some security?
What
kind of laptop comes to mind when I'm asking for this kind of features?
I'm having a very very hard time finding a laptop that I can setup in a
way that would make me feel truly secure. I hope you guys can share
some advice on these matters.
P.S.
I'm using the PGP-key
stick, and USB-keypad-usb as my "extra security-weapons" are there any
other reliable open source hw-security devices out there that you guys
would recommend?
Would it be possible to add say some biometric
security hardware and then have the full disk encryption work in such a
way that 3 way authentication would be needed ?
Also, we have the
software based full disk encryption, and also the HW based OPAL full
disk encryption, even though I trust the software based one the most, I
would still like to also maximize the security of the samsung SED based
one. Would it be possible to have 3-way authentication for both, while
having unique keys each?
What would be the best way to implement
3-way authentication? Most people advise me on using the combined output
of all 3 hw keys, maybe even with some mechanism which unlocks a
keyfile or something like that. But to me these things sound like they
are not really thought trough; there has to be a better way to implement
3-way (or even 2 way) authentication, at-least for the software based
FDE, and maybe even for the samsung OPAL one , right ?
Also, what would you guys recommend me to use as encryption method? LVM-LUKS won't let me encrypt the boot partition, and it wont really allow me to use 2-way authentication aswell.
What would be the best way to go about encrypting my drive using the hardware available? (PGP-key, USB-keypad, "addyourown"
I
really hope we can start a discussion on these topics that will lead to
a general what-should-I-buy advice when one wants maximum security from
COTS hardware, and open software.
- HQE
probably a unicorn, but if you can find a laptop with the ram and/or drive soldered into the motherboard,that also raises the bar on offline attacks. ironically, the only laptops ive found with soldered in ram are macbooks.
--To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/f058dceb-11b4-4d9f-8e90-2809ade40d3a%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.