Ohai. I was thinking about how I would secure sensitive data while traveling without inconveniencing myself, of course. I figured it would be an interesting thought to share, to see if anyone wanted to comment on it.
- Data is secure in transit
- Cannot be feasibly coerced into providing access to data
- Able to get up and running quickly after border crossings
- Chromebook (Intel x86_64, with TPM)
- USB Flash Drive or Portable SSD
- VeraCrypt (Or your choice of disk/volume encryption software.)
So, this is how it would work, before you travel:
- Create an encrypted volume/partition on your mass storage with VeraCrypt and use the Mooltipass to create a long, secure password.
- Create a copy of your Mooltipass's card and back up the mooltipass's database (binary). Store these safely before you travel. Write the incorrect PIN on the back of both cards.
- The Mooltipass allows three attempts at entering a pin (each digit is 1-F), and if you can't get in by then it erases the card which makes that card unable to decrypt your database.
- When you back up your mooltipass's binary, the database is still fully encrypted and needs to be loaded onto a mooltipass and access with the correct card in order to access them again.
- Back up your crouton chroot to your VeraCrypt protected portable storage. Put in anything else you'll need with you on there at the same time.
- Powerwash your Chromebook. In the help article, do it through the settings menu.
- ChromeOS encrypts its drive by default and stores the encryption keys in the Trusted Platform Module (TPM). When you Powerwash, it deletes the keys in the TPM, making it impossible (within reason) to decrypt the drive and recover files from the previous installation.
- Log into your Chromebook with a management account. It shouldn't be a completely clean account, but an account with no access to any important files or tied to any of your other devices.
So, at this point you have a clean device, a USB drive, and a Mooltipass and its card. If you are stopped at the border, the only way for anyone including you to access the encrypted data you are traveling with is to use the Mooltipass. You can give them the wrong pin or enter it incorrectly, and now nobody can access the encrypted data.
In order to get back up and running once you've crossed the border:
- Powerwash the chromebook again, just in case.
- Log into your chromebook with whatever account you want to use.
- Install crouton and create a temporary chroot.
- Download/install veracrypt into your chroot, decrypt your portable storage.
- Restore your previous chroot from your backup.
Now you're back up and running and you can continue on without any hassle. All you have to do now is backup your chroot again before you cross another border, powerwash your chromebook again, and you're ready to go.
All in all, this basically just saves you time when you are setting up your environment at your destination. You can also just backup your chroot to storage online and pull it back down at the destination, but this is definitely faster than that (and can be done offline).
Support the Author
Devon Taylor (They/Them) is a Canadian network architect, security consultant, and blogger. They have experience developing secure network and active directory implementations in low-budget and low-personnel environments. Their blog offers a unique and detailed perspective on security and game design, and they tweet about technology, security, games, and social issues. You can support their work via Patreon (USD), or directly via ko-fi.