I’ve recently become interested in reducing the amount of data readily available on my laptop. The threat model I’m concerned about is that someone gets access to my laptop when it is unlocked, i.e., I’m logged in. More specifically, the two situations are (a) someone snatched the laptop from me during a moment of inattention and (b) authorities compel me to unlock digital devices for search.
Up to now my motto with personal devices has been to keep the max amt of information at my fingertips. Given the evolution of storage devices I can readily keep more than a decade of email, photos, etc. However, during recent int’l travel I realized I need to radically change my approach and only have what I really need at the moment and somehow store the rest in a safer place!
One concrete exercise I did is to try to figure out how to sanitize my laptop for travel, i.e., remove everything personal I didn’t need for the flight. I came up with a bunch of actions as well as hurdles. I’m hoping that sharing what I did and encountered can help others as well as spark some discussion on what I missed or better ways of doing things.
What I did:
- created a snapshot backup of the btrfs @home subvolume using btrfs send and uploaded that to my home server (I do incrementals for backup already, so it wasn’t that big an upload)
- created a new user with home directory in / (not /home) and initialized that user with a selection of my dot files
- logged in as that user and ensured I could access what I needed, such as web sites with flight status info
- (by deleting @home I deleted my keepass password store as well as the creds to connect to my home VPN or SSH home)
- reboot
The result was not a laptop with no personal info as there’s bound to be some stuff laying around, but at least I no longer had a decade of personal data there.
Some things that didn’t go the way I had hoped:
- checking and double-checking all the actions took a long time and was quite some work
- restoring took a long time since that’s not incremental
- the temp user was pretty messed up, maybe I need to pick up storing dotfiles in git again
- I didn’t double-check that /tmp was cleared nor that other locations didn’t have copies of my data
- I did read about btrfs deleting files, TRIM and SSDs and such to convince myself that barring chip surgery the data was gone, but I did not do any spot checks to verify
- the resulting laptop was clearly not “normal looking”, although by the time one runs garuda & hyprland a line has been crossed in that respect…
- if my flight had had a problem and landed in some remote airport I wouldn’t have been able to get to my passwords to, for example, easily book a hotel or a flight (arguably credit card and plain phone are sufficient)
I did all the above in part as an exercise: I’ve always valued my privacy and taken measures to protect it and I wanted to see how this would pan out. If you are interested in this type of stuff I highly recommend the exercise! Some further thoughts:
- if you really must ensure none of your personal data can be retrieved from your laptop then you must construct a clean laptop from scratch and not try to sanitize like I did (no surprise). I just realized that doing it properly “only” costs having a second SSD if you can swap that out easily, not a full second laptop
- one of the most tricky parts is how to end up with a travel laptop that smells normal, i.e., doesn’t arouse suspicion resulting in further inspection, while having a minimum of personal info visible
- btrfs subvolumes seem to be a great unit for protection in that they can be dumped and restored cleanly
- I don’t know how to think about encryption and threat situation (b): encrypting data (say all photos) is only really useful if you truly don’t have the key with you, but I’m not sure how to arrange the practical matters around that
Overall what’s clear to me is that I need to change storage strategy and by default move everything off devices that can leave the home. Not sure yet about exact next steps though. I’d love to hear about experiences or technical ideas focused on garuda linux!
I don’t know your threat model, but the effort you’ve gone through would be too much for me. For me, a second device or even a second SSD containing the data I need while traveling would suffice.
You can encrypt the system to prevent theft. You can also carry passwords on a piece of paper that doesn’t contain the passwords in plain text, but rather as “encrypted” text. For example, you could add one or two characters after every third character that are not part of the actual password. There are certainly many ways to protect against “normal” thieves.
However, it’s a different matter against state actors. You could be forced to hand over your access and passwords through imprisonment or torture. In that case, I would rather use Tails and memorize my passwords. But even that would probably be ineffective in such a situation.
Buying a second device is not just expensive, it is also quite a maintenance task. Ensuring you have the data you need on it takes effort, plus ensuring the config matches your other device so you can work comfortably.
But at some level it doesn’t matter whether it’s two devices or one. If I want to automate the maintenance, in effect I need two things:
- verify that none of my private info is found outside of my home dir (or of /home perhaps)
- whitelist the portions of my home dir that can be sync’ed from my primary device to my travel device
The difference between having one device or two is whether the whitelisted stuff gets copied to the second device vs. the non-whitelisted gets deleted (after backup) from the one device.
One thought I had is to use a subvolume for each activity, for example one for my media files, one for my embedded systems coding projects, one for 3D printing, one for trip research, etc. Then I could whitelist the subvolumes I want on my laptop and make the others disappear (or not synced). The main catch I’m finding is that it’s pretty unpredictable what apps leave in .cache, .local, .config and other dotfiles.
An assumption I’m making is that it’s fine to have all my apps on the device. E.g., it’s OK to have OrcaSlicer visible, I just don’t want my 3D models to be present/accessible.
Well, there is actually no personal data outside of /home. You can see which programs are installed, but who cares or what use is it for anyone to know this?
In my opinion, it is not unpredictable that programs store files in the 3 folders you mentioned. You just have to check. You have to whitelist some files in .local and .config anyway if you want to work “comfortably” with let me call them approved programs. This would exclude the other undesirable candidates. You can delete caches or not even take them with you.
It’s not that difficult. Configure an rsync command line once and you’re done. Since you seem to want it to be perfect, you won’t be able to avoid creating a list for it.
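The whitelist idea from the two posts above (sync only listed parts of the home directory to the travel device, everything else stays behind), as an added example that is not from either poster. It assumes a whitelist file with one path per line relative to the home directory, and the non-obvious part is that rsync needs every parent directory included explicitly before the final catch-all exclude.

```shell
#!/bin/sh
# Added example (not from the thread): push only a whitelist of paths from
# the primary device's home to the travel device's home with rsync, so
# 3D models, trip research, .cache etc. never get copied. WHITELIST holds
# one path per line relative to the home directory (assumed format), e.g.
#   .config/hypr
#   Documents/travel

# rsync reads filter rules top down, and the final "- *" would hide a
# parent directory before rsync ever descends to the whitelisted child,
# so every ancestor is included explicitly before the leaf.
build_filter() {                          # build_filter WHITELIST OUT_FILE
    : > "$2"
    while IFS= read -r path; do
        path="${path%/}"
        [ -n "$path" ] || continue
        rest="$path"; prefix=""
        while [ "$rest" != "${rest#*/}" ]; do        # a slash remains
            prefix="$prefix/${rest%%/*}"; rest="${rest#*/}"
            printf '+ %s/\n' "$prefix" >> "$2"       # ancestor directory
        done
        printf '+ /%s\n' "$path" >> "$2"             # the leaf (file or dir)
        printf '+ /%s/***\n' "$path" >> "$2"         # and its whole subtree
    done < "$1"
    printf '%s\n' '- *' >> "$2"                      # everything else
}

# Mirror SRC_HOME into DST_HOME under that filter. --delete-excluded also
# removes anything on the travel side that is not whitelisted, so run
# with DRY_RUN=1 first and read the transfer list before trusting it.
sync_whitelist() {                 # sync_whitelist WHITELIST SRC_HOME DST_HOME
    filter=$(mktemp) || return 1
    build_filter "$1" "$filter"
    rsync -a --delete --delete-excluded --prune-empty-dirs ${DRY_RUN:+-n -v} \
        --filter="merge $filter" "${2%/}/" "${3%/}/"
    rc=$?
    rm -f "$filter"
    return $rc
}

if [ "$#" -eq 3 ]; then
    sync_whitelist "$1" "$2" "$3"
fi
```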
Personal data lives wherever you save it. It could very well be outside of /home.
Also, it can be in a swap partition or swapfile.
You can also have personal data in /tmp, especially if it isn’t mounted on a tmpfs.
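A check for the leftovers this reply lists, as an added example rather than anything from the thread: it greps directories you name for marker strings you supply (an e-mail address, a hostname), and reports whether /tmp is a tmpfs and whether any swap is active. The marker file format and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): look for your own "marker" strings
# in places outside /home that the reply above names (/tmp, /var/tmp, ...)
# plus any other directory you pass. MARKER_FILE holds one literal string
# per line (assumed format). Usage: leak_scan.sh MARKER_FILE DIR [DIR...]

# Print every text file under the given directories that contains at
# least one marker. -r recurse, -I skip binaries, -l names only,
# -s silence permission errors, -F literal strings, -f read them from file.
scan_markers() {                         # scan_markers MARKER_FILE DIR...
    markers="$1"; shift
    grep -rIlsF -f "$markers" "$@" 2>/dev/null
}

# /tmp on tmpfs vanishes at reboot; swap contents may survive a reboot.
report_volatile_state() {
    if findmnt -n -o FSTYPE /tmp 2>/dev/null | grep -qx tmpfs; then
        echo "/tmp: tmpfs (cleared on reboot)"
    else
        echo "/tmp: not a tmpfs, leftover files persist across reboots"
    fi
    # util-linux swapon prints nothing when no swap area is active
    if [ -n "$(swapon --show --noheadings 2>/dev/null)" ]; then
        echo "swap: active, paged-out data may sit on disk (see swap sweep)"
    else
        echo "swap: none active"
    fi
}

main() {
    [ "$#" -ge 2 ] || { echo "usage: $0 MARKER_FILE DIR..." >&2; exit 2; }
    report_volatile_state
    hits=$(scan_markers "$@")
    if [ -n "$hits" ]; then
        echo "files containing markers:"; echo "$hits"
    else
        shift; echo "no marker strings found under: $*"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```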
.cache can have its own subvolume and you can not sync it. The rest is more problematic. You need to look at it app by app. The biggest issue is locally collected telemetry which needs consideration on an app by app basis. That being said, I don’t think many apps collect the kind of data you are concerned about leaking. Disabling tracking recently opened files might be a good idea though if you care about that.
Does your laptop support having two SSDs? This seems like the obvious solution. Just pull the second one before you leave.
It is easy to write a service to delete your swap file(s) before you suspend or shutdown. I’ve used my own service to sweep clean many different things like the browser cache, thumbnails etc etc when the computer was unattended.
That was really just more of an exercise to expand my knowledge of writing systemd services. You can do a lot with services once you’re familiar with how they work. I never really ran it for long because in the end I never had any fear that my data was in jeopardy from nefarious threat actors.
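One shape such a pre-suspend service can take, as an added example and not the poster's own unit: a oneshot ordered before sleep.target that overwrites each active swap file in place with shred, rebuilds the swap header and re-enables it. The script path, unit name and the choice of shred are assumptions; it must run as root and leaves swap partitions alone.

```shell
#!/bin/sh
# Added example, not the poster's own service. Run as ExecStart of a
# oneshot unit wanted by sleep.target so paged-out fragments of documents
# or keys are not left on disk while the laptop sits suspended.
# Assumed paths: /usr/local/sbin/swap-sweep.sh and
# /etc/systemd/system/swap-sweep.service (install with "swap-sweep.sh unit").

sweep_swap_files() {
    # util-linux swapon lists active areas; TYPE is "file" or "partition".
    # Partitions are skipped: use encrypted swap for those instead.
    swapon --show=NAME,TYPE --noheadings 2>/dev/null | while read -r name type; do
        [ "$type" = "file" ] || continue
        if ! swapoff "$name"; then
            echo "swap-sweep: swapoff $name failed (pages may not fit in RAM)" >&2
            continue
        fi
        # shred rewrites the file in place and keeps its size and extents,
        # which a btrfs swapfile (NOCOW, preallocated) must keep; one random
        # pass plus a zero pass. On an SSD this clears the filesystem view,
        # not necessarily every flash cell.
        shred -n 1 -z "$name"
        mkswap "$name" >/dev/null && swapon "$name"
    done
}

# Unit text: Before=sleep.target makes it run before systemd-suspend.service,
# WantedBy=sleep.target pulls it in on every suspend.
unit_text() {
    cat <<'EOF'
[Unit]
Description=Overwrite swap files before suspend
Before=sleep.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/swap-sweep.sh sweep

[Install]
WantedBy=sleep.target
EOF
}

case "${1:-}" in
    sweep) sweep_swap_files ;;
    unit)  unit_text ;;
esac
```

Write the unit text to the assumed unit path, then `systemctl enable swap-sweep.service`; the shred pass takes a while on a multi-gigabyte swap file, so size it to what you actually need.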
Of course, personal data can be anywhere if I deliberately store it outside of /home. It should also be clear that there are some in swap and /tmp. The OP has already dealt with the topic in more detail, so I didn’t think it was worth mentioning given the OP’s existing knowledge.
Instead of deleting @home entirely and creating a user with a non-standard home directory, consider full disk encryption as others suggested, and also getting in the habit of shredding personal files that are no longer needed on the OS drive. For example, I have: `alias shredx='shred -uvzn4' #powerful shred and delete`