For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?
I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.
Keep your OS updated, make regular backups, use full-disk-encryption, and nuke and pave whenever things get cluttery. You’ll be alright.
Were it me and I just went through a TSA screening and they took it and returned,… I may nuke the laptop.
If I had that sort of threat model and let the government get their hands on my computer, I would never trust the hardware again. Too many components with their own SoCs containing firmware blobs where an exploit could lurk and reinfect even after a ‘nuke.’ GPUs, disk controllers, WiFi chips, etc.
A partial solution to this evil-maid attack vector is Heads firmware (a replacement for the bios/uefi itself), which lets you sign the contents of your unencrypted boot partition using a gpg key on a hardware token, and verify the integrity of the firmware itself using a totp/hotp key stored in the tpm.
All the benefits of secure boot, but you get to control the signing keys yourself instead of relying on a vendor. It’s great stuff.
this is exactly what i was looking for.
If someone can plant a camera somewhere that they can see your keyboard, they can probably obtain your password.
