Travel (Linux) laptop setup

The Linux Foundation Open Source Summit is happening in Beijing next week, and some of the topics I've had to cover in my capacity as "the security person" were from members of the IT staff asking my advice about the best strategy for bringing laptops and being able to do work while in China. This is a quick write-up covering my recommendations that others can hopefully benefit from. It is not too China-specific and can be used for any other international conference travel.

China's special case

China is not signatory to the "Personal Use Exemption" when it comes to encrypted devices, so bringing a laptop with encrypted hard drive with you is not technically legal. If the border officer does not like you for some reason and has grounds to suspect you are not being truthful about your stated reasons for entering China, you may be asked to decrypt your devices for a search. Failure to do so may result in unpleasantness, and you may be detained or fined merely on the grounds of having an encrypted device when entering the country. (As opposed to, for example, entering a country that is signatory to the personal use exemption, where just having an encrypted device is not grounds for any action. That said, it is never in your interest to make the border officer not like you for some reason. Until you are admitted to the country as a legal alien, the Geneva Convention and the Universal Declaration of Human Rights are pretty much the only legal frameworks protecting you as a person against foreign government action.)

It is important to point out that you are extremely unlikely to be penalized for bringing in an encrypted laptop with you to China, as any kind of widespread zealous application of such practice would quickly shut down any business travel to China -- and this is definitely not in the government's interest.

Easiest: bring a ChromeBook

My simplest recommendation when going travelling is to buy or loan a ChromeBook. ChromeOS has some of the best boot-level and runtime security protections on the sub-$1000 market, and will perform most of your computing needs admirably.

ChromeOS user storage is encrypted, so the best course of action is to do a full "factory wipe" of the ChromeBook and only set it up after crossing the border -- except this doesn't work very well in China where Google is pretty much unusable. One option is to log in to your account, set up a VPN service that is reliable in China (ExpressVPN has a good record), and then do a full shut down before you cross the border. Note that merely logging in to your ChromeBook will create an encrypted user storage directory, so if you want to be 100% compliant with the "no encrypted devices" policy, you don't want to do this.

The other option is to find someone at the conference who has already set up VPN and ask them to share a wifi hotspot with you, allowing you to set up your Chromebook. I am also told that foreigners' mobile roaming traffic is not subject to filtering, so tethering via your mobile phone (with a non-Chinese SIM card) is also an option for setting up your ChromeBook, but may be expensive depending on your roaming data plan.

Perform a factory wipe again before crossing the border on your way home. Then, depending on your level of paranoia, give the ChromeBook away to what is likely to be a very thankful kid/student, or keep it for future travel.

Chromebook and ssh

If you need to be able to use SSH during your trip, you will need to install the Secure Shell Chrome extension. You can import your keys or generate a new keypair just for travelling, and use it to access a trusted "jumpserver" that will act as your "$HOME away from home."

If you do set up such jumpserver for yourself, I also highly recommend setting up Mosh on it and installing the Mosh for Chrome client that will allow you to much better withstand shaky conference/hotel networking -- I'm yet to travel to a technical conference where wifi is good for any ssh work that isn't an exercise in frustration.

Setting up a ssh jumpserver

I recommend picking a cloud provider that offers VM hosting in the general geographical area where you will be travelling and picking the smallest VM they offer. All you'd need is ability to ssh in and run some basic shell apps (plus mosh). Having this jumpserver located close to where your conference is taking place will help reduce some of the latency you are likely to see.

If you are going to China, then AWS Singapore, Rackspace Hong Kong, or Packet Japan should be good candidates for such a jumpserver. I heartily recommend using Packet, as their pure-hardware hosting will mean that your ssh keys (or PGP subkeys, see below) aren't floating in the hypervisor RAM alongside other VM tenants.

If Chromebooks aren't good enough for you

If you are not comfortable with a ChromeBook or can't use one for some reason, you can bring a loaner laptop or get a cheap lightweight netbook just for travel. Since our IT team has a strong requirement that all our SSH keys must be stored on PGP smartcards, I can't actually use ssh on Chromebooks, so I have a cheap Acer netbook that cost me $350 back in 2013 that will continue to serve me until it falls apart (I'm afraid not for much longer).

Here's my strategy when travelling internationally.

  1. Before you leave, download and prepare your favourite distro's install media. Test that you can still use it by reinstalling your laptop (without choosing to encrypt your disk if you're going to China). This is an important step that lets you make sure that your hardware is still good and is supported by the install media you are bringing with you -- and also because you do not want to travel with a laptop you cannot boot on demand. Seriously, you do not want to tell the border officer that your laptop cannot be booted because this will look extremely suspicious and guarantees bad time. Have it installed and configured to the point where you can use wifi and bring up a browser (in fact, "can I still use wifi" should be part of your install test before you leave).

  2. Prepare your travelling home directory plus an ansible (chef/puppet/salt/whatnot) playbook that will quickly configure your system for how you want it post-install. If you're old-school, just write a shell script full of dnf install and cp foo.conf /etc commands.

  3. Tar up your travelling home directory (with the above playbook in it) and symmetrically encrypt it using a good long passphrase:

    gpg2 -c home.tar.xz
    (you will be prompted for the passphrase)
  4. Upload the resulting home.tar.xz.gpg file into some public location where you'll be able to get it over the web once you arrive to the conference. It doesn't matter where, since it's encrypted -- as long as it's accessible from your target country. You may want to rename the file to conference-slides.ppt depending on how paranoid you are. :)

  5. Bring your fully bootable laptop and distro installation media with you on the trip.

  6. Once you're at the conference, fully reinstall your laptop (with disk encryption this time), then download your symmetrically encrypted homedir file and decrypt/untar it into /home:

    gpg2 -d conference-slides.ppt > home.tar.xz
    (you will be prompted for the passphrase)
    tar xf home.tar.xz
  7. Run your playbook script to get your system quickly configured for how you need it.

  8. Reinstall the laptop again before you head out (you can even do this at the airport while you wait to board your flight home). You want to get it to the point where you can boot it up for the border crossing officer, should they ask you to do it.

Again, depending on your level of paranoia, once you get back home, you can either sell or give away that laptop or keep it until your next international travel.

Using short-lived PGP subkeys for travelling

It is a good idea to keep your master PGP key away from your travel laptop. I recommend keeping your PGP subkeys on a smartcard device like NitroKey Pro (open-source) or a Yubikey (proprietary), but if this is too much hassle for you, you can also create temporary short-lived subkeys that you can store directly on your laptop and use to sign your emails or git tags while you are travelling.

To do so, just follow the Debian Subkeys guide and when you create the subkey using the addkey command, set up the expiration date shortly after you expect to return home (not on the exact date your flight is scheduled to get back, but a week or two past that just in case you get delayed). You should only need to create a Sign (S) key, as attempting to use short-lived Encryption (E) keys will be frustrating both to you and people you'll try to communicate with.

Make sure you upload your updated key to the keyservers, otherwise nobody will be able to verify the signatures created with your temporary subkey:

gpg2 --send-keys YOURKEYID

Follow the procedure described in the Debian wiki to copy ONLY your temporary subkey to your travel laptop (or into the encrypted directory tarball you are preparing).

If you are taking a ChromeBook with you and are setting up a jumpserver (see above), you can use this procedure to put your temporary Signing subkey onto it as well, just in case you need to send signed email or sign some git tags.

Laptop use while at the conference

Best recommendation is to always keep your laptop within your reach and never leave it unattended -- especially in your hotel room. If you have SecureBoot or other boot-time security protections (as offered by ChromeBooks, for example), then you might consider leaving your laptop at your hotel unattended if you see no other option. After all, there are easier ways of gaining access to your secrets than physically defeating SecureBoot (and attackers who want that bad enough can usually afford to send operatives to some location where you least expect it).

If you are done with your laptop for a while, remember to fully shut it down and not suspend to RAM -- especially if you do leave it unattended.

Pay especial attention to any browser warnings or any reported key mismatches while you're using your system. The wifi network at technical conferences is an attractive target for attackers, as it would allow stealing a lot of valuable secrets at once. Malicious attacks on the conference wifi have happened in the past and will likely happen again in the future.

Do set up VPN and do use it, as it will help mitigate some of the local wifi attacks, but this comes at the cost of extra connection instability.

In conclusion

I understand that this is way too paranoid for most people (and not nearly paranoid enough for some others -- as I like to say, IT security is just like driving on the highway in the sense that anyone going slower than you is an idiot, and anyone going faster is clearly a maniac). Whether this guide is of any use to you is entirely your call, but I hope I gave you some good ideas to help secure your digital life next time you are away from the comfort of your home or office.