Hi all, I am planning on buying a 13.3 - 15.6 laptop that I will specifically use for running qubes, and containing lots and lots of highly sensitive files.
I will also be using tor allot, and for me the main things I care about is being able to get my setup as secure as possible. Things i've thought about so far; OPAL SED SSD for HW based drive encryption. (Second FDE ofcourse) USB PGP-Key for authentication and stuff., also contains (hidden) storage. Keypad encrypted USB for hardware encrypted USB with bootfiles/keyfiles etc. Now for the laptop itself; Is TPM worth it? Im hearing mixed opinions... Also, I definately do not want to put all my eggs in one basket, so would using TPM be possible in a way that it is just one of several parts of the whole security-chain ? I would hate it if someone has a TPM backdoor and compromises my whole system that way, any way to design something with 2 or better yet; 3 way authentication ? What about the processor and bios? Are there any secure/open bioses that work with recent intel processors? As for the processor; are the SGX and other new features that skylake CPU's offer any good? Would it be possible to make use of these features in Qubes? If not, what processor would you guys recommend? I guess Intel right? Are there any laptops out there that have onboard security-hardware that offers any real solid security benefits? I've read allot of posts from Joanna where she kinds of debunks the Cortex M-3 security chip, so I am wondering; are there any other chips like these that are truly open source, and really add some security? What kind of laptop comes to mind when I'm asking for this kind of features? I'm having a very very hard time finding a laptop that I can setup in a way that would make me feel truly secure. I hope you guys can share some advice on these matters. P.S. I'm using the PGP-key stick, and USB-keypad-usb as my "extra security-weapons" are there any other reliable open source hw-security devices out there that you guys would recommend? Would it be possible to add say some biometric security hardware and then have the full disk encryption work in such a way that 3 way authentication would be needed ? Also, we have the software based full disk encryption, and also the HW based OPAL full disk encryption, even though I trust the software based one the most, I would still like to also maximize the security of the samsung SED based one. Would it be possible to have 3-way authentication for both, while having unique keys each? What would be the best way to implement 3-way authentication? Most people advise me on using the combined output of all 3 hw keys, maybe even with some mechanism which unlocks a keyfile or something like that. But to me these things sound like they are not really thought trough; there has to be a better way to implement 3-way (or even 2 way) authentication, at-least for the software based FDE, and maybe even for the samsung OPAL one , right ? Also, what would you guys recommend me to use as encryption method? LVM-LUKS won't let me encrypt the boot partition, and it wont really allow me to use 2-way authentication aswell. What would be the best way to go about encrypting my drive using the hardware available? (PGP-key, USB-keypad, "addyourown" I really hope we can start a discussion on these topics that will lead to a general what-should-I-buy advice when one wants maximum security from COTS hardware, and open software. - HQE -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/a9ec006c-b2b0-4b99-8573-9db5a237cab5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
