03 Nov 2017

For the past nine months, I have been engaged with work. I have not had a chance to complete my Kinetis Deep Dive series, but I do intend to write more articles on this topic shortly.

In a couple of weeks, I will be traveling abroad. As someone who pays attention to tech news, I am concerned by recent reports by people who have been asked for laptop login credentials by customs officers during border crossings. While I have nothing to hide, I also firmly believe in the right to privacy. Unfortunately, in certain countries, it is illegal to refuse to provide passwords and keys when lawfully demanded by authorities. This is even true in certain federal court districts, where case law has favored the right of the state to demand this information without warrant. Suffice it to say that this does not sit well with me. However, how can I effectively defend what I believe to be a perfectly reasonable desire to not turn over my personal files to the state?

My plan is to take a special “travel” laptop with me abroad. This laptop runs the latest version of OpenBSD with full disk encryption. In order to ensure that I cannot be compelled to turn over the encryption key for this laptop, I travel with this laptop completely shut down. The only way to boot this laptop is with an external hardware key, which is not in my possession during border crossings. Instead, when I arrive at my destination, I’ll have a friend send me an electronic copy of this key, which I will decrypt and then burn to hardware. As an added benefit, when I am not in physical proximity to my laptop, I can remove the key and carry it with me. If my laptop is stolen or if someone attempts to physically access my laptop when I am elsewhere, they will see a hard drive full of seemingly random gibberish.

The first step in this process was to find a sacrificial laptop running a copy of Linux with a GRUB bootloader. On it, I partitioned a USB thumb drive with an MBR and a single partition taking up the full disk. I created this as an OpenBSD data partition, but I honestly don’t think the partition type matters so much for this. I downloaded the latest OpenBSD full installation ISO, which I then copied to this partition using dd. In this case, the laptop assigned the USB thumb drive to /dev/sdb, so the first partition is /dev/sdb1:

sudo dd if=install62.iso of=/dev/sdb1

I then rebooted into GRUB, and hunted around to find the ramdisk kernel. Dropping down to the GRUB command-line, I set the root to the USB thumb drive, and then told it where to find the OpenBSD kernel:

set root=(hd1,1)
kopenbsd /6.2/amd64/bsd.rd
boot

From here, the OpenBSD kernel will boot with the ramdisk file system. This will start the installer. I type dvorak, so I’ll start the installation process long enough to change the keyboard layout, and then enter ! at the next prompt to break out to the root shell. The very first thing we want to do is fill the entire laptop hard drive with random data. This will make it harder for forensic investigators to find out how large the filesystem images are on the disk, which will make it harder to find purchase for breaking into the system.

dd if=/dev/urandom of=/dev/rsd0c bs=1m

Grab some coffee, as this will take a while…

Next, we want to create a boot record for this hard drive.

fdisk -iy sd0

Next, we create a RAID partition for this hard drive. Internally, OpenBSD uses its software RAID driver (softraid) to perform full disk encryption.

disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> z
> a a
offset: [1024] 
size: [500117105]
FS type: [4.2BSD] RAID
> w
> q
No label changes.

Before continuing, we are going to need to make more device nodes. OpenBSD’s ramdisk has a minimal number of nodes predefined. The following command sequence solves that:

cd /dev
sh MAKEDEV sd1
sh MAKEDEV sd2
sh MAKEDEV sd3
cd /

Now, we need to initialize the key drive. In this case, I am using a microSD card and a simple tiny microSD-to-USB adapter that fits on my keychain. When I arrive at my destination, I can purchase a microSD card at any electronics store, and then proceed to recreate this key. For now, we need to create the initial key. As before, we make use of fdisk and disklabel to do the heavy lifting. In my case, the microSD USB adapter shows up as /dev/sd2. We want to create a 1 megabyte RAID partition for the key.

fdisk -iy sd2
disklabel -E sd2
Label editor (enter '?' for help at any prompt)
> z
> a a
offset: [1024] 
size: [3910593] 1m
FS type: [4.2BSD] RAID
> w
> q
No label changes.

Now, we will use bioctl to initialize both the keydisk and the encrypted hard drive. The -c C option indicates that we wish to implement a crypto discipline, -k sd2a sets up the first partition on sd2 as our key partition, and -l sd0a sets up the RAID partition on sd0 as our encrypted volume.

bioctl -c C -k sd2a -l sd0a softraid0
softraid0: CRYPTO volume attached as sd3

Finally, we can exit the shell and continue with installation to sd3.

exit

There are plenty of articles on how to install OpenBSD from this point forward. Just treat the encrypted volume as the main installation disk. The initial bootup will be slow, because the boot loader has to load the kernel from the encrypted drive. Once the kernel is loaded into RAM, however, the bootup sequence should only take a few seconds on modern hardware. Once satisfied that OpenBSD is installed and boots correctly, I tried removing the encryption key. The boot loader was not able to load the kernel, and I was stuck at the loader prompt. This is precisely what I wanted. I now have a mechanism to render this laptop completely inoperable just by pulling out a small microSD card.
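The plan depends on recreating the keydisk at the destination from an electronic copy, a step the post does not show. The following is an added example, not the author's own procedure: it images the key partition with a checksum and refuses to trust a restored card until the read-back matches. The function names and any device paths (for example /dev/rsd2a) are assumptions, the new card is assumed to be partitioned with the same fdisk and disklabel steps as above, and encrypting the image for transfer is left out.

```shell
#!/bin/sh
# Added example: back up and restore a softraid keydisk partition with verification.
# SRC/DST may be raw partitions (e.g. /dev/rsd2a, an assumption) or regular files.

# Print the SHA-256 of stdin as bare hex (sha256sum on Linux, sha256 on OpenBSD).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else sha256; fi |
        awk '{print $1}'
}

# keydisk_backup SRC IMG: copy the key partition to IMG and write IMG.sha256.
keydisk_backup() {
    src=$1; img=$2
    # The image is key material: create it readable by the owner only.
    ( umask 077; dd if="$src" of="$img" bs=512 2>/dev/null ) || return 1
    hash_stdin < "$img" > "$img.sha256"
}

# keydisk_restore IMG DST: verify IMG, write it to DST, then read back and compare.
keydisk_restore() {
    img=$1; dst=$2
    want=$(cat "$img.sha256") || return 1
    # Refuse to write anything if the image was damaged in transit.
    [ "$(hash_stdin < "$img")" = "$want" ] || { echo "image corrupt" >&2; return 1; }
    size=$(($(wc -c < "$img")))
    [ "$size" -gt 0 ] && [ $((size % 512)) -eq 0 ] ||
        { echo "bad image size" >&2; return 1; }
    dd if="$img" of="$dst" bs=512 conv=notrunc 2>/dev/null || return 1
    # DST may be larger than the image: hash only the sectors just written.
    got=$(dd if="$dst" bs=512 count=$((size / 512)) 2>/dev/null | hash_stdin)
    [ "$got" = "$want" ] || { echo "read-back mismatch" >&2; return 1; }
}
```

A failed read-back means the new card cannot be relied on to unlock the volume, so it is worth checking before the original key is out of reach.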