Be grateful for any ideas about this.
I'm responsible for the laptop of a not very technical person. The laptop has all kinds of sensitive personal information on it, and the owner travels around the UK; it gets left in a suitcase in the luggage shelves at the entrance to train carriages, and gets carried around in a luggage trolley on the underground and buses. So I have tried to find some way of securing it that is not too onerous.
What I came up with is to have an encrypted partition, and to have the really critical files on an encrypted USB stick that is carried separately. It's running Linux Mint. There are shortcuts to the USB files on the desktop, but of course they only work when the USB stick is inserted and mounted.
This works, and I think it's pretty secure, but it does involve the user in keying in long secure passwords several times.
So recently I came on instructions in anonguide. These are meant for installing Whonix. But the first part of them seems to be adaptable to my case.
What you basically do is install Debian on an encrypted hard drive, putting the /boot folder on a USB stick. You set it up with a passphrase, and then after the installation is complete, you make an encrypted keyfile, move it to the stick, and delete the passphrase.
The idea is that the machine will only boot using the stick (I suppose you clone it, to be safe) and will use the very long and secure keyfile to decrypt.
I am not clear why you need to create a passphrase at all if it's going to be deleted. And another oddity is that there seems to be only a root and swap partition. I am of course used to having a separate /home partition like everyone. But I can find my way through these things.
The rest of the long anonguide manual goes on to talk about installing Whonix and Tor, which isn't part of my problem. My user is not bothered about anonymity, just wants not to have to worry about having a machine stolen which is fairly readily accessible with all kinds of personal info on it.
The potentially nice thing about this method is that you just insert the stick and boot and log in. No more messing with repeatedly typing in long and hard to remember passphrases.
What do you all think about it? Have you tried this? And how do you secure laptops?
Al
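
The passphrase-then-keyfile sequence described in the post, as an added example that is not part of the original post or of the anonguide instructions. It assumes the encrypted install is LUKS managed with cryptsetup and uses a plain random keyfile rather than the encrypted keyfile the guide describes; the function names and any device or keyfile paths passed in are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: replace a LUKS passphrase with a keyfile without locking
# yourself out. Assumes LUKS + cryptsetup; function names are hypothetical.

# Write 4096 random bytes to $1, readable by the owner only.
make_keyfile() {
    ( umask 077; head -c 4096 /dev/urandom > "$1" )
}

# Enroll keyfile $2 in a free key slot of device $1. cryptsetup first asks for
# an existing passphrase (tty or stdin): only a current key can authorize a
# new one, which is why the install starts with a passphrase at all.
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Succeeds only if keyfile $2 unlocks device $1; nothing is mapped or mounted.
keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Remove the passphrase slot, but only once the keyfile is proven to work.
# cryptsetup reads the passphrase to be removed from the tty or stdin.
retire_passphrase() {
    if ! keyfile_unlocks "$1" "$2"; then
        echo "keyfile does not unlock $1; passphrase kept" >&2
        return 1
    fi
    cryptsetup luksRemoveKey "$1"
}

# Typical order on a real system (run as root, paths are placeholders):
#   make_keyfile /path/on/stick/keyfile
#   enroll_keyfile /dev/<luks-partition> /path/on/stick/keyfile
#   retire_passphrase /dev/<luks-partition> /path/on/stick/keyfile
```

Keep a copy of the keyfile (or a cloned stick) somewhere safe before retiring the passphrase, since afterwards the keyfile is the only way into the volume.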