Hi all, we are hiring a remote worker and will be supplying a laptop to them. The laptop will be running a Debian variant of Linux on it.
We are a small shop and this is the first time we have entrusted somebody outside of our small pool of trusted employees.
We have sensitive client data on the laptop that they need to access for their day-to-day work.
However, if something goes wrong, and they do the wrong thing, we want to be able to send out some kind of command or similar, that will completely lock, block, or wipe the sensitive data.
We don’t want any form of spying or tracking. We are not interested in seeing how they use the computer, or any of the logs. We just want to be able to delete that data, or block access, if they don’t return the laptop when they leave, or if they steal the laptop, or if they do the wrong thing.
What systems are in place in the world of Linux that could do this?
Any advice or suggestions are greatly appreciated? Thank you.
I’m not the most up to speed on TPM’s, but does it have the capability to directly do network access in order to pull the key? Otherwise, you’re going to need the regular OS to get it to the TPM somehow, in which case that’s the weak link to pull the key instead of ripping it from the TPM itself.
And once they have the key once, how do you enforce them having to re-request it? Is there a reason that that point they couldn’t just unplug from the Internet (if even necessary) and copy the entirety of that drive/partition somewhere else?
No, that’s why signed kernel+initramfs+LUKS+dm-verity: protect the boot process all the way into userspace where you do have network access. From there you can request the TPM signs messages with a preloaded key it will only allow using it if you went through the whole secure boot process. It’s exactly what Android does with Play Integrity and the strong integrity flag.
That way you can prove to the server that the computer is still secured and untampered with up to that point, which means the script that deals with the periodic checkin should be running untampered as well. If you’ve secured down the Linux install appropriately, it should be impossible for the user to gain enough privileges to request the key again from the TPM or extract the data key out of the mounted filesystem. That also means you can trust the system to block mounting any drives, force VPN on, make sure your MDM runs, all that stuff.
You can reset the BIOS, boot from USB, all that stuff still, but then it would also wipe the TPM and so the OS no longer bootable, and obviously no signed TPM messages either so even if you find the script and how it works, at that point you don’t have the ability to sign the messages so the server won’t give you the data partition’s key either. The moment you tamper with it, it breaks the trust chain and the keys are gone. Can’t flip a single bit on the system and boot partitions without the checks failing.
It’s not bulletproof, some laptops you can sniff the TPM bus in minutes due to design flaws, but in theory as long as the hardware holds it’s pretty secure. And obviously you can always just take a picture of the screen, no avoiding that. But it puts enough hurdles it’ll stop most opportunistic exfiltration. One bad move and you wipe the keys, so you better know exactly what you’re dealing with or you have one embarassing and incriminating email to write to IT to have them reprovision the keys.
Ah, gotcha, I was thinking more in terms of software attacks than hardware, and that some vulnerability would come up at some point for them to get root access, at which point I think they’d be able to get the key one way or another. I’d imagine it also depends on how locked down the system can be based on the nature of their duties; arbitrary internet access makes shipping it off somewhere a bit easier. Another consideration would be that the drive could also be imaged, and if the key were ever recovered at a later date through whatever method/mistake/etc. the entirety of the data could be recovered.
But, yeah, definitely agree that that’s all moving well outside the bounds of disgruntled/opportunistic employee and more into the persistent adversary realm.