Installation of safer operating system

Hey folks

Looking for some help/reassuring really.

About 6 months ago i used the Installing a safer operating system guide by Patrick, part of which requires installing whonix.

When installing, I opted for the installing it on the internal hard drive of the laptop, and using an encrypted USB stick as a ‘key’ to start the while system up.

My question is this:

If the laptop belonged to my workplace, and I returned it WITHOUT the usb stick, would the I.T department be able to access any of the information on the hard drive?

I also had the BIOS password protected, but I’ve been called in regarding the laptop on Monday morning, and fair to say, I’m shitting myself. I had kali linux, and a whole other range of ‘penetration tools’, as well as viruses and guides etc etc.

It is not very clear to me. What guide are you talking about? Could you provide a link? Is the laptop internal hard drive encrypted? If yes, how was it encrypted?

If the hard drive is NOT encrypted, then of course anybody with physical access to the laptop can access the hard drive content. I can’t see how you could prevent that if it is not encrypted.

EDIT: are you talking about this guide?

Yes that’s the one I was talking about

Did you encrypt the laptop hard drive?

I followed every step in the guide

The guide only supports full disk encryption. So my bet is that if you followed the guide faithfully, your laptop internal hard disk should be fully encrypted. Which means, no one can access it and read its content without the right passphrase, unless you chose a stupidly easy passphrase that could be easily bruteforced.

When you used the laptop, did you remember having to enter a passphrase just after the bootloader screen (GRUB)? Something like this (screenshot taken from a previous version of the guide):

If yes, then you have nothing to fear if your passphrase was strong enough.

EDIT: the guide is not available anymore here

but a previous version involves replacing the passphrase by an encrypted keyfile located on the /boot partition of your USB key, which is supposed to be even more secure.

Hi there, yes when I booted the laptop, I had to enter a passphrase which I created using 14 words with random Uppercase and numbers

That guide was written by Tempest, not Patrick. Patrick is the lead developer of Whonix, the guide Tempest wrote is independent of the Whonix project. In the 6 months since you used the guide, quite a bit of the guide – Email configuration etc – has been added (or is in the process of being added) to the Whonix wiki. This is all thanks to Tempest, for writing the content and allowing it to be added to the wiki and torjunkie, for transcribing, formatting and editing it.

Normally I would say you will be OK but the problem is I.T may have installed software on the laptop that you don’t know about. Accessing the laptop would require the pass phrase (or encryption key) but its not out of the realm of possibility that there is some software on there that could sniff and store those for an I.T. admin. Then the admin can retrieve those at a later date. I’m not sure how likely that would be for your company but something similar to that could be possible.

It will take about 10 seconds to reset the password once they have access to the motherboard. Most have a little switch that resets the bios password.

Apologies for crediting the wrong person, I do apologise. I’m silently hoping there isn’t software on there, I did wipe it before installation though?

No worries. :wink:

It would be very unlikely that there is. So don’t sweat it. Some companies monitor their employees activities when using company owned electronic devices. So its something to think about the next time you have use of a company laptop.

Smart thing to do. You may also want to consider other employees may have used that laptop. God knows what they did with it. BIOS could have been infected with malware etc. Wiping hard drive alone would not help. I would be very cautious about putting anything personal/sensitive on a computer not owned by yourself.

  1. The whole point of encryption is to make it extremely costly to decrypt without the secret key.

  2. Given that the laptop belongs to your employer, they may be able to make it extremely costly for you not to decrypt the contents voluntarily.

You’ll need to contact legal experts in your jurisdiction for advice.

1 Like