Laptops, privacy and airport security

June 22, 2013

Ever run into a situation where the security guys at an airport want access to your laptop? Well, I have not, but I have heard that some people have. That is, the security guys expect you to disclose your password to them, and if you do not, you will not pass security. Even if you have “nothing to hide”, it may be an awkward situation when somebody is watching your home videos or private photos. For your security, of course.

There are a couple of ways to avoid these situations. One, and definitely a safe way, is to keep all sensitive data on network storage that is accessible only through an encrypted network connection. Thus, your travel laptop is always “clean” and it is not a problem to let somebody explore it. Once you are at your destination, you can download the data over the network.

However, the problem is that network connections are limited. Especially when travelling, Wi-Fi hotspots or UMTS/LTE connections may be rather slow for downloading gigabytes of stuff. Hence, another option is to keep all sensitive data encrypted, and of course to hide those encrypted partitions/disks to such a degree that a random security guy at the airport cannot find anything suspicious.

Step-by-step example (Linux/UNIX-like operating systems)

  1. Partition your hard disk: create a relatively small partition where you can install the main operating system (e.g. /dev/sda1) and leave the rest of the disk for encrypted data (/dev/sda2).
  2. Do a normal OS installation on the first partition. Do not use the second partition for anything and do not auto-mount it.
  3. Fill the second partition with random data:
       dd if=/dev/urandom of=/dev/sda2
  4. Now bind /dev/sda2 to a loop device through encryption:
       losetup -e aes /dev/loop0 /dev/sda2
  5. Now you can create a filesystem on /dev/loop0, mount it manually and use that device as “safe data storage”:
       mkfs.ext4 /dev/loop0
       mount -t ext4 /dev/loop0 /home/foobar/data

Now everything on device /dev/sda2 is encrypted, even the filesystem.

I prefer to do the whole operation in such a way that it is not traceable afterwards. It is recommended to store virtual machine images in your encrypted space instead of plain files. When you need your “sensitive data”, just boot the corresponding virtual machine and access the files. Otherwise some log file will probably reveal that you have opened/read files that do not exist.

The main purpose of this idea is to keep the encrypted area “hidden” so that the computer seems to contain nothing interesting. Of course, an advanced user will easily find out that you have a partition full of random data, but it is very difficult to prove that it is actually an encrypted partition instead of just random data if there are no password prompts during the boot process and no log files indicating that you have accessed that partition.
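What the "advanced user" check mentioned above looks like in practice, as an added example that is not part of the original post: a per-block Shannon entropy scan over a constructed sample image, assuming 4 KiB blocks and that never-written space reads as zeros. It locates the random-filled region, but entropy alone cannot tell ciphertext from plain /dev/urandom output.

```python
import math
import os
from collections import Counter

BLOCK = 4096      # bytes per analysed block (assumed; a common filesystem block size)
THRESHOLD = 7.5   # bits/byte; random or encrypted 4 KiB blocks score about 7.95


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_extents(image: bytes, block=BLOCK, threshold=THRESHOLD):
    """Return [(start, end)] byte ranges of consecutive high-entropy blocks."""
    extents, start = [], None
    for off in range(0, len(image), block):
        hot = shannon_entropy(image[off:off + block]) >= threshold
        if hot and start is None:
            start = off                      # a high-entropy run begins here
        elif not hot and start is not None:
            extents.append((start, off))     # the run ended at this block
            start = None
    if start is not None:                    # run reaches the end of the image
        extents.append((start, len(image)))
    return extents


def build_sample_image() -> bytes:
    """Constructed 3-region image: text-like data, zeroed space, random fill."""
    os_part = (b"root:x:0:0:root:/root:/bin/sh\n" * 600)[:4 * BLOCK]
    unused = bytes(4 * BLOCK)        # assumption: never-written space reads as zeros
    filled = os.urandom(8 * BLOCK)   # stands in for the dd-filled /dev/sda2
    return os_part + unused + filled


if __name__ == "__main__":
    img = build_sample_image()
    for start, end in high_entropy_extents(img):
        print(f"high-entropy extent: bytes {start}-{end} ({end - start} bytes)")
```

On a real disk the same scan would be run over a read-only image of the device rather than an in-memory sample.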

I am not saying this is a perfect system: the sensitive data is temporarily stored in RAM and possibly also in swap space. But I believe that this might help people pass airport security without revealing personal data. Even if the “suspicious partition” is detected, they cannot be sure whether it is really an encrypted partition or just unused space.
