Hi all, we are hiring a remote worker and will be supplying a laptop to them. The laptop will be running a Debian variant of Linux on it.

We are a small shop and this is the first time we have entrusted somebody outside of our small pool of trusted employees.

We have sensitive client data on the laptop that they need to access for their day-to-day work.

However, if something goes wrong, and they do the wrong thing, we want to be able to send out some kind of command or similar, that will completely lock, block, or wipe the sensitive data.

We don’t want any form of spying or tracking. We are not interested in seeing how they use the computer, or any of the logs. We just want to be able to delete that data, or block access, if they don’t return the laptop when they leave, or if they steal the laptop, or if they do the wrong thing.

What systems are in place in the world of Linux that could do this?

Any advice or suggestions are greatly appreciated? Thank you.

  • Tobias Hunger
    link
    fedilink
    191 month ago

    If you find a reliable way to allow for people to use data without being able to copy it: Patent it right away, the entertainment industry will be paying big time for it.

    Same for erasing the laptop: You can only erase something as long as you can talk to the machine in some way to instruct it to clean itself up. The guy with the machine in hand can just turn off wifi to stop it from receiving the message…

    • Max-P
      link
      fedilink
      71 month ago

      That’s why I focused on platform security. You can’t fully eliminate the possibility, but you can make it as hard as possible to pull off. TPM+dm-verity is to make it hard for the user to even look at how it works and prevent filesystem modifications that would give them root access to intercept the key loading mechanism.

      The part where the laptop continuously check and refreshes the key is to address the second part about just turning off WiFi: make it so if you do that, you have N hours to break the system open before it reboots itself and you’ve lost access to the key for good. This can also depend on hardware-backed checks like TPM measurements and signature, to make sure the data key is only handed over to the expected environment.

      It’s the same fundamental principles as Android and Play Integrity: use the security processor to attest the state of the device before the server agrees to send you stuff over. It’s been worked around via leaked keys mostly because Google is lenient for older devices, but the actual secure enclave hasn’t been broken yet.

      The point is for the security to hold long enough the key’s gone before they can get it, and without the key the laptop is effectively wiped. That’s plenty for the overwhelming majority of “employee got fired and is pissed off and wants to retaliate”, and the best that can be done without going remote desktop/VDI.