Seeking Expert Advice for Securing My New Lenovo Laptop

I've happily used Linux Mint for many years. I recommend it for anyone who has some tech knowledge and is willing to learn. Buy a laptop with Linux Mint pre-installed. (I usually install Linux Mint on cheap refurbished laptops but that's not for beginners.) You could use it as a second computer and play with it until you are ready to make it your number one computer. Avoid dual booting because it adds complexity. Encrypting a whole disk adds complexity. You may wish to consider using a tool to protect only your key files on the hard drive. Anyway, you still don't want to risk loss or theft of your laptop. Even if your info is protected, replacing the laptop would be highly inconvenient and expensive.

Reality check: getting scanners to work with Linux was problematic and may still take extra effort though it is doable. That's why I also have at home an older Windows 10 desktop with scanner attached that I use occasionally for some purposes where Windows is easier. I use it less and less. It will be my last Windows computer. I will never upgrade to Windows 11 for reasons of both privacy and security.

My biggest step in minimizing reliance on Windows was selecting a personal financial software application for Linux to replace Quicken on Windows. I finally switched to Gnucash, which is acceptable for personal finance. Gnucash is a bit clunky for managing anything more than basic investments or a basic small business. For OCT readers, Gnucash handles multiple currencies well, much better than Quicken.
 
There's a disk encryption system that's been around for a very long time, but it never gained the popularity of VeraCrypt or TrueCrypt, which came before, and that's because it's not free.

It's a professional solution, I find in life you tend to get what you pay for. You can 'tune' the hash algorithm, iterations and parameters if you want as well.

It does full volume encryption - which is full disk encryption in plain English.

Company: Jetico
Product: BestCrypt Volume Encryption and BestCrypt Container Encryption, or the 'Suite', which contains both of them plus a couple of others.

Not free, they've been around a very long time and they really know their stuff.
 
OPAL SED is nominally good. But their firmware may be a problem, as we detected on our internal network used for IPMI management traffic apparently related to a certain vendor. Luckily, we don't use them for production servers.
Elaborate please: what vendors and exact models do you use, what kind of traffic did you see, and are you sure it was coming from the HDDs and not from other peripherals?
And are you sure it was not an infected (or backdoored straight from the factory) IPMI itself?

if interested I can recommend (don't know the forum rules whether I'm allowed to) an exceptional and affordable dedicated server (and other services) provider in the UK
please share.

As somebody (probably @0xDEADBEEF) already warned in another thread, you're trusting the hardware manufacturer here when it comes to potential back doors being implemented. This is something to consider and decide for yourself.
and the worst part is that Lenovo has a long history of installing backdoors...

@EliasIT I did not read the thread thoroughly and may possibly have missed it, but I did not see your threat model.
Please describe what you want to defend against and we might give you some better advice.
 
P.S. I do confirm some of the posts above: biometric auth is bulls**t; Lenovo is utter crap; Dell and HP, despite also being crap, are a little bit less shitty than Lenovo; you should use the native Microsoft Defender plus install a firewall, as a third-party firewall is much more important than a third-party antivirus;
and I will specifically quote this post as it gives the most correct information:
1. If someone has physical access to your computer and plans and wants to steal your data, they will. So best not to leave your computer unattended.
2. General rule of thumb is that Linux is best.
3. More secure almost always equals less comfort, so you have to understand the level of risk you're in, decide what you want and who you want to protect yourself from: ISP, government etc., or thieves and hackers…

He also said that generally iPhone + Mac is much better than Android and Windows, and that it is enough for most people with basic privacy settings.
(except the 2nd one, Linux sucks in terms of security and malware protection but if we start to discuss that it really will be the longest topic in OCT history; the Mac OS will perfectly do the job for the majority of users and uses)

@EliasIT I did not read the thread thoroughly and may possibly have missed it, but I did not see your threat model.
Please describe what you want to defend against and we might give you some better advice.

I think I found it:
Protection against strangers, hackers and others that would use a 5 minute window to access the laptop while I'm away.

If they target you specifically and your laptop is turned on, then you are fucked, no exceptions.
If they are just random thieves who might want to scan your drives for sweets before exchanging the laptop for drugs, then full disk encryption will save you. But FFS do not save the encryption key in the TPM, use a password.
 
It's going really well with the newly purchased hardware and all the great advice from this thread. I teamed up with an IT specialist to handle much of what I couldn't manage or understand and turn it into reality.

At this point, my laptop is as secure as it can be, with local backups stored on a NAS solution, which then sends data to a backup server with RAID 5 at a hosting center.

The drives are encrypted with BitLocker, the laptop has been cleaned of everything Lenovo-related and other unnecessary stuff. It's super fast, and everything is running smoothly.

The help and advice shared here have been incredibly useful.
 
First things first, debloat Windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11. There are a lot of other scripts, but this one did not break any useful system functionality for me.
This one is really good, thanks man. It removes tons of stuff from my PC and made it even faster. It also removed Skype, but I can reinstall it :D

Thanks a ton........
 
I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.

It’s coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!

What would you do first? Windows 11 is a must for me, unfortunately, I’m not a techie and can’t install Linux or anything like that.

My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I’ll be using NOD32 for antivirus and firewall protection.

But I’m sure all of this can be completely torn apart by the tech gurus here at OCT - I’d greatly appreciate your input!
Just ensure it didn’t go via Israel and you are good to go
 
Elaborate please: what vendors and exact models do you use, what kind of traffic did you see, and are you sure it was coming from the HDDs and not from other peripherals?
And are you sure it was not an infected (or backdoored straight from the factory) IPMI itself?

Sorry for late reply. Saw your post in another thread and remembered the SED question. Nothing much to say at this moment.

You may be right - we do assume that IPMI/iDRAC is not secure - for that reason, ethernet ports for LOM are disabled in ToR switches. Perhaps, the iDRAC itself has a trigger once SED is in system.

As our IPMI/fleet management network is a monitored and isolated one, we concluded that it may have been related to the SED drive - DELL 345-BFYY (Intel should be the OEM vendor) - as that is the only novel variable. The duty officers aren't script kiddies and I have confidence in their knowledge and abilities.

The server machine is a DELL EMC R960 with PERC H965i; iDRAC Enterprise, apart from HTTPS & SSH/SFTP, everything else referring to remote management was/is nominally disabled. The incident occurred during console sessions and after the O/S booted - while the LOM was active. Anyway, we're introducing that server machine into production and will have further tests. Will share the findings publicly once we confirm them.

One may interpret it as odd, as we still can't find anything while combing through docs and forums.

We might prefer SED in time to come considering the threat model - as the DEK & KEK are not passed through the CPU & RAM - but besides a confidence moment, there is another factor in play.

Notwithstanding the above, we are reluctant to implement SED in production as their deployment requires disabled UEFI secure boot, at least for the time being.

We use RAID 6 / 6 + 0, hypervisor Linux O/S w/ LUKS with encrypted boot volume and enabled secure boot.

Even if we adopt SED in production - if secure boot became available, we'll continue to enforce LUKS w/ encrypted boot volume.
 
This is a very interesting observation, I'm eager to see more details. Did you record any information about the traffic? A raw dump, or at least IP addresses and ports?
BTW I saw some network functions in the firmware of older PERC cards, don't know about this new model. maybe this was the source of that traffic?

LUKS with encrypted boot volume and enabled secure boot.
this is a good approach. I hope you've installed your own Secure Boot keys and use LUKS2 argon2id?

P.S. I would not trust any kind of a closed source and vendorlocked encryption such as SED anyway, highly likely it has backdoors.
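As an added example (not from the thread or any of its posters), a small POSIX shell check for the two properties the reply above asks about: a LUKS2 header and argon2id on every keyslot. It parses `cryptsetup luksDump` output read from stdin, the abridged sample dumps inside it are constructed, and the device path in the comment is an assumption.

```shell
#!/bin/sh
# Audit a LUKS header dump: require LUKS2 and argon2id on every active keyslot.
# Usage against a real volume (device path assumed):
#   cryptsetup luksDump /dev/nvme0n1p2 | sh luks_audit.sh
# Exit status: 0 = ok, 1 = LUKS1 header, no keyslots, or a non-argon2id keyslot.

luks_audit() {
    dump="$(cat)"
    # "Version:" line; LUKS1 only supports PBKDF2, so anything but 2 fails.
    version="$(printf '%s\n' "$dump" \
        | awk -F: '/^Version:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }')"
    if [ "$version" != "2" ]; then
        echo "FAIL: LUKS header version '${version:-unknown}'; LUKS1 supports PBKDF2 only"
        return 1
    fi
    # LUKS2 prints one "PBKDF:" line per active keyslot; count all and argon2id ones.
    slots="$(printf '%s\n' "$dump" \
        | awk '/^[[:space:]]*PBKDF:/ { n++ } END { print n + 0 }')"
    argon="$(printf '%s\n' "$dump" \
        | awk '/^[[:space:]]*PBKDF:[[:space:]]*argon2id[[:space:]]*$/ { n++ } END { print n + 0 }')"
    if [ "$slots" -eq 0 ]; then
        echo "FAIL: no keyslots found in dump"
        return 1
    fi
    if [ "$argon" -ne "$slots" ]; then
        echo "FAIL: $((slots - argon)) of $slots keyslot(s) do not use argon2id"
        return 1
    fi
    echo "OK: LUKS2, all $slots keyslot(s) use argon2id"
}

# Constructed, abridged luksDump outputs for offline testing (not real headers).
sample_luks2_ok() {
    printf '%s\n' 'LUKS header information' 'Version:        2' 'Keyslots:' \
        '  0: luks2' '    PBKDF:      argon2id' '    Time cost:  4' \
        '  1: luks2' '    PBKDF:      argon2id'
}
sample_luks2_mixed() {
    printf '%s\n' 'Version:        2' 'Keyslots:' \
        '  0: luks2' '    PBKDF:      argon2id' '  1: luks2' '    PBKDF:      pbkdf2'
}
sample_luks1() {
    printf '%s\n' 'LUKS header information for /dev/sdX2' 'Version:        1' \
        'Hash spec:      sha256' 'Key Slot 0: ENABLED' 'Key Slot 1: DISABLED'
}

sample_luks2_ok | luks_audit
```

On a volume that fails the check, the cryptsetup commands are `cryptsetup convert --type luks2` for a LUKS1 header and `cryptsetup luksConvertKey --pbkdf argon2id` for each keyslot still on PBKDF2.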
 

Yes, our IOC is recording everything on the management network. The historical parallel to those network functions and the fact that those SEDs were the only novel variable led to an assumption about a potential compromise.

As you know, an encrypted boot volume is a complicated approach - but it offers an unprecedented level of security.

Yes, that is the reason why we insist on SB. In our use case, the boot volume is encrypted with LUKS2 - not LUKS1 - on our Linux-derivative KVM hypervisor O/S.

Most probably, SED is not to be trusted as the only solution - for that reason, we insist on LUKS as well, for server or workstation.

Let's be a little bit more cautious not to go completely off-topic in this thread :cool:
 
No relationship to these guys aside from being a satisfied customer, but I'd probably start my search for a laptop here: Nova Custom Laptops

If you already have a laptop, you need to determine if you want the machine to be (1) Secure, (2) Private, or (3) Both. There are many commercial providers of "secure" technology solutions where the solution being offered is one where they are the only ones who reserve the right to profit off the data they harvest from you but attempt to prevent access by malicious actors. "Privacy" on the other hand should protect you from all intrusion.

If you must have Windows 11, you'll never have a "private" machine due to what Microsoft has built in at the operating system level but you can have a "secure" machine. The solutions for that have been outlined above.

If you want a private machine, you'll need to get a machine that offers it at the hardware level like the ones above, and then choose a non-Ubuntu Linux distribution and either air gap it, or then use some combination of a VPN and browser security tools without connecting to your home internet service.
 
Nova Custom Laptops
this is just yet another company that flashes Coreboot on laptops made by Clevo.

I've seen like a dozen companies doing the very same; how does Nova differ from System76, Viking Computer, ThinkPenguin and all the other "privacy friendly" resellers of Clevo?
Purism at least tries to build their own laptops, not simply resell the Chinese ones.
 