
March 25, 2025


How to secure a laptop at the hardware level

Introduction

So, I was waiting for Stalker 2 to download (154 GB, btw, WTF!) while ADHD kicked in, and I had a new idea. I had an old laptop lying around that I wanted to do something with. This is when I got the idea of trying to make it as private and secure as possible.

I already have some experience with privacy-focused operating systems, having used both Qubes OS and Tails. Now, I wanted to explore what I could do at the hardware level to upgrade my old laptop's security.

The goal of this post is to create a simple guide on how to set up a cheap and old laptop that could be thrown out without fear in the most secure way possible. However, this is still an entry-level guide. There is no need to flash a new BIOS or solder anything. The goal is to keep it simple. I plan on doing a more advanced and detailed guide later on, but this one has been sitting in my draft folder for too long.

In this guide, we’ll mostly go from one hardware component to the next, thinking about what we can do to improve security at each step.

💡 Disconnect the battery first

Removing the disk

When thinking about the disk, I think there are three choices:

  • Security: Remove the disk entirely from the laptop and operate the OS from an external disk or USB drive.
  • Deniability: Keep the disk in the laptop but install only random, non-sensitive files and programs. Avoid using it for your “secure” operating system.
  • Simplicity: Use the integrated disk as the main operating system disk while using full disk encryption.

For my specific use case and threat level, I chose to remove the disk entirely for two key reasons:

  1. If I want a disposable laptop, I don’t want to have to reinstall the disk setup every time (as in Setup 2 or 3).
  2. I do not want to take any chances with logs or data being saved on the disk (as in Setup 2).

This means that we will need to use an operating system installed on an external USB, disk, or SD card. But first, if this is your only computer, you might want to install your operating system of choice on the external disk. For that, I would recommend the official Tails guide (here) or the Qubes one (here). See the later chapter “OS choice” for which OS I chose and why.

Certain laptops might have the disk soldered to the motherboard, in which case this is out of the scope of this simple tutorial, as I don’t have any such laptops to experiment with.

If that is not the case, then you probably just have to open the back of your laptop and remove the disk. How it looks will depend on the type of disk inside. For me, there was only a 2.5" disk that was easily removed.

Removing the camera and microphone

Most laptops have the microphone and webcam wired together. In my case, I just had to remove the screen bezel by slipping something between the screen and the back of the laptop. After that, I found myself lucky because the mic and webcam could be disconnected by removing a simple ribbon cable at the top of the screen. If yours is not like that, you could either try to find the cable on the motherboard and disconnect it, or straight up cut it.

As a simpler alternative, you might be able to disable both the webcam and the mic in your BIOS. My most modern laptop does have this option. This is not that bad as an alternative, because one would need access to your BIOS to reactivate the mic and webcam, which seems pretty secure to me.

Also, if you remove your mic, you might want to remove or disconnect your speakers too. Those could technically be used as microphones. This applies if you have an extreme threat level; for most people I don’t think this should be a threat.

OS choice

Here I have two main choices I would consider if your goals are security and privacy:

  • Tails -> Ideal when you want to leave no trace after use
  • Qubes OS -> Easier to use for complicated tasks and ideal if you want to keep your configuration, apps, and files after a reboot. However, Qubes OS requires a laptop with a significant amount of RAM (at least 16GB) due to its use of virtual machines. While RAM is cheap nowadays, your old laptop CPU might not support adding a lot of RAM. If you choose Qubes OS, you might want to consider using one of those expensive, purpose-built laptops from brands like Purism, NovaCustom, or System76, which often come with Intel ME disabled.

For a more detailed breakdown of these two operating systems, I would advise doing your own research, as they are quite opposites in how they work, the objectives they pursue, and the threat models they serve.

Anti-Tampering

I will explore here some methods that can be used to protect your laptop from being opened or at least warn you if it happens. This can prevent unauthorized modifications or backdoors from being installed on your laptop while it is away.

The most common method, which even some laptop manufacturers now provide as an option, is to paint the screws of your laptop with glitter. Each glitter pattern is completely unique and cannot be reproduced, making it a simple and trustworthy visual indicator of compromise. However, the downside of this method is that it makes opening the laptop more difficult in the future.

To make hardware modifications and routine hardware checks easier, you might want to try a different approach. I believe a better way to do it is to follow Mullvad's recommendation, here, which involves putting stickers over the screws and then painting the borders of those stickers with glitter. This approach makes tampering with your laptop easier to detect while still allowing for easier access when needed.

After applying the glitter, you should take high-definition, top-down photos of each screw. These photos should then be cryptographically signed. This allows you to compare the original images with the current state of the screws to check for any signs of tampering. You can do it visually or use a tool such as mine (warning: GitHub link).
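The signing step protects the reference photos themselves: a fresh photo never matches byte for byte, so the comparison with the screws stays visual, but the references must be provably the ones you took. The following is an added example, not the tool linked above; it uses HMAC-SHA256 from the Python standard library as a stand-in for the signature (a detached GnuPG signature over the same manifest would serve the same purpose), and the file names, key and helper names are assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _tag(digests: dict, key: bytes) -> str:
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(photo_dir: Path, key: bytes) -> dict:
    """Hash every reference photo and authenticate the list of hashes."""
    digests = {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
               for p in sorted(photo_dir.glob("*.jpg"))}
    return {"photos": digests, "tag": _tag(digests, key)}


def verify_manifest(photo_dir: Path, manifest: dict, key: bytes) -> list:
    """Return the problems found; an empty list means the references are intact."""
    if not hmac.compare_digest(_tag(manifest["photos"], key), manifest["tag"]):
        return ["manifest tag invalid"]  # manifest edited, or wrong key
    problems = []
    for name, digest in manifest["photos"].items():
        path = photo_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            problems.append(f"modified: {name}")
    return problems


def demo() -> tuple:
    """Constructed sample: two stand-in 'photos', then one reference is swapped."""
    key = b"constructed demo key; keep the real one off the laptop"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "screw_1.jpg").write_bytes(b"constructed image bytes 1")
        (d / "screw_2.jpg").write_bytes(b"constructed image bytes 2")
        manifest = build_manifest(d, key)
        before = verify_manifest(d, manifest, key)
        (d / "screw_2.jpg").write_bytes(b"swapped reference photo")
        return before, verify_manifest(d, manifest, key)
```

Store the manifest and the key away from the laptop; a copy kept on the machine being checked can be replaced along with the photos.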

Wi-Fi and Bluetooth

For more advanced threat levels, I would also recommend removing the Wi-Fi and Bluetooth cards from your laptop and using only Ethernet, with or without an external router. Bluetooth is a significant source of vulnerabilities. While Wi-Fi vs. Ethernet can be more of a SIGINT consideration, it’s worth noting that Wi-Fi MAC addresses can be, and often are, spoofed by operating systems. In contrast, I believe it is much more difficult to change the identifiers of an Ethernet card.

Kill-Switch

If you are using Tails, you will only need a lanyard for this step. If you are using a disk with Qubes OS, you might need both a lanyard and a USB key. Simply plug your USB key into your computer and attach it to the lanyard. If you are running Linux, you can easily create a small script (or use one from GitHub) that will shut down your computer and encrypt the persistence when the peripheral is removed. The lanyard ensures that if you are forcibly separated from your computer, it will automatically shut down, keeping your disks encrypted at rest and/or losing persistence in the case of Tails.
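One way to write the small script mentioned above, as an added example rather than code from this post or from any GitHub project: it polls Linux sysfs for the USB key's vendor/product ID and powers the machine off once a key that was present disappears. The function names, the IDs and the fake sysfs tree in `demo()` are assumptions made for illustration.

```python
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")  # Linux sysfs view of attached USB devices


def usb_present(vendor: str, product: str, root: Path = SYSFS_USB) -> bool:
    """True if a device with this idVendor/idProduct is attached right now."""
    for dev in root.glob("*"):
        try:
            got = tuple((dev / f).read_text().strip().lower() for f in ("idVendor", "idProduct"))
        except OSError:
            continue  # interface nodes carry no ID files; a device can vanish mid-read
        if got == (vendor.lower(), product.lower()):
            return True
    return False


def poweroff() -> None:
    subprocess.run(["systemctl", "poweroff"], check=False)  # keys leave RAM at power-off


def watch(vendor, product, root=SYSFS_USB, action=poweroff, sleep=time.sleep, max_polls=None):
    """Arm when the key is first seen, then call `action` once it disappears."""
    armed, polls = False, 0
    while max_polls is None or polls < max_polls:
        if usb_present(vendor, product, root):
            armed = True  # never fire before the key was plugged in at least once
        elif armed:
            action()
            return True
        polls += 1
        sleep(0.5)
    return False


def demo() -> list:
    """Constructed fake sysfs tree; the 'key' is pulled during the first sleep."""
    fired = []
    with tempfile.TemporaryDirectory() as tmp:
        dev = Path(tmp, "1-2")
        dev.mkdir()
        (dev / "idVendor").write_text("abcd\n")  # constructed IDs, not a real device
        (dev / "idProduct").write_text("1234\n")
        watch("ABCD", "1234", Path(tmp), lambda: fired.append("poweroff"),
              lambda _: shutil.rmtree(dev), max_polls=5)
    return fired
```

For real use, call `watch()` with the IDs that `lsusb` reports for your key and run it as root, for example from a systemd service.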


Leet
i[a]sy.st
I’m ██████████ █████, a ██ years old working at ████████ ███████████.