I need to create a boot that is “air gapped”. Meaning, it never connects to the internet, nor could it ever.
Prior to Librem hardware, I didn’t think this was possible, without a stand-alone computer dedicated to the task. But with a Librem hardware key to protect the Bios, and with the hardware switch is it possible now?
If I partition the drive, and install an OS, that never connects to the internet while booted to that drive, do I have the same level of protection as an air-gaped computer?
Is there any way key logged data on the OS could get leaked out to the network once booted to another OS that boots?
verify that the hardware switch actually, physically disconnects power to the network card
use the hardware switch every time you boot
then that should provide almost the same level of protection as airgapping.
In a highly unlikely, but theoretically possible, scenario, software could mount and write to your other OS’s partition. A sophisticated enough attack could schedule an upload for the next time you boot your second OS.
The way around this is to encrypt each partition separately. Your OS1 partition would have a different password than your OS2 partition. Also, any storage media used on the “pseudo-airgapped” OS couldn’t be used on any other non-airgapped OS, which includes your non-airgapped OS2. Even if you take these pains, malware on OS1 could conceivably write to unallocated space on your hard drive, which malware on OS2 could then read.
To combat that option, you could physically switch out your hard drive between OS’s. That leaves the issue of undocumented chips on the board which could be storage devices. You’d need to go through every chip on the motherboard - including x-ray scanning to make sure there’s not a chip embedded in the PCB - to make sure there wasn’t such a device hidden on the motherboard. Somewhere else on the forums, this process has been estimated at tens of thousands of dollars.
So, TL;DR: No if you’re ever going to turn the hardware switch back on, even on another OS, or Yes if you always keep it off no matter what.
Even though pureboot protects you quiet well it does not hinder anybody to use your boot partition to exchange data with your “air-gapped partion”.
While running your connected OS it is possible to attack your other encrypted partition containing the “air-gapped partition”. Relevant is that LUKS stores the (one and only) encryption key in a well known place. To attack that key would be very much more efficient extracting the encrypted encryption key and only some data to check (partition headers are also well known plain text) and process it outside your computer.
In the end there are probably a good number of alternative methods to overcome that “not-really-air-gap” we couldn’t think of yet and that will be found by your enemy the evil genius.
Depending on your use case it might be enough getting some SBC that does not contain any wireless or ethernet port or at least make sure by hardware (ethernet covered by case, case made from metal to prevent bluetooth or wifi) that it won’t be able to connect.
The simplest approach would be to remove the bottom screws on the Librem laptop and disconnect the WiFi card. If you combine that with an OS like Qubes that isolates USB devices to their own VM, even an attacker who shows up at the computer w/ a USB WiFi or ethernet card wouldn’t be able to get it to connect to a network as long as the desktop environment was locked. (A regular desktop Linux OS might helpfully try to set up a USB ethernet card automatically if someone inserts it, even when the desktop is locked.)
You could go a step further and paint the center bottom screw of the laptop w/ glitter nail polish (like we do with our anti-interdiction service) and take a picture of it, to frustrate an attacker who might try to remove the bottom case to add a WiFi card.
I read this as: “I want to use the same hardware for a connected and an ‘air-gapped’ computer”.
My answer is focused on the situation that you, @Emily, want to run a dual boot system. Is that what you meant?
@Kyle_Rankin, I understand your post in a way that you make suggestions to convert a Purism notebook into the possibly best air-gapped computer running one system. In your scenario the notebook never gets connected to the internet and is a single boot system.
It’s possible I missed something in the question. I was describing how to use a Librem laptop as a stand-alone air-gapped system. Making an air-gapped system dual-boot, with one side talking to the Internet, does defeat a lot of the protections from true airgapping.
I suppose if you do want to be somewhat less secure, you could use Librem hardware running PureBoot and Qubes to approximate it, but Qubes also warns against dual-booting to protect the Qubes system from vulnerabilities in the other system you boot.
That said, having PureBoot protect the shared /boot and the boot firmware, along with using encrypted root partitions, would make it much more difficult for an attacker to persist an attack, especially one that would cross to a different OS. So you might be able to get away with having Qubes be your “airgapped” system by isolating all of the network devices to the sys-net VM and configuring the rest of the VMs to not use any VM for network so you can leave sys-net powered off.