Overview

For the purpose of offline key generation and other operations that require an air gapped machine, the following procedures can be used to harden the system. In this example, the demonstration machine is a Thinkpad T Series laptop.

Comments on or additions to these procedures are welcome.

Checklist

BIOS

  • Power on the machine, enter BIOS (Thinkvantage button)
  • Config
    • Intel (R) AMT -> disabled
  • Security
    • Password
      • Hardware password manager -> disabled
      • Supervisor password - set and enable
      • Lock UEFI BIOS settings -> enabled
      • Password at unattended boot -> enabled
      • Password at restart -> enabled
      • Power on password - set and enable
    • Virtualization
      • Intel (R) Virtualization Technology -> enabled (optional)
      • Intel (R) VT-d feature -> enabled (optional)
    • I/O port access
      • Ethernet LAN -> disabled
      • Wireless LAN -> disabled
      • WiMAX -> disabled
      • Wireless WAN -> disabled
      • Bluetooth -> disabled
      • USB port -> disabled (optional)
      • Express card slot -> disabled
      • Ultrabay (HDD/optical) -> enabled (optional)
      • eSATA port -> disabled
      • Memory card slot -> disabled
      • Integrated camera -> disabled
      • Microphone -> disabled
      • Fingerprint reader -> disabled
    • Anti-theft
      • Intel AT module activation
        • Current setting -> permanently disabled
      • Computrace
        • Current setting -> permanently disabled

Physical

  • Remove camera/microphone module, cut leads
  • Remove WiMAX SIM card
  • Remove WiFi/Bluetooth NIC, cut leads
  • Epoxy unused ports
  • Secure chassis screws
  • Remove HDD

Usage

  • Temporarily enable the export method (e.g. USB) in the BIOS
  • Boot from a Live CD
  • Generate keys
  • Export keys
  • Disable the export method