[guardian-dev] Fwd: NitroPad: Secure Laptop With Unique Tamper Detection

Abel Luck abel at guardianproject.info
Wed Mar 4 09:11:36 EST 2020


Looks like the NitroPad X230 just got Qubes certification! Congrats to
Nitrokey.

https://www.qubes-os.org/news/2020/03/04/nitropad-x230-qubes-certification/

My old Librem only accepts 16GB RAM, and it is very very difficult to
use it as my daily development workstation. 32GB is also a practical
minimum for me when running so many VMs.

I'm not traveling as much these days, so my desktop is working fine.
Would definitely snap up a Nitrokey model with 32GB+ RAM though,
especially if it was Qubes certified. I'd definitely prefer buying from
a "local" EU vendor.

~abel

Devrandom:
> Agreed, ergonomics are definitely not top-notch, and I hope there's an
> iteration that improves things.  However, for development and Qubes I
> need 32GB.  That, together with the freedom aspect trumps other
> considerations.
> 
> On Thu, Jan 16, 2020 at 2:29 AM Hans-Christoph Steiner
> <hans at guardianproject.info> wrote:
>>
>>
>> I hear you, and I've heard similar things from others. Fairphone is in a
>> similar boat.  I think we need to compare apples to apples here: what
>> Nitrokey, Librem and Fairphone are trying to do is important, no other
>> providers are doing those things better.  Things like:
>>
>> * true free software support
>> * hardware switches
>> * repairability
>> * conflict-free minerals
>>
>> .hc
>>
>> Abel Luck:
>>> I have a Purism Librem v3 (the 13" model) and I have to say I am not
>>> very happy with it.
>>>
>>> From a privacy pov, it's nice. ME can be disabled manually. The hardware
>>> switches are very handy. Rather than ship binary blobs for the Bluetooth
>>> driver, they left that feature out, not compromising. Which I like.
>>>
>>> However from an ergonomics/usability pov, I am quite dissatisfied. When
>>> I say the keyboard is bad, I'm not a keyboard snob. It truly is just a
>>> bad keyboard, I really dread having to go on the road and use the
>>> keyboard for any length of time. The trackpad quality is also very low.
>>>
>>> Also the laptop comes with a USB-C port, which is basically useless as
>>> it doesn't support Thunderbolt, which means no adapter for ethernet or
>>> external displays. Waste of a port!
>>>
>>> I wouldn't buy another Librem :/
>>>
>>> That NitroPad looks interesting, but the deal breaker for me is the
>>> 1366x768 px screen. So small! 1920x1080 is the minimum I would ever get
>>> in a laptop again.
>>>
>>> ~abel
>>>
>>> Devrandom:
>>>> This is a Lenovo.  The Purism laptop goes to 32GB and has hardware kill
>>>> switches.  It also has secure boot with the Nitrokey and the TPM option,
>>>> but I didn't try it (yet).
>>>>
>>>> On Wed, Jan 8, 2020 at 4:19 AM Hans-Christoph Steiner <
>>>> hans at guardianproject.info> wrote:
>>>>
>>>>>
>>>>> Looks like quite a nice laptop setup for privacy:
>>>>>
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject: NitroPad: Secure Laptop With Unique Tamper Detection
>>>>> Date: Tue, 7 Jan 2020 10:25:13 +0100
>>>>> From: Nitrokey <info at nitrokey.com>
>>>>> Reply-To: Nitrokey <info at nitrokey.com>
>>>>> To: Hans-Christoph Steiner <hans at guardianproject.info>
>>>>>
>>>>> Deutsche Übersetzung ist hier:
>>>>>
>>>>> https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/d891PlpQflj763CzcTeLrLCQ/2drgzRE7oneOhHNyMnMe8g
>>>>>
>>>>> Dear Nitrokey supporters!
>>>>>
>>>>> Do you think your computer hardware is secure? Can you rule out that in
>>>>> your absence no one has manipulated your computer? In a world where
>>>>> most users do not have any real control over their hardware and have to
>>>>> blindly trust the security promises of vendors, NitroPad unlocks a
>>>>> refreshingly new security experience. NitroPad X230 [1] is significantly
>>>>> more secure than normal computers. With NitroPad, you'll have more
>>>>> control over your hardware than ever before while maintaining ease of use.
>>>>>
>>>>> Features
>>>>>
>>>>> Tamper Detection Through Measured Boot
>>>>>
>>>>> Thanks to the combination of the open source solutions Coreboot [2],
>>>>> Heads [3] and Nitrokey USB hardware, you can verify that your laptop
>>>>> hardware has not been tampered with in transit or in your absence
>>>>> (so-called evil maid attack). The integrity of the TPM, the firmware and
>>>>> the operating system is effectively checked by a separate Nitrokey USB
>>>>> key. Simply connect your Nitrokey to the NitroPad while booting and a
>>>>> green LED on the Nitrokey will show that your NitroPad has not been
>>>>> tampered with. If the LED should turn red one day, it indicates a
>>>>> manipulation.
>>>>>
>>>>> Deactivated Intel Management Engine
>>>>>
>>>>> Vulnerable and proprietary low-level hardware parts are disabled to make
>>>>> the hardware more robust against advanced attacks.
>>>>>
>>>>> The Intel Management Engine (ME) is some kind of separate computer
>>>>> within all modern Intel processors (CPU). The ME acts as a master
>>>>> controller for your CPU and has broad access to your computer (system
>>>>> memory, screen, keyboard, network). Intel controls the code of the ME
>>>>> and severe vulnerabilities have been found in the ME enabling local and
>>>>> remote attacks. Therefore ME can be considered as a backdoor and has
>>>>> been deactivated in NitroPad.
>>>>>
>>>>> Preinstalled Ubuntu Linux With Full-Disk Encryption
>>>>>
>>>>> NitroPad ships with a preinstalled Ubuntu Linux 18.04 LTS [4] with
>>>>> full-disk encryption. Ubuntu is one of the most popular, stable and
>>>>> easiest to use Linux distributions. Switching from Windows to Linux has
>>>>> never been easier.
>>>>>
>>>>> Optional: Preinstalled Qubes OS For Highest Security Requirements
>>>>>
>>>>> Instead of Ubuntu Linux, on request you can get your NitroPad with
>>>>> preinstalled Qubes OS 4.0 [5] and full-disk encryption.
>>>>>
>>>>> Qubes OS enables highly isolated working by means of virtual machines
>>>>> (VM). A separate VM is started for each application or workspace. This
>>>>> approach isolates applications and processes much more than conventional
>>>>> operating systems. Qubes OS keeps your system secure, even if a
>>>>> vulnerability has been exploited in one of the software applications
>>>>> used. Example: If your PDF viewer or web browser has been successfully
>>>>> attacked, the attacker cannot compromise the rest of the system and will
>>>>> be locked out once the VM is closed.
>>>>>
>>>>> In addition, separate virtual workspaces can be used, such as an offline
>>>>> workspace for secret data and an online workspace for communication.
>>>>> NitroPad with Qubes OS is technically similar to SINA clients (for
>>>>> governments), but remains transparent thanks to open source. Qubes OS is
>>>>> for users who want maximum security.
>>>>>
>>>>> Keys Under Your Control
>>>>>
>>>>> All individual cryptographic keys are generated directly on the NitroPad
>>>>> exclusively during installation and are not stored by us. However, all
>>>>> individual keys can be replaced by you. Unlike "Secure Boot", the keys
>>>>> for securing the operating system remain under your control and do not
>>>>> depend on the consent of the vendor.
>>>>>
>>>>> Nitrokey USB Key Included
>>>>>
>>>>> NitroPad comes with a Nitrokey Pro 2 [6] or a Nitrokey Storage 2 [7].
>>>>> Their security features include for example email encryption (PGP,
>>>>> S/MIME), secure server administration (SSH) and two-factor
>>>>> authentication through one-time passwords (OTP). The Nitrokey Storage 2
>>>>> additionally contains an encrypted mass storage with hidden volumes.
>>>>>
>>>>> Professional ThinkPad Hardware
>>>>>
>>>>> Based on Lenovo ThinkPad X230, the hardware finish and robustness meet
>>>>> professional quality standards. The famous ThinkPad keyboard with
>>>>> background lighting and TrackPoint allows comfortable working. The used
>>>>> laptops have been refurbished.
>>>>>
>>>>> Out-of-the-Box User Experience
>>>>>
>>>>> With NitroPad, you don't need to take care of opening the hardware
>>>>> casing to flash the BIOS chip, installing and configuring Linux, or
>>>>> pairing the Nitrokey Pro/Storage. We do this work for you. The Nitrokey
>>>>> is already configured with your NitroPad so that it can be used for
>>>>> tamper detection without any further configuration effort.
>>>>>
>>>>> Security Conscious Shipping
>>>>>
>>>>> To make it more difficult to intercept and manipulate your NitroPad, the
>>>>> NitroPad and the Nitrokey USB key can be shipped in two separate
>>>>> shipments if desired.
>>>>>
>>>>> Use Cases
>>>>>
>>>>> For Everyone
>>>>>
>>>>> NitroPad enables you to detect hardware tampering. For example, if your
>>>>> laptop is being inspected while crossing the border or if you leave your
>>>>> device unattended in a hotel or during travelling, you can check the
>>>>> integrity of your NitroPad with the help of the Nitrokey.
>>>>>
>>>>> For Enterprises
>>>>>
>>>>> NitroPad can serve as a hardened workstation for certificate authorities
>>>>> and other use cases requiring high-security computers. On business
>>>>> trips, the NitroPad protects against evil maid attacks while the
>>>>> computer is unattended in a hotel or baggage.
>>>>>
>>>>> For Governments
>>>>>
>>>>> Governments can use NitroPad to protect themselves against advanced
>>>>> persistent threats (APT) without relying on foreign proprietary technology.
>>>>>
>>>>> For Journalists
>>>>>
>>>>> If you as an investigative journalist are serious about protecting your
>>>>> confidential sources, NitroPad helps you get there.
>>>>>
>>>>> NitroPad X230 is now available in our Online Shop [1].
>>>>>
>>>>> More details are available in the product factsheet [8].
>>>>>
>>>>> Kind regards,
>>>>> your Nitrokey team
>>>>>
>>>>> [1] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/jZaFd1lbEdmWO6EYOcLzDQ/2drgzRE7oneOhHNyMnMe8g
>>>>> [2] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/YFe1znalGDB8Ua763Ggu9RKw/2drgzRE7oneOhHNyMnMe8g
>>>>> [3] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/cZ8CHlfV3cxRZgMwQJk6fQ/2drgzRE7oneOhHNyMnMe8g
>>>>> [4] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/UXFKS892rBzNshvgAM3iX7Sw/2drgzRE7oneOhHNyMnMe8g
>>>>> [5] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/D8RUORLEDmVGkJAOqOZ12w/2drgzRE7oneOhHNyMnMe8g/
>>>>> [6] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/3NM892YvQl3nQBfzax83fVdg/2drgzRE7oneOhHNyMnMe8g
>>>>> [7] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/892ZG8927tvGnlab4KjZMl8lQg/2drgzRE7oneOhHNyMnMe8g
>>>>> [8] https://sendy.nitrokey.com/l/DYw4PK9oeKpCQ4HCJ3sHVA/ITDgVP8lO6ZSALVagGX892vw/2drgzRE7oneOhHNyMnMe8g
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>> To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>
>>>>
>>>>
>>>
>>
>> --
>> PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
> 
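
A simplified model of the measured-boot tamper check described in the forwarded newsletter, added here as an illustration and not code from this thread, Nitrokey or Heads. It assumes the USB key verifies an RFC 4226 one-time code derived from a secret that a TPM releases only when the boot measurements match; the class names, the SHA-256 register, the stage names and the secret are all constructed for this example.

```python
import hashlib, hmac, struct

# Constructed sample data: boot stages as byte strings, and a demo shared secret.
GOOD_CHAIN = [b"coreboot-stage", b"heads-payload", b"kernel+initrd"]
TAMPERED = [b"coreboot-stage", b"heads-payload-MODIFIED", b"kernel+initrd"]
SECRET = b"constructed-demo-secret"

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(chain) -> bytes:
    pcr = bytes(32)  # the register starts at all zeroes on reset
    for component in chain:
        pcr = extend(pcr, component)  # order matters; earlier stages cannot be undone
    return pcr

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ToyTPM:
    """Hypothetical stand-in: releases the secret only for the sealing-time register value."""
    def __init__(self, secret: bytes, good_pcr: bytes):
        self._secret, self._good_pcr = secret, good_pcr
    def unseal(self, pcr: bytes):
        return self._secret if hmac.compare_digest(pcr, self._good_pcr) else None

class ToyToken:
    """Hypothetical stand-in for the USB key: same secret, own counter, LED colour out."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0
    def check(self, code):
        expected = hotp(self._secret, self._counter)
        ok = code is not None and hmac.compare_digest(code, expected)
        if ok:
            self._counter += 1  # advance only on success so both sides stay in sync
        return "green" if ok else "red"

def boot(tpm: ToyTPM, token: ToyToken, chain, counter: int) -> str:
    """Measure the chain, try to unseal, and let the token judge the resulting code."""
    secret = tpm.unseal(measure(chain))
    return token.check(hotp(secret, counter) if secret else None)
```

The token never sees the firmware itself; a changed stage alters the register, the secret stays sealed, and no valid code can be produced.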

