OK let me tell you my story:<p>My Mac was stolen, and I used Find My Phone to lock it immediately. A week later, the thief opened the device, and sure, he can't access it.<p>After two weeks, I lost hope, sure I wouldn't be able to get it back, so I decided to activate the Eraser.<p>Just an hour ago, I received the notification that the device erasing process has started.<p>I lost my device and all my data but not my privacy. And I found on Apple support forums that the device will remain locked as long as it is still listed in my Find My Phone.<p>Now I'm planning to buy an x220 and get back to Linux. I was wondering how I can secure a Linux laptop and make it (somehow) harder for the thief to access my stolen device just like Apple did.<p>Do you have any experience with this? Do you mind sharing?
Long-time Ubuntu user here.<p>The solution to your problem is data encryption. On Linux, there are different levels of data encryption, whether you want to encrypt the whole hard drive or only the /home partition (where all of your private files will be stored).<p>The ArchLinux Wiki has a very detailed page [1] about all the available options for disk encryption.<p>Regarding Ubuntu, when you install it on your system, it will ask if you want to encrypt your /home partition [2] or your whole disk [3].<p>I got my laptop stolen in France last summer, and as much as this was a pain in the ass, at least I didn't have to wonder if the thief had access to my private data (photos, documents and the like) since the /home partition was encrypted. Hell, the thief probably had a WTF moment when (1) he discovered it was not a French version of Windows but an English version of Ubuntu running and (2) when he discovered it was a Taiwanese laptop with this keyboard layout [4]. Good luck selling that on the French black market :)<p>[1] <a href="https://wiki.archlinux.org/index.php/Disk_encryption" rel="nofollow">https://wiki.archlinux.org/index.php/Disk_encryption</a><p>[2] <a href="https://www.howtogeek.com/wp-content/uploads/2012/06/ximage83.png.pagespeed.gp+jp+jw+pj+ws+js+rj+rp+rw+ri+cp+md.ic.Q3l_7oXwbw.png" rel="nofollow">https://www.howtogeek.com/wp-content/uploads/2012/06/ximage8...</a><p>[3] <a href="http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16.04-Installation-Type.png" rel="nofollow">http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16....</a><p>[4] <a href="https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b.jpg" rel="nofollow">https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b....</a>
Sorry for your experience.<p>One standard approach is to set up full disk encryption. A common setup would encrypt every partition but your /boot partition, so a thief would be unable to access your system if it were powered off. (If you're especially cautious, you can do tricks to protect your /boot partition too, to guard against tampering, but that's beyond the scope of protecting against theft.)<p>The catch is if the thief steals your powered-on laptop, the system's still decrypted (meaning, the decryption key is still in memory). I'd guess locking your machine is a partial guard (and is what I rely on), but I'd be interested in learning if there's a better method of protection.<p>ArchWiki has a pretty good overview: <a href="https://wiki.archlinux.org/index.php/Disk_encryption" rel="nofollow">https://wiki.archlinux.org/index.php/Disk_encryption</a>. I'm happy to try and answer any questions you have.
Why an x220? That's a six-year-old device that predates many modern security features. Secure Boot isn't evil, works just fine with Linux, and TPMs are useful, too. But the most important thing to do is encrypt your drive, which you can do with an x220 just as well (just make sure you get one that supports AES-NI, I believe the ones with a Core i3 don't).<p>In any case, if you're coming from a MacBook, you're going to hate the x220's display. It's atrocious, with terrible colours and brightness. It's also a SATA2 device, so a modern SSD won't be able to reach anywhere near its full performance. Unless your budget is around $200 I wouldn't recommend such an old machine. But if you do go down that route, you might like r/thinkpad on reddit. Plenty of people there who mod these old devices and have advice on modernising them.
Side remark: All the methods exposed here require you to have a good password. In my case, I am using a Yubikey set with a single long fixed password on it + the normal password I can remember.<p>So, to log in/unlock, I type in my password, plug in the Yubikey and press the button. This ensures I have a really strong password.<p>Because if your password is "1234password", all the provided solutions are of no real use.
The interesting part in Apple's FileVault (plus UEFI password) is a Guest access called Safari Only Mode.
This mode starts a special macOS distro from the unencrypted boot partition and allows running only Safari.app (also Terminal.app). The main idea is that the thief logs in as Guest, connects to WiFi and you can locate your device in Find My Mac. But this mode just allows you to trace the device via IP geolocation, since the MacBook never had a GPS module like iPhones do, so this geolocation is not accurate enough and not useful. You will just see the city or district located from the ISP. The really useful information will be the WiFi AP MAC addresses (BSSID) located near the stolen MacBook. Having this information, you can quite accurately locate your stolen device and return it!<p>But I can't add my custom shell script into Safari Mode because of macOS SIP (System Integrity Protection), which I don't want to disable. Also, every major update overwrites changes on the boot partition.<p>I would appreciate any help with this project. My goal is to build some kind of Computrace for MacBooks that will be much more useful than the current Find My Mac.
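Added example, not part of the comment above or of any project it mentions: one way to collect the nearby BSSIDs that comment describes, on a Linux laptop rather than macOS. It assumes NetworkManager's `nmcli` is installed and parses a constructed sample of its terse output; the function names are hypothetical.

```python
# Constructed sample of `nmcli -t -f BSSID,SSID,SIGNAL device wifi list` output.
# In terse mode nmcli backslash-escapes ':' and '\' inside field values.
SAMPLE = "\n".join([
    r"AA\:BB\:CC\:00\:11\:22:CoffeeShop:78",
    r"AA\:BB\:CC\:00\:11\:33:Home\: 5GHz:41",
    r"AA\:BB\:CC\:00\:11\:44::55",  # hidden network, empty SSID
])


def split_terse(line):
    """Split one nmcli terse line on unescaped ':' and undo the escaping."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def nearby_access_points(terse_output, top=5):
    """Return the strongest access points as dicts, strongest signal first."""
    aps = []
    for line in terse_output.splitlines():
        parts = split_terse(line)
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guess
        bssid, ssid, signal = parts
        aps.append({"bssid": bssid.upper(), "ssid": ssid, "signal": int(signal)})
    return sorted(aps, key=lambda ap: ap["signal"], reverse=True)[:top]


if __name__ == "__main__":
    for ap in nearby_access_points(SAMPLE):
        print(ap["bssid"], ap["signal"], repr(ap["ssid"]))
```

The BSSID list is only the collection step; turning it into a position requires a Wi-Fi location database, which is outside this example.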
Have a look at <a href="https://www.preyproject.com/" rel="nofollow">https://www.preyproject.com/</a><p>Open source, cross platform.
Set up your Linux laptop's filesystems to use LVM and LUKS encryption, and just encrypt the whole darn thing. Works with hibernation, too. Here's Slackware's simple guide: <a href="http://ftp.slackware.com/pub/slackware/slackware-14.1/README_CRYPT.TXT" rel="nofollow">http://ftp.slackware.com/pub/slackware/slackware-14.1/README...</a><p>If you want to be super paranoid, add a keychain USB stick as a required key to decrypt the filesystem so you get 2-factor authentication.
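Added example, not part of any comment in this thread: a check that a running system matches the layout described in the comments above (everything on LUKS except /boot, including the swap used for hibernation). It parses `lsblk --json` output; the sample data is constructed, and the function name and the allowed-plaintext list are assumptions.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# (not from the thread): LUKS on sda2 with LVM inside, plus a stray plain swap.
SAMPLE = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
    "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [{"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member",
                       "mountpoint": None, "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
             {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}]}]},
        {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
    ]}]})

ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}  # assumption: only boot files may be unencrypted


def plaintext_mounts(lsblk_json, allowed=ALLOWED_PLAINTEXT):
    """Return (device, mountpoint) pairs that are in use but not on top of dm-crypt."""
    findings = []

    def walk(node, encrypted):
        # A node is protected if it or any ancestor is a dm-crypt mapping.
        encrypted = encrypted or node.get("type") == "crypt"
        mount = node.get("mountpoint")
        if mount and not encrypted and mount not in allowed:
            findings.append((node["name"], mount))
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return findings


if __name__ == "__main__":
    import subprocess, sys
    live = "--live" in sys.argv  # default: audit the constructed sample
    data = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout if live else SAMPLE
    for name, mount in plaintext_mounts(data):
        print(f"NOT ENCRYPTED: {name} mounted at {mount}")
```

The check sees block-level dm-crypt only: a home directory encrypted at the file level, or a self-encrypting drive, does not appear as a `crypt` device and will be reported as plaintext.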
Make sure you get a laptop with a self-encrypting SSD that supports TCG Opal. This will give you maximum speed sector-level encryption. Read this post on my nerd-blog: <a href="https://vxlabs.com/2015/02/11/use-the-hardware-based-full-disk-encryption-your-tcg-opal-ssd-with-msed/" rel="nofollow">https://vxlabs.com/2015/02/11/use-the-hardware-based-full-di...</a> (no ads, no referrals, really just info) which explains at a high level how SSD-based encryption works.<p>The open-source msed tool has now been renamed to sedutil, see <a href="https://github.com/Drive-Trust-Alliance/sedutil" rel="nofollow">https://github.com/Drive-Trust-Alliance/sedutil</a>, but it still works the same way.<p>It would still be possible for a sufficiently advanced thief to secure erase the drive (they need to know how to use TCG Opal to do that), but they will never see your data.
Choose a disk that supports Full Disk Encryption. Lenovo has this - <a href="http://www.lenovo.com/support/fde" rel="nofollow">http://www.lenovo.com/support/fde</a>. This way the encryption/decryption is done by the chip inside the HDD and there is no OS security issue that can compromise the data or performance hit on the main CPU. Don't forget to set the HDD password in the BIOS. Every time the system boots, it should ask you for the disk password as the first step. If it does not ask for the password, then you have not set it up right.<p>On the Linux OS itself, follow good personal security practices - use a strong password, use 2FA (see FIDO devices like YubiKey), disable unnecessary services, install software downloaded from trusted, well-reviewed sources only etc. If you did the HDD encryption above, there is no need to do filesystem encryption again in Linux.
The X220 comes with CompuTrace and Intel Anti-Theft, which provide the same features on Windows.<p>One big feature: They also backdoor any new Windows installations on the same device, so if your hacker wipes or removes your hard disk, his new replacement install will be bricked as well.<p>As such, step one will be hard disk encryption (as mentioned by others) so thieves can't access your data. Step two, if that's not enough for you, is activating either of the two anti-theft measures to brick the device if the hacker tries to reinstall Windows.
<a href="https://github.com/cgarduno1garduno/Macbook-Security/blob/master/README.md" rel="nofollow">https://github.com/cgarduno1garduno/Macbook-Security/blob/ma...</a><p>I found this issue a while back on MacBooks. I'll update my GitHub soon with more details and some images to demonstrate the process. I read this post and I figured I could whip something together and see what people think.
As long as you had FileVault enabled (& good password management), that's basically all you needed.<p>Without FileVault, you can totally still access the laptop and data. Sadly Macs do not have anywhere near the device protection that iPhones do - even the new ones. But data encryption is what you need.<p>You can do the same in the installer for Ubuntu Linux. I personally prefer the encrypt home directory option over the full disk option, but there are trade-offs.
My laptop was stolen last Friday.<p>I don't need to be concerned about the thief accessing sensitive documents as I set up full disk encryption (dm-crypt & LUKS) with this kind of scenario in mind.<p>The only negative I can think of is that I cannot make use of tracking software like Prey due to the entire drive being encrypted. A trade-off that I'm happy to live with.
Full Disk Encryption is the answer for you.<p>A side question (sorry):<p>So if you ever buy any Mac device, will wiping it (reinstall from USB disk) remove it from the Find My Phone system, or does the previous owner (if they set it up) keep the option of locking the device remotely and holding it to ransom?
I remember seeing apps that silently take photos with the webcam and upload them to a location only you can access, every time someone opens the laptop's lid and at regular intervals. May even be trivial to write such an app.
If remote wipe is not possible in Linux,
maybe we also need the feature to automatically "destroy all data" when the laptop hasn't been logged into for too long.
Can't comment on Linux - but curious if the location was discovered as well if the erase process had started? And if so, did you report it to the police?
Intel's management engine can do this sort of thing (at a level below the BIOS), but I think it can only be activated as part of enterprise tools.