Hi, I'm considering a safe laptop like NovaCustoms, NitroPad and so on.
I'm considering adding Heads, my question is: I don’t like depending on a device to decrypt a drive.
Does anyone know how to set it up so you don’t need the device to decrypt the drive? The drive is a portable drive that is already encrypted, I don’t want to do anything about that, that’s just already set. So how do I integrate this drive in the Heads valid status check and also do not require the Heads device to decrypt it? I just want the check to see that nothing was tampered with. And I need to add two different portable drives that I use with the laptop. There’s this tutorial but it says something about encryption so I think this setup is to require the USB device to decrypt.
I don’t get it. You cannot use Heads with a portable USB drive? Why not?
If I plug the same drive on the same computer, then the check status would be the same.
If you unplug and plug something on the USB Heads detects it as tampered with? That is just annoying. I need to use a portable USB, because important data must be accessible fast, and a portable USB drive is better than depending on carrying the entire laptop if there is an emergency of sorts for instance. Plus if you want to cross an airport or something it’s better to carry the drive in your pocket than have the laptop and then they force you to decrypt the laptop which I have heard before.
Heads does an integrity check of your BIOS/heads as well as your /boot/ partition and can then optionally unseal your disk decryption key based on the results (the latter step can be opted out from via dialogs during setup).
I’m not sure whether it supports having the /boot/ partition on an external drive - I never tried that.
IIRC they don’t load USB drivers for security reasons, so possibly no.
If you just wish to keep some data (i.e. not /boot/) on an external drive, heads sure doesn’t need that drive to continue.
It’s also debatable whether you need /boot/ on an external drive as it is integrity checked via heads anyway and if the check fails and you suspect tampering you can restore /boot/ from public sources by reinstalling the OS (assuming heads was still OK and you don’t need to replace the entire machine).
Btw there was another thread on airport security with various suggestions in the past.
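The separation described in the reply above (an integrity check over /boot/ that works without unsealing or entering any disk key), as an added example that is not part of the thread and is not Heads code: it records SHA-256 hashes of a boot directory and later reports modified, missing and added files. The function names, the temporary directory standing in for /boot/ and the file contents are constructed assumptions.

```shell
#!/bin/sh
# Added illustration, not Heads code: names and file layout are assumptions.

# make_manifest DIR OUT: record a SHA-256 for every file under DIR.
# OUT must live outside DIR so the manifest does not hash itself.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_manifest DIR MANIFEST: print each deviation, return 1 if any was found.
# Only file contents are read; no disk-encryption key is involved at any point.
verify_manifest() {
    dir=$1 manifest=$2 status=0
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum < "$dir/$path" | cut -d' ' -f1)" != "$want" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    # Files that appeared after the manifest was written.
    # Manifest lines are 64 hex digits + 2 separator chars, so paths start at column 67.
    added=$( (cd "$dir" && find . -type f | LC_ALL=C sort) | while IFS= read -r p; do
        cut -c67- "$manifest" | grep -qxF -- "$p" || echo "ADDED $p"
    done )
    [ -z "$added" ] || { echo "$added"; status=1; }
    return "$status"
}

# demo: constructed stand-in for /boot/ in a temp dir, then three kinds of change.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/boot/grub"
    echo "kernel image v1" > "$t/boot/vmlinuz"
    echo "initrd v1" > "$t/boot/initrd.img"
    echo "linux /vmlinuz quiet" > "$t/boot/grub/grub.cfg"
    make_manifest "$t/boot" "$t/hashes.txt"
    verify_manifest "$t/boot" "$t/hashes.txt" && echo "CLEAN"
    echo "linux /vmlinuz debug" > "$t/boot/grub/grub.cfg"   # changed file
    rm "$t/boot/initrd.img"                                 # removed file
    echo "extra" > "$t/boot/grub/extra.mod"                 # new file
    verify_manifest "$t/boot" "$t/hashes.txt" || echo "TAMPERED"
    rm -rf "$t"
}
demo
```

An unsigned manifest only detects accidental or careless changes: anyone who can rewrite the files can rewrite the manifest too, so the manifest itself has to be authenticated, for example with a signature checked against a key kept off the disk.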