Slashdot Mirror


Adding Biometric Security to an Existing Laptop?

008 asks: "My work requires me to travel to some harsh climes with my laptop and other equipment, and the data I collect there is potentially very sensitive. Currently I use the PGP family to secure my drives, but my paranoia always demands more. IBM's biometric-ready Thinkpad really piques my interest, but getting one isn't feasible for me because it's too wimpy for the physical stress I'd inflict on it. I'd much prefer a way to biometrically lock a computer I already have. What options are out there?"

1 of 46 comments

  1. Don't bother, by swillden · Score: 4, Informative

    From a security perspective, it's probably not worth the effort. The circumstances in which a biometric authentication actually adds to your security are surprisingly restricted. Mostly, biometrics increase security by providing a convenient but weak authentication tool for situations in which the alternative is no authentication at all. The old saw about "something you know, something you have and something you are" presumes that the attacker actually has to "be" the "something you are" and can't simply bypass the authentication. That's hard to achieve in the real world.

    No, if you want to protect sensitive data on your computer, the main thing you need to do is to encrypt it, and then store the keys somewhere an attacker can't get them. If the keys are stored on the computer, then an attacker can probably get them. Keys stored in your head are safe, and keys stored in an external device which stays with you, not with the laptop, are also safe. Best is to use both.

    The best you can do presently, IMO, is to:

    1. Use an encrypting file system that allows you to store the keys on an external security token -- a smart card. Note that Microsoft Windows provides smart card support and encrypted file system support, but you can't encrypt your files with keys on the card. That's supposed to be fixed in Vista. At present, Linux and the *BSDs are the only way I know of to fully achieve this, and it's non-trivial.
    2. Use a boot password, and power your machine off whenever you're going to be separated from it. On most laptops today, the boot password is actually implemented by the hard drive firmware. Without the correct boot password, the drive will refuse to operate. To work around it, the attacker would actually have to replace the PCB on the hard drive -- a non-trivial operation. This is surprisingly good security. Getting it requires that you shut down your machine, though, not just suspend it.
    3. For the times when you don't shut your machine down, use a smart card for login, disable password-based login (so the OS *requires* the card) and make sure that your screen saver will come on and lock whenever the card is removed -- requiring the card and PIN to unlock it. This ensures that an attacker will (probably) have to shut the machine down before he can try to get at the data, and he'll run right into your boot password. Oh, and never leave the smart card with the machine.
    4. Finally, make sure that your machine isn't wide open to network-based attacks which would allow an attacker to trivially bypass all of the rest. Also, be very careful where you get software from to avoid trojans. Make sure USB devices and other peripherals don't get to run software upon insertion, either.

    In practice, 2 and 3 are pretty easy to do, and the result is fairly decent security. 1 is very good, but as I said it's not really easy to implement. 4 is critical and pretty hard to be certain you've done unless you simply disable network, USB etc. devices.

    If you have a laptop with a Trusted Computing TPM in it, there are some other options that may theoretically provide assurance levels that are almost as good as a smart card, but I'm not sure if the tools exist to make using those options practical, much less easy. I've been fiddling with using the TPM in my Thinkpad to bind the keys used for a dm-crypt encrypted file system.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
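The key-management point in the comment above (keys in your head and on a device that travels with you, never on the laptop) can be shown concretely. What follows is an added example, not part of the thread and not code from any product mentioned in it: a toy encrypted-volume format in Python in which the per-volume data key is wrapped under a key derived from both a passphrase and a token secret, so the material that stays on the laptop (salt, wrapped key, ciphertext) unlocks nothing on its own, and losing either factor fails the same way. The fixed `TOKEN_SECRET`, the PBKDF2 work factor and the HMAC-SHA256 counter-mode keystream are assumptions of the example chosen so it runs with only the standard library; a real setup would keep the secret on the smart card and use a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed sample "token secret" for the demo. In the setup the comment
# describes this would live on a smart card that stays with the person, not
# with the laptop; here it is a fixed byte string so the demo runs offline.
TOKEN_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

PBKDF2_ROUNDS = 200_000  # assumed work factor for the passphrase factor


def derive_wrap_key(passphrase: str, token_secret: bytes, salt: bytes) -> bytes:
    """Combine 'something you know' and 'something you have' into one key.

    The passphrase is stretched with PBKDF2, then keyed through the token
    secret; someone holding only the laptop has neither input.
    """
    know = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(token_secret, know, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Purpose-specific subkey so the encryption and MAC keys differ."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or tampering fails here."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed: wrong factor or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def create_volume(passphrase: str, token_secret: bytes, data: bytes) -> dict:
    """Everything returned is what stays on the laptop: salt, the data key
    wrapped under the two-factor key, and the ciphertext. No factor is stored."""
    salt = os.urandom(16)
    data_key = os.urandom(32)  # random per-volume key, never derived from a factor
    wrap_key = derive_wrap_key(passphrase, token_secret, salt)
    return {
        "salt": salt,
        "wrapped_key": seal(wrap_key, data_key),
        "ciphertext": seal(data_key, data),
    }


def unlock_volume(passphrase: str, token_secret: bytes, volume: dict) -> bytes:
    """Rebuild the wrap key from both factors, unwrap the data key, decrypt."""
    wrap_key = derive_wrap_key(passphrase, token_secret, volume["salt"])
    data_key = unseal(wrap_key, volume["wrapped_key"])
    return unseal(data_key, volume["ciphertext"])


def demo() -> tuple:
    """Returns (both factors present, token missing, passphrase missing)."""
    secret = b"field samples: site 7"
    vol = create_volume("correct horse battery", TOKEN_SECRET, secret)
    attempts = [
        ("correct horse battery", TOKEN_SECRET),  # traveller with card and passphrase
        ("correct horse battery", bytes(32)),     # card lost; a blank stand-in
        ("wrong passphrase", TOKEN_SECRET),       # card found with the laptop, no passphrase
    ]
    results = []
    for pw, tok in attempts:
        try:
            results.append(unlock_volume(pw, tok, vol) == secret)
        except ValueError:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The wrapped data key is what makes the design practical: changing the passphrase or re-issuing a token only re-wraps 32 bytes, while the bulk ciphertext stays untouched, and the laptop never holds anything from which either factor can be recovered.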