What do you want advice about?
I’m an expat with a soon-to-be expired visa. I will be doing a visa run into a neighboring country (country 2) in order to extend my stay (in country 1). Given some unique circumstances, there’s no guarantee that I’ll be able to return to my residence in country 1, so leaving my devices behind during the border crossing is not an option. I need some advice about what steps I can take to protect my data during this process.
What have you considered or looked at already?
My phone is a Pixel 3a with, hold your nose, GrapheneOS. Unfortunately, my phone still suffers from the recently discovered Android lock screen bypass. Currently, I am unable to upgrade to a different phone. My laptop runs Fedora 37, is encrypted with LUKS, and has a locked BIOS and boot loader. Lastly, I have an external SSD (also encrypted via LUKS) that I use for backups.
My current plan is to power all my devices down and trust the encryption, but that doesn’t help if I’m asked to turn my passwords over. I have considered wiping all devices and performing a backup at a later date, but that plan still relies on not having to give over the password to my SSD.
In brief, tell us about your privacy threat model?
I am willing to sacrifice usability and convenience in order to protect my data from immigration officers.
Back up everything and save the encrypted backup on cloud storage, then factory reset/reinstall all your devices. When you get to your destination, you download the backup and restore the original state of your devices.
It protects your data, but it also protects you from any software that could be installed if you are forced to reveal your password.
That seems like it will work. The only issue is that I have to figure out a work around for the 2FA for the cloud storage service. Any suggestions?
I’m assuming you use a password manager. So your password is safe for the cloud storage you are planning to use.
Store your 2FA backup codes in a txt file, and don’t label them. Also, encrypt the file. If you’re asked to turn over your encryption password, the border officers can see the txt file. But since you didn’t label which service the codes are for, they don’t know it’s the codes for your cloud storage service. And they don’t have your password for the cloud storage service.
If your cloud storage service supports 2FA via SMS or email, you could enter the email address or phone number of a family member you trust. When you reach your destination, you can use an app like Signal to contact your family member and ask for the 2FA code to log in.
So I use KeePass as my password manager. My plan is to create a new profile on my NextCloud instance without 2FA that only has access to a copy of my database. I can log in to this profile, download my database, and access my passwords.
I’m storing my backups in my ProtonDrive. Would it be a bad idea to store all my 2FA backups in ProtonDrive and keep an encrypted copy of ProtonDrive’s backup code in my NextCloud instance, so that there’s nothing on my phone at all?
Or what about having my database and 2FA codes in a shared folder on ProtonDrive that’s protected with a password? This way everything is in one place and I just have to remember the password to the public folder.
If you have enough space to save the backup on Proton Drive, you can make a dummy e-mail account without 2FA and send it the download link. As long as the backup itself is encrypted, it should be safe.
The dummy e-mail account could work well. I’m thinking about just leaving my laptop with a trusted party in country 1 while I do the visa run. Are there any good mobile solutions to encrypt the files before I upload them to Proton?