So it’s already second hand. I’m not sure if that’s a fail.
I need it secure because I need to save some home made “video” on it, and I can’t let it get out, also financial details etc. (really important financial details I keep off any computer, obviously, but some just has to be on a laptop because there’s too much and I need to access it often).
I won’t ever connect it to the internet, so that makes it a lot easier.
I was thinking a fresh installation of Windows, some antivirus, and never connect it to the internet, and that’s enough security. What do you guys, the experts, think of this plan?
Airgapping the machine, i.e. never connecting to the internet, is only one important step. Although I’d say you can probably connect it safely before you put any sensitive data on it, e.g. to make sure the system is updated.
Full disk encryption (Bitlocker on Windows, LUKS on Linux, other systems have equivalents) should be used to avoid the possibility of the data being in danger if the laptop or its disk should get stolen.
In my opinion, Windows is too popular, and exposes you to unnecessary risk. Unless you need to use any software on this machine that does not have equivalent/alternative software for other systems, I’d evaluate using Linux, or even OpenBSD or NetBSD.
If your data is important enough that state actors, or private actors with lots of money/resources will be after it, most security measures will be useless anyway. You can’t control your computer’s firmware (beyond BIOS updates), and there are most likely backdoors in it that state actors could exploit. That said, if your computer happens to be compatible with LibreBoot, that would be a small win.
I don’t understand how you could possibly hack a computer that isn’t connected to the internet. I mean, it’s hard for it to get a virus to start with, then the virus has to be sophisticated enough to log itself into wifi (it probably won’t get that virus as it’s much more rare, it will probably get an ad spam virus if I’m very very very unlucky), and then it doesn’t know the wifi password anyway. Please tell me how on earth it’s possible!?
Tell no one about the laptop, the contents of the laptop, or where you store secure things.
Disable the WiFi module and all other hardware modules from the BIOS.
Encrypt the contents of the hard drive - store the encryption key on paper.
If possible, fill the USB and external ports with epoxy.
Superglue the back plate and strip the screws.
Only use the laptop when absolutely necessary, and do not use the laptop unless necessary.
Access the laptop only from a secure location. (ideally offsite of the storage location)
Lock the laptop in a secure location when not in use.
Commit the password to memory and don’t use it for anything else.
Check your surroundings.
The tricky decisions: Install Windows only if you must - otherwise go with Linux. For either OS, perform STIG configurations. The configuration is outside the scope of this question.
Beyond this, keeping a laptop that you only use for reference secure isn’t that difficult. Keep some things in mind:
What happens if you put all your jewels in a safe then you lose the key?
What happens if you put all your documents in a safe, and the house catches fire?
Why not keep all of that data on an external encrypted drive? Then store the drive somewhere safe and remote and access it only when needed from a laptop secured as per the comments above.
What you or I might think impossible is just a challenge to someone else with the right skills and levels of curiosity/motivation. This is what makes security such a fascinating space. Technical skill and/or social engineering will get you most places.
Have a google of ‘hack air gapped computer’ and either scare yourself or be fascinated.
Consider using something like QubesOS but that is a bit too extreme.
For a laptop with limited resources, I would just use something like the more generic Linux. Fedora Silverblue comes to mind, specifically. In their settings, there is an entry for Device Security. Aim for a higher HSI score in their device security when you can by modifying your BIOS settings. HSI 3 may be the one that you want considering the contents that you are describing.
Also update your BIOS firmware to the latest version, especially if it has an urgent security update. Also I’ve learned recently that not all brands are good. Apparently MSI lost their firmware signing key in a recent breach and that means that hackers that stole it can issue a “valid” firmware update to maliciously weaken your security.
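A way to verify the full disk encryption advice given in this thread on a Linux install, as an added example that is not from any poster: it lists every mount point that has no dm-crypt (LUKS) layer underneath it. It assumes `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output as input; the device layout in `sample_lsblk` is constructed.

```shell
#!/bin/sh
# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output:
# LVM on LUKS on sda2, a plain /boot, and a plain partition on a second disk.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/mnt/archive"
EOF
}

# Read lsblk -P output on stdin; print mount points with no crypt ancestor.
unencrypted_mounts() {
    awk '
    # Return the value of KEY="value" from one line of lsblk -P output.
    function field(line, key,    re, s) {
        line = " " line                  # so " KNAME=" cannot match inside PKNAME=
        re = " " key "=\"[^\"]*\""
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = field($0, "KNAME")
        if (!(k in type)) order[++n] = k   # keep first sighting of each device
        parent[k] = field($0, "PKNAME")
        type[k]   = field($0, "TYPE")
        mnt[k]    = field($0, "MOUNTPOINT")
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (mnt[k] == "") continue
            enc = 0
            # Walk from the mounted device up through its parent devices.
            for (d = k; d != ""; d = parent[d])
                if (type[d] == "crypt") { enc = 1; break }
            if (!enc) print mnt[k]
        }
    }'
}

# Demo on the constructed sample; on a real machine run instead:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts
sample_lsblk | unencrypted_mounts
```

An unencrypted `/boot` is common on LUKS installs; any other path in the output holds data that is readable if the disk is stolen.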