Secure setup for clients who need to take their work or private devices to Mainland China

Setup Checklist for Clients Travelling to China

Body

Dear [xxxxx],

Following up on our conversations about your upcoming travels, I’m sending you this checklist with tips for improving your digital security before you leave.

  1. Back up all sensitive data from the devices you will carry with you to an encrypted external storage medium that you will leave at home. Then delete this data from the devices you will be carrying with you. [If necessary, insert instructions for secure file deletion. For Windows, we can point them to this guide.]

    If you need any of this data while travelling, you can upload an encrypted folder to a cloud storage service, download it when you’re in the country, and then delete it again before you leave. We can help you set up a trusted storage service.

  2. Enable full-disk encryption with a strong password/passphrase.

    [For recommendations on full-disk encryption, see Article #166: Full-Disk Encryption (FDE)]

  3. Enable the firewall, including its so-called ‘stealth mode’, in which the device does not reply to pings.

    [Depending on the client’s operating system, we can send them the following links:

  4. Make sure that the devices only connect to trusted, password-protected Wi-Fi networks. If connecting to an open Wi-Fi network (which should generally be avoided), you should always use a trusted VPN.

  5. Set a PIN or passphrase to access any mobile device you have and switch it off (rather than putting it to sleep) when you are not using it. Also, keep the device with you whenever possible and lock it in the hotel safe when you cannot take it with you. Please note that hotel staff could have a way of opening their safes: if you can, never leave your device unattended.

  6. Disable location services.

  7. Install Chrome and add-ons for secure browsing.

    [Suggest that the client review their security hygiene, based on Article #212: Safe Browsing Practices and Plugins.]

  8. [If the client requires access to a video chatting service, which will probably not work anyway due to the restrictions China imposes on traffic from outside the country] For video chat, you can bookmark Calyx’s Jitsi Meet server.

  9. [If the client requires access to encrypted email while travelling] Install Thunderbird with Enigmail and set it up with a temporary email account created for this purpose. If you are using a Chromebook, install Mailvelope instead.

    9.1. Generate a PGP key pair for the new email account. [We can link this guide for Windows, Mac, or Linux.]

  10. Install and set up end-to-end encrypted messaging tools such as Signal, Wire, etc.

    [Telegram is very popular in China, but apparently, as of November 2017, it is being blocked, just like WhatsApp.]

Please feel free to get in touch with us if you have any doubts or questions about how to implement the above points.

Best regards,

[Incident handler’s name]