I currently have a Dell laptop that runs Windows for work. I use an external SSD via the Thunderbolt port to boot Linux, allowing me to use the laptop as a personal device on a completely separate drive. All I have to do is F12 at boot, then select boot from USB drive.
However, this laptop is only using 1 of the 2 internal M.2 ports. Can I install Linux on a 2nd M.2 drive? I would want the laptop to normally boot Windows without a trace of the second option unless the drive is specified from the BIOS boot options.
Will this cause any issues with Windows? Will I be messing anything up? For the external drive setup, I installed Linux on a different computer, then transferred the SSD to the external drive. Can I do the same for the M.2 SSD – install Linux on my PC, then transfer that drive to the laptop?
Any thoughts or comments are welcome.
Edit: Thank you everyone! This was a great discussion with a lot of great and thoughtful responses. I really appreciate the replies and all the valuable information and opinions given here.
Forget the technical details. I work in a corporate security department and if yours finds out what you’re doing there are high odds they would absolutely hate it. I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.) But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don’t.
Not to mention you really can’t hide that other drive from windows, and I’m sure a lot of the security tools would start screaming about new storage added when not expected. Data Loss Prevention is a big deal and random storage showing up doesn’t often mean the user has good things planned.
Exactly. This is a terrible idea. I’m fairly certain that anyone caught doing this would be immediately fired at some companies.
Yeah… I really don’t see the motives to do this either. Possibly:
- I guess if you’re traveling and you have to bring 2 laptops.
- Or you can’t afford a PC with the same specs as your work laptop.
Both of those situations don’t warrant booting work laptop to external personal HD though.
I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.)
Data loss/leak prevention would vehemently disagree. It’s a potential exfiltration point, especially if the org is blocking USB writes.
Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks
(assuming they’re using bitlocker appropriately etc.)
Stop using work devices for personal business
Yes, and especially don’t fuck with the hardware or core boot/OS configuration. That’s the kind of stuff that can get you fired in most orgs I’ve been in.
Is Linux likely to mess up the stuff in Windows: probably not? It does require you to do likely-unauthorized things to the device to install, including potentially circumventing some controls required in the work device.
Whether it causes issue or not, circumventing those policies or controls is not going to land well if you get caught at it.
Nah, it’s just like shitting on work hours
Your point is valid but the IT department isn’t tracking your shits
Or maybe they are if you work for amazon
Like disassembling the sink and shitting down the pipe maybe
Sure, people should not use their work computer for personal use.
However, I would say the majority of people absolutely do use it for occasional personal use. Checking your personal email at work? Googling driving directions to the dentist? Using the pdf editor to fill out a form? Searching for a flight during your lunch break? I would say everyone I see at work does this, and I would bet that when they take their laptop home they would not hesitate to boot it up for personal use. And the people working remotely I would wager use it even more.
I’m not saying it’s right, but I do think using a completely separate SSD and OS is way more responsible from a security perspective.
There is a difference between using software on a work computer for private purposes and installing another OS on a work computer, don’t you think?
and I would bet that when they take their laptop home they would not hesitate to boot it up for personal use. And the people working remotely I would wager use it even more.
Are you willing to bet your job or career on this? If so, proceed. Otherwise, I would heed the multiple warnings given in this thread. But then again, you might just be one of those fuck around and find out types. If so, be sure and drop in here and let us know how well it went.
If you have a job that gave you a computer you can probably afford to go buy your own.
Depending on the org this is a fireable offense, and at the very least highly suspect, so just be aware.
Just because people do it doesn’t mean you should.
Using a separate SSD and OS might work fine for protecting your data from company monitoring software, but it doesn’t protect company data from your rogue OS. If your company has a dedicated security team, your head will roll when they find out you put the company at risk. And if they don’t, you better hope IT is either apathetic or incompetent.
It’s not worth the risk of losing your job for being a liability. They might not be able to tell future employers why you are no longer employed with them, but “we would not hire {you} again if given the opportunity” speaks for itself.
Just buy a shitty laptop and use that.
There’s a difference between using a web browser to access certain websites, which still use the sandboxing and safe environment that the company has set up, and running your own OS which has unrestricted hardware access to everything.
IT likely knows that people will use their laptops for personal use, but probably trust that browsers are good enough at sandboxing that is not a concern. They can also tweak settings in whatever Windows management thingie they’re using to ensure that everything is up to date and all the programs you are running are safe.
However, running your own OS is very different. They can’t trust the browser sandbox or OS any more. They can’t trust that you’ll only run safe software. They can’t trust that you’ll not install malware that will infect firmware or your Windows install (which will steal company secrets).
If I were running an IT department I’d 100% lock down the efi and require a password. I’d try to make it as frictionless as possible if you wanted a certain distro for work reasons, but ultimately I’d like to know what’s going on.
Sure, people should not use their work computer for personal use.
This isn’t great. But what you’re wanting to do will get you fired.
I feel like 10-15 yrs ago, you’d be absolutely right here, but not now. Everyone I know, even less technical folks, keep it separate simply because they do that stuff on their phone instead.
Simple question: what would your employer say if you asked them?
My contract has a standard “no using company computers for personal business” clause. However I feel entirely confident that my employer doesn’t mind me using it to do personal errands using the web browser (on my own time). And I know they have no problem with me using Zoom or Teams to join meetings for non-work things in the evening. How do I know this? Because I asked them…
I’ve never asked them “can I install a new hard drive in my laptop, install an OS I downloaded off the internet, and boot into that OS to do things which I’d rather you not be able to track like you could on the main OS”. But I’m completely confident I’d know what the answer would be if I did ask.
If you think installing a new SSD etc. is acceptable, ask them. If you’re not asking them because you’re worried they’d say “no”, then don’t do it.
Try asking them instead if you can use your laptop to look up directions to the dentist on Google Maps. See if you get the same answer.
Danger Will Robinson! Do NOT fuck with company hardware!
You are going to potentially set off a shit ton of alarm bells, and risk your job, by even attempting this.
First of all, almost all such devices come with a BIOS lock. You’d need to get the password before you could even begin this (again, do not do it!)
Secondly, they’ll be able to tell something is up from the foreign UEFI entries.
Thirdly, if that doesn’t expose you, Intel IME will. Doesn’t matter what operating system you’re running.
And you’re going to create some royal fucking headaches for a lot of people in your company.
Let’s start with security. Remember when I said you’ll set off alarm bells? Well, I mean some mother fucking alarm bells. Security will have a god damn aneurysm over this, and they will believe you may be doing this to bypass security, possibly for nefarious reasons. A foreign hard drive with its own OS looks shady as shit.
Then there’s the regular tech people. You’re going to cause various headaches for them too. Not least because under many service agreements, the company itself may not be authorised to open up the workstations themselves. Many workplaces rent their workstations nowadays, and it is not uncommon to see this language in their SLAs.
Then there’s the fact that the OS image on the original drive potentially cannot be trusted any more, so they have to wipe the fucker clean and do a fresh image install.
TL;DR, You are giving your company several solid reasons to fire you for cause by doing this.
He already boots linux via USB drive on it, I guess the difference to booting from PCI/M.2 drive would not be that different, in terms of security, or did I miss something?
The security implication from a USB boot are probably more severe but also more the fault of the people configuring your work machine. It is expected that people will plug things like pen drives in, to a degree. It is your job to block it with configurations.
The real problem is that once you start adding or removing internal hardware, that configuration no longer stays a trusted one because they’ve meddled with the components.
On top of all that, most hiring contracts I’ve seen contain language saying that if you use company resources to make a thing, the company owns that thing. Seems likely that in addition to firing they could compel you to turn over the drive and wipe it.
I was thinking about the technical details and didn’t stop to consider the implications, nice answer.
Also unexpected lost in space reference.
If I even tried to plug a USB into my laptop security would be down on top of me like a ton of the proverbial … the same way that the only true way to be secure is don’t plug into the internet the only way not to piss off corporate is don’t f*ck with their stuff.
I have a recommendation, buy a personal laptop that isn’t tied to your company.
You shouldn’t do this. Why would you do this
Want to elaborate on why it’s such a bad idea? I’m curious now
Provided the user doesn’t put their windows password in, then things should not be accessed.
You run the risk of getting your ass fired. It’s not your property, you’re not supposed to mess with it, let alone installing additional hardware and another OS which could then lead to issues with the work side of things.
So you’re saying it will mess with the other partitions?
This is essentially OPs question, but I didn’t see you answer it in that way.
Less that it can mess up the other drive.
More the “it’s not your property don’t fuck with it”
OK… Which doesn’t satisfy OPs aim of the post. Check other replies to see the technical side of things.
Well for one thing the laptop doesn’t belong to OP so it’s not theirs to mess with.
I was more looking for a functional reason, not just a “cos I said so” from the employer.
I thought maybe some of you work in cybersec had a real answer or a cve/attack vector etc.
If OP, freed from the confines of the corporate security suite, happens to get infected with a firmware or boot partition malware…
And by the way kids, lets just say he causes a breach in some way, shape, or fashion, this could go from him just trying to get to the internet on his work provided laptop to him facing jail time. Depending on the nature of his work and the data they have, it could be a law that ends up broken and he could face the consequences. None of that is worth it when he could literally buy a new laptop for cheap. I bet it’s less than the hourly rate for the lawyer he might need.
One doesn’t need to work in cybersec to know that the vast majority of attacks work because the targeted users have personal dum-dum moments.
You might need to, to know the windows partition has bitlocker (if the cybersec is worth their salt), which is opened at windows login with a password.
So again, how is this accessed by the Linux partition?
Really just wanting to know how you see this happening… Presumably info being leaked from the work partition…
Here’s a scenario for you. His laptop running his linux os gets hacked. Said hacker discovers another drive with windows or an encrypted partition. Now he could sit there and try and de-encrypt it, or if he has the time and inclination just completely overwrite it with whatever he wanted. OP finishes what he is doing and reboots back into what he expects to be his work provided Windows OS, and sees some error message, or maybe nothing at all. In the background the hacker’s OS which is now running just leads him on while it’s doing what it needs to do, like scanning the network it might be connected to. Or prompting him for an id/pw.
Regardless, the linux os will have access to the drive the Windows os is loaded onto. Now what happens to it may or may not be relevant, but it will be a writeable drive, therefore it will be suspect to manipulation.
I’ll come along with your scenario just for fun.
- the decrypt part. Yes granted! But heavy workload
- the overwrite stuff. Yes could be dd’d but this is like an nvme drive frying itself by itself. Not uncommon, e.g. a user spills coffee on the machine.
- writeable. AFAIK with bitlocker they are hashed and salted and therefore would be corrupted if you opened again with manipulated data.
- the phishing os, yes a possibility, but would need to be very spear phishing orientated to get the same profile photo, username etc, and then it would still be empty.
- if you connect to wired company network, totally compromised. I am 100% remote so this one skipped me, but yes this one is completely cooked.
Thanks for saying an actual scenario also, most were like hurr dürr, don’t do it.
Excuse my lack of cybersex knowledge, but if you plug in an infected appendage to a hub, then can’t that hub become infected as well and pass along the STI to any other appendage plugged in?
Far as I remember, wearing a condom isn’t a guaranteed protection against infections.
I get what you’re asking, but this seems akin to stealing an ATM and then when the bank calls the cops you ask “but how would I even get inside? This is thick steel, there’s no way to get the money out of there without using my debit card anyway so idk what the big deal is.”
Like you’re not entirely wrong, but for one thing the bank has every reason to suspect you might try to break in anyway. But more importantly, stealing it is a crime in and of itself. So the “because the employer said so” angle is absolutely valid here and more than enough reason to not do this because trying to load a separate OS that will give you root privileges to the device is shady af and will 100% violate whatever contract OP had to sign before they were given that laptop unless their IT dept is completely incompetent.
This likely breaks your company’s terms of use. This can definitely lead to termination, especially since the other OS would likely not be monitor-able by them (opening them up to potential liability, along with the myriad of other issues)
IDK about other places, but the document we make our users sign makes it clear that modifying the internal hardware is a fireable offense.
The laptop isn’t yours, use a personal device for personal stuff, and work device for work only.
The answer here is very simple. Your employer will find out what you’re doing.
So obviously you should be asking them, if anyone. Not us Lemmings.
No they will not?
If they have no Secure Boot (it seems) and no locked-down BIOS (for whatever reason), and the person can use the laptop at home and use it with another OS, that is fine.
Using it in the company is something different.
You might be surprised how much Intel corp security teams have.
Mind to elaborate?
But are companies using that? Or is it just something intel may use for creepy shit?
So you’re reading this as Intel built a way to spy on literally everyone as opposed to Intel built a feature for corp security teams? Interesting.
I just never thought of that. But yeah true point, ME neutering is a blessing and you shouldn’t just put Linux on random spyware hardware and think it is private
Coreboot is a blessing
@3mdeb@fosstodon.org
Apparently you are unaware of how much monitoring goes on in corporate IT. You’re lucky they haven’t already found the MAC address yet booted with a different OS, or maybe they’re already onto you.
I would stop doing what you’re doing immediately and hope it’s not too late
I had a work laptop and did the “external USB” thing. One day, at work, I’m messing with my Linux on a public wifi, having unplugged from the corporate LAN.
A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.
Corporate security got to my laptop before I did.
I didn’t get fired.
I don’t work there anymore, though.
Yeah, this is just a terrible idea. The risk is far greater than any potential reward you might be getting.
The big takeaway is that you do not own this computer. It is not yours, it is being lent to them for a very specific purpose. And what you want to do, hell what you’re already doing, is way outside of that purpose.
How would you feel if you lent a friend your computer to check their email and found out they had bypassed a lot of your security mechanisms (passwords) to set up their own admin account?
What about when you begrudgingly get a MFA app on your personal phone because your employer’s too cheap to shell out for a yubikey or hardware token? How would you feel if their app also rooted your phone just for shits and giggles?
What you’re proposing is not only dangerous to your career, it’s also potentially illegal. And also just downright unethical.
I understand the rationale behind you doing this, I’ve done it myself.
Your company sends you abroad for a week or two. You want to access your Netflix account but don’t want to do it on the company computer. On the other hand you don’t want to carry two laptops with you.
As others have said, tampering with company hardware can get you in trouble with the IT department, and it’s enough to get you fired in some cases.
If you value your job get permission to do it or get yourself a tablet.
DO NOT install a second M.2
Use the external drive
If the internal drive is in there, you could be asked at work to turn it in. It is not a good look to ask to remove an internal drive.
Any thoughts or comments are welcome
If this is a corporate device your cyber security team have really dropped the ball by enabling you to change the boot order.
If the second internal ssd is there when windows boots, it will leave a trace. IMHO booting off the external drive is the best option if you want it to leave no trace on the windows partitions.
Also, it’s possible any booted device will leave a trace in the bios or uefi boot logs, which your corporation may have configured to ship to their audit logs or something similar.
Thanks for the information. And good point - I will check to see if there’s any logs in the BIOS. Is there any way to know if boot logs are being sent? Is that a BIOS setting, or something that would be configured in Windows?
I’m not familiar with windows so I don’t know exactly how to tell if the logs are being sent to a central log store. My assumption about how it would work is windows would have a capability that reads the UEFI boot logs and sends them with other windows system logs to a central log store. This feature is almost certainly built into windows. You may be able to open up a log inspection tool of some sort and search them. I’m really just guessing about these details from first principles though.
IT will ask you the next day what you did to their computer.
From a technical perspective I’m curious - how would they know a drive has been added without physically inspecting the laptop?
Microsoft system administrators have full access to any physical device information, this includes a report on new internal devices or changes. Your company may not be so serious about security, but why on earth are you willing to risk your livelihood on this?
Not just Windows sys admins … I have this access to MacBooks, tablets, and phones in my company.
Windows, MacOS, Linux, iOS, Android … If it’s in use in an enterprise environment that knows what they’re doing, they have full access to the device.
Intel IME can snitch on this kind of thing. Completely independent of the OS too.
The drive is visible to the OS so if they have any kind of management software in place which looks for hardware changes it will be noticed.
Quite interesting. Thank you for the information!
CPU/BIOS-level system management engines such as Intel IME/vPro or AMD Secure Technology give device access to IT even if the OS is replaced or the system is powered off.
If your IT staff isn’t utilizing that technology, then when you boot into a corporate-managed OS, they can see any hardware that is currently connected to the system.
If they’re not doing any monitoring at all, you’re fine (but the viability of the business is in question). If they’re doing OS-level monitoring, stick with the USB thing and leave it unplugged when booted into the corporate OS. If they’re doing CPU-level monitoring, you’re already likely flagged.
If you’re unsure how much monitoring they’re doing, attempting to find out may also be a resume-generating event (RGE). Cheers, and good luck!
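To make the two detection claims in this thread concrete (that a corporate-managed Windows OS sees whatever disks are attached, and that a Linux install leaves a foreign UEFI boot entry the firmware exposes), here is an added example written from the defender's side; it is not code from the thread, from Dell, or from any vendor's management agent. Run it in an elevated PowerShell session on a machine you administer: it snapshots physical disks and firmware boot entries, diffs them against a saved baseline, and lists recent plug-and-play disk configuration events. The baseline path, the `Microsoft-Windows-Kernel-PnP/Configuration` log name with event ID 400, and the `bcdedit /enum firmware` line format are assumptions stated in the comments.

```powershell
# Added example (not from the thread): snapshot a Windows laptop's physical disks and
# firmware (UEFI) boot entries, compare them with a saved baseline, and report changes
# the way an endpoint-inventory agent would. Run elevated: bcdedit needs admin rights.
# Assumptions: the baseline path below; the Kernel-PnP/Configuration log exists on this
# Windows build and logs event ID 400 ("Device <instance path> was configured").

param(
    [string]$BaselinePath = "$env:ProgramData\hw-baseline.json"   # assumed location
)

function Get-DiskInventory {
    # One record per physical disk. Serial + Model identify the unit; InterfaceType and
    # PNPDeviceID show whether it is an internal NVMe/SATA disk or a USB attachment.
    Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
        [pscustomobject]@{
            Serial      = ([string]$_.SerialNumber).Trim()
            Model       = $_.Model
            Interface   = $_.InterfaceType
            PnpDeviceId = $_.PNPDeviceID
            SizeGB      = [math]::Round($_.Size / 1GB)
        }
    }
}

function Get-FirmwareBootEntries {
    # Parse 'bcdedit /enum firmware' into (Id, Description) pairs. Assumed format:
    # "identifier   {guid}" lines followed by "description  <text>" lines.
    # A Linux installer normally registers its own entry here (e.g. a distro name),
    # which is the "foreign UEFI entry" the thread mentions.
    $entries = @()
    foreach ($line in (bcdedit /enum firmware 2>$null)) {
        if ($line -match '^identifier\s+(\S+)') {
            $entries += [pscustomobject]@{ Id = $Matches[1]; Description = '' }
        } elseif ($line -match '^description\s+(.+)$' -and $entries.Count -gt 0) {
            $entries[-1].Description = $Matches[1].Trim()
        }
    }
    $entries
}

function Get-RecentDiskArrivals {
    param([int]$Days = 7)
    # Plug-and-play configuration events show *when* a disk appeared, even if it has
    # since been removed. Disk instance paths contain "Disk" (e.g. SCSI\Disk&Ven_NVMe...).
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'   # assumed log name
        Id        = 400                                            # assumed event ID
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Disk' } |
        Select-Object TimeCreated, Message
}

function Compare-Baseline {
    param($Current, $Baseline, [string]$Key)
    # Items whose $Key value is present now but not in the baseline are "Added";
    # items in the baseline but not present now are "Removed".
    $added   = $Current  | Where-Object { $_.$Key -notin @($Baseline.$Key) }
    $removed = $Baseline | Where-Object { $_.$Key -notin @($Current.$Key) }
    [pscustomobject]@{ Added = @($added); Removed = @($removed) }
}

$snapshot = [pscustomobject]@{
    Taken = (Get-Date).ToString('o')
    Disks = @(Get-DiskInventory)
    Boot  = @(Get-FirmwareBootEntries)
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state and stop.
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$diskDiff = Compare-Baseline -Current $snapshot.Disks -Baseline $baseline.Disks -Key 'Serial'
$bootDiff = Compare-Baseline -Current $snapshot.Boot  -Baseline $baseline.Boot  -Key 'Description'

foreach ($d in $diskDiff.Added)   { Write-Output "NEW DISK: $($d.Model) serial=$($d.Serial) via $($d.Interface)" }
foreach ($d in $diskDiff.Removed) { Write-Output "MISSING DISK: $($d.Model) serial=$($d.Serial)" }
foreach ($b in $bootDiff.Added)   { Write-Output "NEW FIRMWARE BOOT ENTRY: $($b.Description) ($($b.Id))" }
Get-RecentDiskArrivals | ForEach-Object { Write-Output "PnP: $($_.TimeCreated) $($_.Message)" }
```

Run it once to write the baseline, then on later runs it prints only what changed. The diff keys on disk serial number rather than drive letter because a second internal M.2 disk need not mount anywhere in Windows to be visible through `Win32_DiskDrive`, and on firmware boot-entry description because that is what a fresh Linux install changes even when the Windows partitions are untouched. Real management suites collect the same inventory centrally; this script only shows what they have to look at.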
I’m glad you asked, people provided some great answers.
Good rule of thumb is just don’t mess with company property at all, cuz they’ll know. For example I simply turned a wall TV on one weekend so my skeleton crew had something to do, and I was asked why a few days later. If it’s electronic they can track it.