Use work laptop as personal device by dual booting on a separate internal drive?

I currently have a Dell laptop that runs Windows for work. I use an external SSD via the Thunderbolt port to boot Linux, allowing me to use the laptop as a personal device on a completely separate drive. All I have to do is F12 at boot, then select boot from USB drive.

However, this laptop is only using 1 of the 2 internal M.2 ports. Can I install Linux on a 2nd M.2 drive? I would want the laptop to normally boot Windows without a trace of the second option unless the drive is specified from the BIOS boot options.

Will this cause any issues with Windows? Will I be messing anything up? For the external drive setup, I installed Linux on a different computer, then transferred the SSD to the external drive. Can I do the same for the M.2 SSD – install Linux on my PC, then transfer that drive to the laptop?

Any thoughts or comments are welcome.

Edit: Thank you everyone! This was a great discussion with a lot of great and thoughtful responses. I really appreciate the replies and all the valuable information and opinions given here.

phanto,

I had a work laptop and did the “external USB” thing. One day, at work, I’m messing with my Linux on a public wifi, having unplugged from the corporate LAN.

A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.

Corporate security got to my laptop before I did.

I didn’t get fired.

I don’t work there anymore, though.

astraeus,

Yeah, this is just a terrible idea. The risk is far greater than any potential reward you might be getting.

astraeus,

I have a recommendation: buy a personal laptop that isn’t tied to your company.

VelociCatTurd,

You shouldn’t do this. Why would you do this?

beeng,

Want to elaborate on why it’s such a bad idea? I’m curious now

Provided the user doesn’t put their Windows password in, then things should not be accessed.

BiggestBulb,

This likely breaks your company's terms of use. This can definitely lead to termination, especially since the other OS would likely not be monitor-able by them (opening them up to potential liability, along with the myriad of other issues)

UntouchedWagons,

Well, for one thing the laptop doesn’t belong to OP so it’s not theirs to mess with.

beeng,

I was more looking for a functional reason, not just a “cos I said so” from the employer.

I thought maybe some of you who work in cybersec had a real answer or a CVE/attack vector etc.

thecrotch,

If OP, freed from the confines of the corporate security suite, happens to get infected with a firmware or boot partition malware…

FigMcLargeHuge,

And by the way kids, let’s just say he causes a breach in some way, shape, or fashion, this could go from him just trying to get to the internet on his work provided laptop to him facing jail time. Depending on the nature of his work and the data they have, it could be a law that ends up broken and he could face the consequences. None of that is worth it when he could literally buy a new laptop for cheap. I bet it’s less than the hourly rate for the lawyer he might need.

Lath,

One doesn't need to work in cybersec to know that the vast majority of attacks work because the targeted users have personal dum-dum moments.

beeng,

You might need to, to know the Windows partition has BitLocker (if the cybersec is worth their salt), which is opened at Windows login with a password.

So again, how is this accessed by the Linux partition?

Really just wanting to know how you see this happening… Presumably info being leaked from the work partition…

Lath,

Excuse my lack of cybersex knowledge, but if you plug in an infected appendage to a hub, then can't that hub become infected as well and pass along the STI to any other appendage plugged in?
Far as I remember, wearing a condom isn't a guaranteed protection against infections.

FigMcLargeHuge,

Here’s a scenario for you. His laptop running his Linux OS gets hacked. Said hacker discovers another drive with Windows or an encrypted partition. Now he could sit there and try and de-encrypt it, or if he has the time and inclination just completely overwrite it with whatever he wanted. OP finishes what he is doing and reboots back into what he expects to be his work provided Windows OS, and sees some error message, or maybe nothing at all. In the background the hacker’s OS which is now running just leads him on while it’s doing what it needs to do, like scanning the network it might be connected to. Or prompting him for an id/pw.
Regardless, the Linux OS will have access to the drive the Windows OS is loaded onto. Now what happens to it may or may not be relevant, but it will be a writeable drive, therefore it will be susceptible to manipulation.

beeng,

I’ll come along with your scenario just for fun.

  • the decrypt part. Yes granted! But heavy workload
  • the overwrite stuff. Yes could be dd’d but this is like an NVMe drive frying itself by itself. Not uncommon, e.g. a user spills coffee on the machine.
  • writeable. AFAIK with BitLocker they are hashed and salted and therefore would be corrupted if you opened again with manipulated data.
  • the phishing OS, yes a possibility, but would need to be very spear phishing orientated to get the same profile photo, username etc, and then it would still be empty.
  • if you connect to wired company network, totally compromised. I am 100% remote so this one skipped me, but yes this one is completely cooked.

Thanks for saying an actual scenario also, most were like hurr dürr, don’t do it.

FigMcLargeHuge,

> writeable. AFAIK with BitLocker they are hashed and salted and therefore would be corrupted if you opened again with manipulated data.

No problem. This part right here might be enough to cause concern. Let’s say it isn’t a hacker, but just someone dicking around with his Linux OS, and manages to accidentally write to the BitLocker drive. I don’t know enough about BitLocker, but writing random data to an encrypted file is a great way to corrupt it. So if nothing else he could possibly corrupt his work OS. And then hope that they buy the old “I don’t know how it broke.”

When I was making this all up in my head, I was thinking that if I was a hacker and wanted to just mess with people, I wouldn’t need to write a huge OS, just overwrite his OS with something like a DBAN ISO. Something small, but again any tampering with the drive would likely invalidate the bitlocked OS. So even just a dd if=/dev/zero of=/dev/{os drive} and that’s all she wrote.

beeng, (edited)

It’s all true, but the deleting of data is so common from the simple coffee on laptop trick that you’d think if your work was that important you’ve already got it set up with Dropbox/OneDrive on My Documents for the non-eng types and git for the rest.

Can’t lose too much.

I was more worried the data would get out, not corrupted.

Borkdornsorkpor,

I get what you’re asking, but this seems akin to stealing an ATM and then when the bank calls the cops you ask “but how would I even get inside? This is thick steel, there’s no way to get the money out of there without using my debit card anyway so idk what the big deal is.”

Like you’re not entirely wrong, but for one thing the bank has every reason to suspect you might try to break in anyway. But more importantly, stealing it is a crime in and of itself. So the “because the employer said so” angle is absolutely valid here and more than enough reason to not do this because trying to load a separate OS that will give you root privileges to the device is shady af and will 100% violate whatever contract OP had to sign before they were given that laptop unless their IT dept is completely incompetent.

fuckwit_mcbumcrumble,

You run the risk of getting your ass fired. It’s not your property, you’re not supposed to mess with it, let alone installing additional hardware and another OS which could then lead to issues with the work side of things.

beeng,

So you’re saying it will mess with the other partitions?

This is essentially OP’s question, but I didn’t see you answer it in that way.

fuckwit_mcbumcrumble,

Less that it can mess up the other drive.

More the “it’s not your property don’t fuck with it”

beeng,

OK… Which doesn’t satisfy OP’s aim of the post. Check other replies to see the technical side of things.

hashferret,

Forget the technical details. I work in a corporate security department and if yours finds out what you’re doing there’s high odds they would absolutely hate it. I mean it likely isn’t an issue for org security (assuming they’re using BitLocker appropriately etc.). But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don’t.

pivot_root,

> (assuming they’re using BitLocker appropriately etc.)

Yeah, about that…

jecht360,

Exactly. This is a terrible idea. I’m fairly certain that anyone caught doing this would be immediately fired at some companies.

youngGoku,

Yeah… I really don’t see the motives to do this either. Possibly:

  1. I guess if you’re traveling and you have to bring 2 laptops.
  2. Or you can’t afford a PC with the same specs as your work laptop.

Both of those situations don’t warrant booting work laptop to external personal HD though.

andrew,

Not to mention you really can’t hide that other drive from Windows, and I’m sure a lot of the security tools would start screaming about new storage added when not expected. Data Loss Prevention is a big deal and random storage showing up doesn’t often mean the user has good things planned.

520,

> I mean it likely isn’t an issue for org security (assuming they’re using BitLocker appropriately etc.)

Data loss/leak prevention would vehemently disagree. It's a potential exfiltration point, especially if the org is blocking USB writes.

Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks.

General_Shenanigans,

As many companies now use BitLocker encryption, you’ll probably Bitlock your work partition by trying to install the second drive internally. IF YOU MUST boot to another drive, keep it external. And DO NOT unlock or mount your work partition in your personal OS. Really, though, you shouldn’t do this at all.

mvirts,

🙃

How badly do you need your job?

Kangie,

> Any thoughts or comments are welcome

If this is a corporate device, your cyber security team have really dropped the ball by enabling you to change the boot order.

LoveSausage,

Damn, my laptop has secure boot and extra on top, I believe the USB ports are physically disabled.

I assume everything is watched on what I’m doing. Can’t remember the wording but I can’t do shit without getting in a heap of trouble.

Browser add-ons are like a 2 week process to get approved.

KarnaSubarna,

In most cases, work laptops have software(s) installed to automatically keep track of these activities, and flag it to the security team of your organization. At that point, it will either lead to a formal warning to you, or termination/forced resignation.

From the organization’s point of view, this is to avoid any accidental (or intentional) leak of confidential data, and/or accidentally (or intentionally) infecting your (work) system with malware/ransomware.

The latter had happened in one of my previous organizations, and the person responsible was terminated from the job immediately.

acockworkorange,

You can buy a used ThinkPad T480 for like $75 on eBay. A lot cheaper than having to explain your shenanigans to Maude from HR.

fpslem,

Honestly, this is good advice. It’s much better to keep personal computer activity on a personal device, whether that’s on a ThinkPad or anything else.

naonintendois,

I knew someone who did this but swapped out the physical hard drive each time. I wouldn’t dual boot because then it’s much more obvious to IT what you’ve done.

This is only realistically feasible though if the hard drive is easily accessible. If it’s something like a Mac or soldered in, dual booting is your only choice. As others have said, this could get you in a lot of trouble with your company. Check the docs you’ve signed.

Omgboom,

I work in IT and that’s what I do lol

1995ToyotaCorolla,

IDK about other places, but the document we make our users sign makes it clear that modifying the internal hardware is a fireable offense.

The laptop isn’t yours, use a personal device for personal stuff, and work device for work only.

Pantherina,

I think this is a good idea. You may want to use a different MAC on Linux, true.

Also only use the personal drive at home if you fear being spied on.

The chance that your company embeds spyware in the BIOS is like 0%. If you can press F12, Windows is off and you will not be spied on.

Otherwise make sure to do real reboots and use this shutdown command to really turn off Windows, as otherwise it hibernates only.

savvywolf,

For anyone wondering about the security issues caused by this, even if the Windows partition is encrypted, it’s still possible to get secrets from the Windows install.

If you have root access to a Linux machine, you can easily replace the Windows kernel loader with one that looks just like Windows, but does nothing other than steal your encryption password on login/boot.

Secure Boot/TPM would protect against this, but Linux users (especially those that are more lax about security) tend to disable it as part of installing Linux.
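
Added example, not part of the thread and not any commenter's code: a Windows-side audit of the conditions the replies above lean on (Secure Boot enabled, a ready TPM, BitLocker protection on with a TPM-bound key protector). The function name `Get-BootChainPosture` is hypothetical; it assumes an elevated PowerShell session on a machine with the built-in SecureBoot, TrustedPlatformModule and BitLocker modules.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Get-BootChainPosture is a hypothetical name; the cmdlets it calls ship with Windows.
function Get-BootChainPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Confirm-SecureBootUEFI returns $true/$false and throws on legacy-BIOS systems.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }
    if (-not $secureBoot) { $findings.Add('Secure Boot is disabled or unsupported') }

    # A TPM-bound BitLocker protector needs a TPM that is present and ready.
    try   { $tpm = Get-Tpm -ErrorAction Stop; $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady }
    catch { $tpmReady = $false }
    if (-not $tpmReady) { $findings.Add('TPM is missing or not ready') }

    # OS volume: protection must be on (not suspended) and the volume fully encrypted.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add('BitLocker protection is off or suspended on the OS volume')
    }
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("OS volume status is $($vol.VolumeStatus)")
    }

    # Protector types starting with Tpm (Tpm, TpmPin, TpmStartupKey, ...) tie unlock
    # to the TPM; a Password protector relies on a typed secret alone.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if (-not ($types -like 'Tpm*')) {
        $findings.Add('No TPM-bound key protector on the OS volume')
    }
    if ($types -contains 'Password') {
        $findings.Add('Password protector present: unlock does not depend on the TPM')
    }

    [pscustomobject]@{
        SecureBoot    = $secureBoot
        TpmReady      = $tpmReady
        KeyProtectors = $types -join ', '
        Findings      = $findings
    }
}

Get-BootChainPosture | Format-List
```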
