The Border Crossing Tech Checklist I Run Before Customs
Three months ago I landed at JFK after six weeks in Eastern Europe. CBP pulled me aside, asked for my laptop, and escorted me to a secondary inspection room that smelled like overworked server racks. The officer was polite. The questions were polite. The forensic image they took of my NVMe drive would not have been. Luckily, everything on the machine looked clean: travel profile, decoy workspace, no sensitive data. That wasn’t luck—it was the result of a checklist I now run before every border crossing.
48 Hours Before Departure: Digital Triage
I schedule a two-hour block in my calendar titled “Border hardening sprint.” Coffee, noise-cancelling headphones, and the following tasks:
1. Archive and Purge Client Projects
- Sync active repos to my Synology DS923+ at home via Tailscale.
- Export encrypted tarballs (
tar --use-compress-program=pbzip2 -cvf project.tar.bz2 project_dir; gpg --symmetric project.tar.bz2). - Delete local copies using
srm -rf(Secure Remove) so recovered files are gibberish.
2. Rotate Password Manager Vaults
- 1Password → enable Travel Mode (shows only “Border Safe” vault).
- Bitwarden shared vault → export and move to Veracrypt container stored in
~/Vaults/archive-2025-07.hc. - Hardware keys (YubiKey 5C NFC) labeled by location. Primary on lanyard, backup taped inside toiletry kit.
3. Update Device Firmware
- Framework 13" BIOS 3.06 via FW updater.
- iPhone 15 Pro → iOS 17.5.1. Disable Face ID temporarily; border agents can’t compel passcodes as easily.
- GL.iNet Slate AX router → latest firmware (check
System > Upgrade).
4. Confirm Travel Profiles
I keep a dedicated macOS user account named TravelOps. It contains:
- Minimal apps (Arc, Obsidian, Mullvad, Proton Mail).
- No client repos.
- Browser profile with zero autofill and cleared history.
I log out of the primary account, test TravelOps, and wipe the login history.
Day Before Departure: Physical Prep
| Item | Action | Why | | --- | --- | --- | | Framework NVMe secondary drive | Remove and store in Pelican 1010 case | Contains research archives not needed on trip | | SanDisk Extreme SSD | Fill with decoy documents (public speaking notes) | Appease cursory inspections | | iPad Air | Enable Guided Access with code; disables app switching | Prevent shoulder surfing | | Travel router | Preload Mullvad WireGuard configs (Amsterdam, New York) | Quick pivot if airport Wi-Fi is hostile |
I also laminate a device manifest: list of serial numbers, owner details, and warranty contacts. It reassures officers that I know my gear, and it helps me file claims if something breaks.
Airport Routine: Before Security
- Last moment on home Wi-Fi: run
sudo fdesetup statusto confirm FileVault is On. - Sync Raivo OTP backups to iCloud (encrypted) so I can restore 2FA if something gets wiped.
- Power down devices completely—no sleep mode.
- Tape a card inside the laptop sleeve that reads: “Contact: legal@pixeltechnologyllc.com for business continuity.” It signals there is a process if they need deeper access.
During Inspection: Staying Calm & Compliant (Enough)
When I get the famous “please step this way,” my playbook kicks in:
- Ask for a receipt. CBP Form 6051D documents items they take. It’s your serial number proof.
- Use the travel passcode. My devices use a unique 16-character passcode (
N4-Travel-2025!). After the trip, I switch back to the daily driver password. - Enable USB restricted mode on iOS (
Settings > Face ID & Passcode > USB Accessoriesoff). Stops data exfil if they plug into a forensic box without unlocking. - Note badge numbers. I jot them in Standard Notes on my Apple Watch (no one asks to unlock the watch). Helps when reporting overreach to counsel.
After Release: Restoration
- Change device passcodes immediately.
- Reboot into primary macOS account, disable Travel Mode on 1Password, re-download critical vaults.
- Inspect
Console.appfor suspicious system log entries between confiscation and return (look forlog show --last 1h | grep -i "unlock"). - Run Malwarebytes and KnockKnock to ensure no persistence implants.
Tools Worth Keeping in the Kit
- Veracrypt hidden volumes for carrying sensitive data that you can reveal under duress without exposing the real vault.
- Faraday pouch for phones (Mission Darkness). If confiscated, place the powered-down device inside to avoid remote access attempts.
- Legal contacts: I keep the Electronic Frontier Foundation’s traveller hotline + my attorney on a laminated card.
FAQ I Keep Getting From Friends
Q: “Can’t I just refuse?” A: Depends on country. In the U.S., citizens can refuse to unlock, but devices may be seized. In some countries (Australia), refusing can trigger heavy fines. Know local laws.
Q: Should I travel with a blank laptop? A: If you can. I maintain a Framework expansion card with a bare-bones Pop!_OS install. For high-risk trips (research in Hong Kong), I boot from that drive only.
Q: What about cloud wipe from a distance? A: iCloud and MDM can issue remote wipe, but only if the device is online. Border machines often block network access. Better to pre-sanitize than rely on remote nukes.
TL;DR Checklist
[ ] Archive sensitive projects to encrypted storage
[ ] Enable Travel Mode / minimal vaults in password managers
[ ] Update firmware + security patches
[ ] Remove unnecessary drives; prepare decoy data
[ ] Power down devices prior to inspection
[ ] Carry legal contact card + device manifest
[ ] Restore normal profiles after crossing; rotate passcodes
The goal isn’t to be adversarial. It’s to arrive prepared so an inspection becomes an inconvenience rather than a breach notification. The more you practice the ritual, the less intimidating the secondary screening room feels. Chilled fluorescent lights or not, you’ll walk out knowing your data stayed yours.