Building a Pre-Trip Security Audit Routine

Two years ago I landed in Tbilisi and realized my 2FA backup codes were sitting in a desk drawer in Lisbon. When my authenticator app glitched during a SIM swap, I spent four hours locked out of email, banking, and my password manager. That mistake—and a dozen smaller ones across three continents—taught me that security isn't something you fix when things break. It's a ritual you perform before wheels-up, every single time.

Photo: Unsplash / Glenn Carstens-Peters

Why Pre-Trip Audits Matter

Travel exposes you to risks that don't exist at home: hostile Wi-Fi, opportunistic theft, border searches, lost devices, forgotten passwords. A two-day audit window gives you time to patch vulnerabilities, test failsafes, and document recovery paths before you're troubleshooting from a hostel at 2 a.m.

The goal isn't paranoia—it's resilience. I want to know that if my laptop disappears in transit or my phone dies mid-flight, I can still access critical accounts, meet deadlines, and contact emergency services.

My 48-Hour Pre-Departure Checklist

T-Minus 48 Hours: Device Hardening

Full system updates

• macOS: softwareupdate -i -a
• iPhone: Settings → General → Software Update
• Linux laptop (backup machine): sudo apt update && sudo apt full-upgrade -y

I run updates two days out so if something breaks (kernel panic, boot loop), I have time to troubleshoot or revert.

Verify disk encryption

• macOS FileVault: fdesetup status (should return "FileVault is On")
• Linux LUKS: confirm /boot is unencrypted, root is encrypted
• External drives: VeraCrypt containers for sensitive client files

In Bogotá, a colleague's unencrypted backup drive was stolen from checked luggage. The data leak cost him two contracts.

Enable firmware password (Mac) / BIOS password (ThinkPad)

• Prevents booting from USB or single-user mode
• Set with firmwarepasswd -setpasswd or in BIOS setup

Review installed software

• Uninstall tools I won't need (old VPN clients, trial apps)
• Audit browser extensions: disable anything sketchy or unused
• Check for outdated packages: brew outdated and upgrade selectively

Last year I found a deprecated npm package with a known RCE. Would've been bad to discover that in a Cairo airport lounge.

Firewall + network rules

• macOS: enable firewall, block all incoming by default
• Linux: ufw enable, whitelist only SSH from Tailscale IPs
• Test that laptop doesn't respond to pings from LAN

T-Minus 36 Hours: Credential Rotation & Backup Codes

Password manager audit

• Export vault to encrypted USB stick (VeraCrypt container)
• Verify master password works, print emergency kit, seal in tamper-evident bag
• Store physical copy in home safe or with trusted contact

I use 1Password. Emergency kit goes in a fireproof pouch at my parents' house. If I lose everything, I can call them and regain access.

Rotate high-value passwords

• Email accounts (Gmail, Proton)
• Banking and payment apps
• Cloud providers (AWS, Hetzner, DO)
• Password manager master password (if I haven't changed it in 6+ months)

New passwords are 20+ characters, randomly generated. I don't reuse anything.

2FA backup codes

• Download fresh codes for every service (Google, GitHub, Stripe, etc.)
• Store in 1Password and print on paper
• Seal printed codes in envelope, pack in carry-on interior pocket

After Tbilisi, I started emailing encrypted backup codes to a trusted friend. If my phone dies and I lose the paper copy, I can ask them to forward the message.

Test recovery paths

• Simulate losing phone: can I regain email access from laptop alone?
• Simulate losing laptop: can I log into accounts from phone + 2FA?
• Worst case: if I lose both, can I reach support and verify identity?

I once locked myself out of AWS because I'd enabled MFA but never saved the recovery key. Testing prevents that.

API keys and tokens

• Rotate any long-lived tokens (> 90 days old)
• Revoke unused keys (old CI runners, deprecated integrations)
• Document where each key is used (Notion page, encrypted)

T-Minus 24 Hours: Backups & Cloud Sync

Full system backup

• Time Machine to encrypted external SSD
• Clone boot drive with Carbon Copy Cloner (bootable backup)
• Verify backup is mountable and files are readable

I've restored from CCC clones twice—once after a failed macOS update, once after spilling coffee on a keyboard.

Cloud sync verification

• Obsidian vault: confirm Syncthing is current
• Git repos: git pull --all on every active project, push any uncommitted work
• Dropbox/iCloud: resolve any sync conflicts

Offsite data snapshot

• Upload encrypted tarball of critical files to Hetzner Storage Box
• Include client contracts, tax docs, project archives
• Verify download works: rclone copy hetzner:backups/snapshot-2025-09.tar.gz.enc /tmp/

If my apartment burns down while I'm abroad, I can rebuild from this snapshot.

Photo and document backups

• Sync Google Photos, iCloud Photos
• Export scans of passport, visas, insurance cards to encrypted folder
• Share folder link with emergency contact

T-Minus 12 Hours: Operational Readiness

VPN configuration

• Confirm WireGuard configs are current on all devices
• Test connection to primary and backup servers (Amsterdam, Chicago)
• Download Mullvad app and import backup config (offline fallback)

DNS over HTTPS / TLS

• Set DoH provider: Cloudflare (1.1.1.1) or Quad9 (9.9.9.9)
• Test: dig +short txt qnamemintest.internet.nl (should show DoT/DoH active)

Tailscale mesh network

• Verify laptop and phone are connected
• Test SSH to home server (if I left one running)
• Confirm access to internal services (Grafana, private docs)

Offline resources

• Download maps for destination city + 100 km radius (Maps.me, Google Maps offline)
• Cache Wikivoyage articles, embassy contact info
• Sync Calibre library (technical books, travel guides)

Financial prep

• Notify credit card issuers of travel dates/locations (avoid fraud locks)
• Confirm ATM withdrawal limits, foreign transaction fees
• Load $200 USD cash in mixed denominations (emergency fund)

T-Minus 6 Hours: Final Checks

Device inventory

• Photograph serial numbers (laptop, phone, camera, tablet)
• Note IMEI: *#06# on phone
• Store list in password manager + email to self

If gear is stolen, police and insurance need these numbers.

Charge everything

• Laptop, phone, backup battery, AirPods, Kindle
• Test that USB-C cables aren't flaky (I carry three backups)

Install travel SIM / activate eSIM

• If using Airalo, install eSIM profile before departure
• Test data connectivity in airplane mode (Wi-Fi off, cellular on)

Pack security gear

• YubiKey (backup 2FA device)
• USB-C to Ethernet adapter (sketchy Wi-Fi bypass)
• Privacy screen for laptop (anti-shoulder-surfing)

Set auto-lock timers

• iPhone: 2 minutes
• macOS: 5 minutes
• Require password immediately after sleep

Enable "Find My" / anti-theft tracking

• iPhone: Settings → [Name] → Find My → enable all options
• Mac: System Preferences → Apple ID → iCloud → Find My Mac
• Install Prey on Linux backup laptop

Prepare emergency contact card

• Name, phone, email of someone back home
• Travel insurance policy number
• Embassy contact for destination country
• Laminate card, keep in wallet

Lessons from Skipped Audits

Accra, Ghana, 2023: Forgot to rotate AWS root password. Account got flagged for suspicious activity (login from new country). Took 18 hours to regain access via support ticket. Missed a deployment window.

Reykjavik, Iceland, 2024: Didn't verify backup integrity. Tried to restore a corrupted file, discovered my Time Machine backup was 6 weeks stale. Lost client meeting notes.

Bangkok, Thailand, 2024: Skipped VPN testing. Arrived to find hotel blocked WireGuard ports. Scrambled to configure OpenVPN over TCP 443. Wasted two hours I'd budgeted for actual work.

Buenos Aires, Argentina, 2025: Forgot to download offline maps. Phone died during a ride-share, couldn't navigate to Airbnb. Paid for overpriced data roaming to load Google Maps.

Every item on my checklist exists because I screwed it up once.

Streamlining the Process

Automation where possible

• macOS: brew bundle dump exports installed apps (restore with brew bundle)
• Ansible playbook for Linux laptop: config management, package installs
• Shell script for backup verification: mounts drives, checks timestamps, runs checksums

Templates and checklists

• Notion database with pre-trip tasks, due dates, dependencies
• Print checklist, cross off items with pen (tactile, satisfying)
• Review completed checklist before closing laptop for flight

Recurring calendar reminders

• "Start pre-trip audit" (48 hours before departure)
• "Rotate 2FA codes" (quarterly, regardless of travel)
• "Test backups" (monthly)

What I Don't Bother With

Wiping browser history: I use private browsing for sensitive stuff; regular history isn't worth the hassle.

Disabling cloud sync: I trust encryption. Dropbox E2E + VeraCrypt containers = fine.

Burner phone: Overkill for my threat model. I'm not a journalist in a hostile state; I'm a freelancer worried about pickpockets.

Fresh OS install: Unless I'm crossing a high-risk border (China, Russia), I don't nuke and pave. Too time-consuming.

The Payoff

This routine takes 4–6 hours spread across two days. That's annoying when I'm packing and prepping for client handoffs. But I've had zero catastrophic security failures in 18 months. No account lockouts mid-trip. No unrecoverable data loss. No surprise vendor bills because I forgot to kill orphaned cloud resources.

When my bag got slashed in Barcelona and someone grabbed my tablet, I activated Find My, saw it power off two blocks away, filed a police report with the serial number, and kept working from my phone. The pre-trip audit gave me redundancy I didn't know I'd need until that exact moment.

Security isn't a one-time setup. It's a habit you sharpen before every departure, so when chaos happens—and it will—you're already three steps ahead.