We used a Dell workstation laptop, which has ECC memory and a Xeon processor like a server. Built-in keyboard and trackpad reduces the risk of random external devices needing to be used.
Protection was BitLocker drive encryption with a manually entered (long!) passphrase to decrypt. Backups were to encrypted USB media never plugged into anything else other than a redundant clone of the CA used for DR testing. Everything went into safes.
This design works Well Enough for all but the most demanding purposes, but the whole rigmarole was undone by a well-meaning but naive admin “just doing his job”.
Protection was BitLocker drive encryption with a manually entered (long!) passphrase to decrypt. Backups were to encrypted USB media never plugged into anything else other than a redundant clone of the CA used for DR testing. Everything went into safes.
This design works Well Enough for all but the most demanding purposes, but the whole rigmarole was undone by a well-meaning but naive admin “just doing his job”.