The procedure that I got recommended in 2005 was to install a second fresh operative system (preferable windows) on the laptop on a separate partition/disk, make a copy of the old boot partition and disk encryption headers, encrypt the copy and store it online for later retrieval, and then overwrite the old boot with the new installation. Make sure to leave the old partitions alone.

The restore is then as simple as downloading the encrypted backup, decrypt and dd it back in place. Repeat the process before taking the trip back. It was advisable to test the processes before to familiarize yourself to it, and to use the fresh installation a bit so it wasn't completely blank.

I made this suggestion when I served on the security team at a major cybersecurity player.

When we had our company-wide annual internal conference it was always in person. This meant that basically everyone, with basically cumulative access to everything, and all our code, would be traveling across a multitude of borders at once. Some of which were less friendly than the US (at that time).

This was rejected as impractical for developers and redundant for everyone else. So I suggested locking the accounts of everyone who was traveling between the time they left and the time they arrived. This would have the side effect of signing them out of our most sensitive systems and removing certain highly confidential data from laptops. This was also rejected as “unnecessary”.

That company now counts a healthy proportion of the Fortune 500 amongst their customer base. I hope things are not so cavalier anymore.

I would like to add as a reminder to encrypt all devices as well. Leave as little plaintext data as possible.

Veracrypt has the ability to create hidden volumes, regardless of OS.

How do you restore it via VPN? Don't you first need a workable OS to connect to VPN first?