Should I worry about being targeted in China as a small hardware startup owner?

  • You're not big enough or important enough to attract attention from the Gov. Depending on your suppliers, you might not be that significant to them either.

    I never had a problem with my factories. Good business people that understood my success was their success.

  • Also consider the little guy, the less ethical hardware supplier and their associates. I'd place more preparation on the horde of less ethical Chinese companies taking advantage of a foreigner than any Chinese Gov. intervention.

  • Tailscale may not work if you funnel traffic to a VPS, as that's a common firewall avoidance tactic. A roaming SIM will have full access to the external internet without needing a VPN; if your carrier roaming is expensive, an eSIM from 3hk or any other Asia roaming SIM may be worth it for 20-50 USD depending on how much data and how long for. If you have any conceivable access to data that someone really wants, always remember xkcd and the wrench. Enjoy China, it is a fantastic place; don't talk about politics and enjoy.

  • Nothing to worry about as long as you don't get into politics. Enjoy your stay.

  • In my opinion, your setup is likely to be insufficient for the purposes you want, and in some minor or not so minor ways may be more likely to draw additional scrutiny (i.e. GrapheneOS (minor)/Tailscale(?)).

    Physical access is almost never needed with current consumer hardware, especially if they control the infrastructure, which they do.

    Any services you access through their network can potentially be impersonated later or denied while you are there. Cookie capture for auth access tokens is real and very simple to do, and there are many other security threats in the IT space.

    You should follow good security hygiene when starting and ending engagements.

    You may want to limit your personal access through an intermediary, and almost surely should do a full account reset for all related services/systems you access while abroad upon your return, if you do not choose to create stubbed accounts.

    It may be better to use limited stub accounts while traveling, which may also be used later as a tripwire indicator/honeypot of interest related to a particular trip.

    From what you've written, it seems that you neglect the fact that physical coercion negates all your current security measures.

    You should familiarize yourself with the laws there regarding VPNs, and the related requirements, as well as the customs of business in that country. (i.e. Gift Giving on first meeting, Who pays lunch, that sort of thing).

    Not that it will come to physical coercion, or that it is even likely given your profile, but still, you should be aware and prepare accordingly. It is all about risk management.

    As for what threats you should be worried about, it's generally nothing you wouldn't already consider in any other country where your personal security is not guaranteed.

    If you are particularly concerned about your safety or security, or are entering a high-risk area, K&R insurance, its related planning and preparation for travel abroad often covers the most critical important aspects. This is their jam. Cyber-related losses may potentially be covered under the extortion part of these policies.

    Generally speaking, the sooner your state-side counterpart knows there is an actionable issue, the quicker they can react, and this will largely be decided by your level of acceptable risk and prior preparation. Regular check-ins are good practice.

    Subtle challenge-response phrase check-ins may allow you to indicate duress, or that you are missing (and not the one responding) in some extreme circumstances.

    I'd like to emphasize, none of this is likely to be needed, but these things do happen, and still it is prudent to plan for the worst to give you the best chances if something does go wrong.

    You should consider that whatever you access directly while you are there will not be private.

    Also, the night before is hardly the right time to be asking these questions.

    There is a lot of business process that generally needs to be implemented for proper risk management in an international business setting.

    You may find this article helpful as a starting point, and may consider reaching out to one of the companies that specialize in these services, if further, more detailed knowledge is needed.

    https://us.milliman.com/en/insight/pirates-kidnappings-and-r...
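
The comment above suggests stub accounts that double as a tripwire after the trip, plus a full account reset on return. The following is an added example, not part of the original thread: a post-trip check over authentication events that flags any later activity on a stub account and any session that outlived the reset. The event layout, account names, dates and the `find_alerts` function are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events (not real logs):
# (event time, account, session id, time the session was issued)
EVENTS = [
    ("2024-05-03T09:10", "trip-stub@example.com", "s1", "2024-05-03T09:10"),
    ("2024-05-09T18:00", "trip-stub@example.com", "s1", "2024-05-03T09:10"),
    ("2024-05-20T02:14", "trip-stub@example.com", "s1", "2024-05-03T09:10"),
    ("2024-05-21T11:00", "owner@example.com", "s7", "2024-05-06T08:30"),
    ("2024-05-22T10:00", "owner@example.com", "s9", "2024-05-12T09:00"),
    ("2024-06-15T03:40", "trip-stub@example.com", "s12", "2024-06-15T03:40"),
]


def ts(value):
    """Parse the ISO-8601 timestamps used in EVENTS."""
    return datetime.fromisoformat(value)


def find_alerts(events, stub_accounts, trip_end, reset_at):
    """Return (time, account, reason) tuples for events that should not exist.

    stub-tripwire: any activity on a stub account after the trip ended. The
                   account has no legitimate user any more, so every hit
                   is a signal of interest tied to that trip.
    stale-session: a session issued before the post-trip reset that is still
                   in use afterwards. The reset should have revoked it, so
                   this means the reset was incomplete or a captured token
                   is being replayed.
    """
    trip_end, reset_at = ts(trip_end), ts(reset_at)
    alerts = []
    for when, account, _session, issued in sorted(events):
        when_t, issued_t = ts(when), ts(issued)
        if account in stub_accounts and when_t > trip_end:
            alerts.append((when, account, "stub-tripwire"))
        if when_t > reset_at and issued_t < reset_at:
            alerts.append((when, account, "stale-session"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS, {"trip-stub@example.com"},
                             trip_end="2024-05-10T00:00",
                             reset_at="2024-05-12T00:00"):
        print(alert)
```

A stale-session hit on a real account is the more urgent of the two, since it means the return reset did not revoke everything it should have.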
