When you install the Linux OS, you have to assume that the software is the genuine one, free of backdoors. Linux distributions tend to use digital signatures on packages; a digital signature does not guarantee absence of backdoors, but it prevents undetected alterations in transit: you know that the package you get is the one produced by the packager. Since you must make this basic assumption, the problem becomes one of networking: how do you get the packages into an offline system?
There are several possibilities:
Burn a CD or DVD. On the plus side, most distributions can be obtained as a ready-to-burn ISO image, so you just have to make sure that you get the right one (download, compute the MD5 hash, compare with the value obtained from the source site over HTTPS), and you have a whole set of packages. On the minus side, a netbook won't have a CD/DVD reader, so you have to hook up a USB-driven reader.
Transfer the packages with some medium, e.g. a USB disk. As you note, this raises the possibility of malicious firmware. An alternative is to use a CD/DVD writer, which is a lot more cumbersome, but arguably safer since a CD or DVD does not contain any firmware. In older times one would have used a magnetic medium like Iomega Zip drives, but they have become rare nowadays, and are very expensive (in particular considering the size of individual disks: 100 MB... which is a lot when you think about it, but can be cramped with modern fat software).
Use the network. Of course, that's challenging on an offline machine, by definition. You may make a trade-off, with a machine which is mostly offline, but that you occasionally plug into the Internet. You would then want to use a direct Ethernet cable, connected to another machine that will do some NAT and firewalling. That way, your security relies on the bridge machine not being under hostile control at the time you connect.
One may note that for a truly offline machine, one that is never connected, installing security fixes loses most of its relevance: a patch that prevents remote code execution in some server software is not needed if said server software is never launched. You could simply run off a "base" set of packages that you installed from an official ISO image initially.
Network attacks are definitely thwarted when there is no network at all, but you will want to consider other types of attacks, in particular outright theft of the device. This is a netbook; it is easy to carry and run away with. On the other hand, you will not keep it with you at all times (e.g. when you take a shower), so there will be periods when the device could be stolen. In that case, you want to make sure that the machine contains no intelligible secret when you are not using it. This points at encryption, unlocked with a master password that you keep in your head, and are willing to type when you want to access the data.
You can do encryption on a per-file basis, in which case the tool of choice would be GnuPG (the open-source PGP implementation). To really use it safely, you have to take some care:
Don't configure swap space on your machine. You must run on physical RAM only. Most Linux distributions will want to set up some swap upon installation, so you may have to prevent it or deactivate it afterwards. Not using swap prevents potentially secret data elements from leaking to the physical medium underlying swap space: RAM contents disappear for good about one minute after power-off.
Use a RAM-based filesystem. When GnuPG decrypts a file, it will write the cleartext as another file, and you don't want that file to hit a physical medium. Instead, you must make sure that you work in a filesystem backed by physical RAM only (type man mount, then search for tmpfs). This implies some care: encrypted files are stored on the disk, but when you want to decrypt them, you first copy them to a RAM-based filesystem and do the decryption/re-encryption there.
Make sure to select a strong password. That is, a random password, not a witty password. See this question for guidance.
You may have noticed that not using swap, and then carving up a chunk of physical RAM for a filesystem, implies higher RAM usage. If your cheap netbook has little RAM, then this may be a problem. A "raw" Linux can run in very little RAM (my first Linux could boot and run a graphical interface in as little as 8 MB of RAM without swapping, but it was in 1994). However, modern Linux distributions tend to eat up a lot of RAM (though not using a Web browser -- since the machine is offline -- will make your life much easier). In practice, I use Lubuntu; for the purposes you envision, you should be able to fit a comfortable Lubuntu with a 400 MB RAM-based filesystem in a netbook with 1 GB of RAM.
An alternative is full-disk encryption. If you use full-disk encryption, you can use swap and do not need a RAM-based filesystem. However, full-disk encryption will have to be done at installation time, and you don't get as much flexibility with regards to algorithms and tools.
Don't forget backup. You don't want to see your secrets stolen, but you don't want to lose them either, e.g. if the netbook, one day, refuses to boot. There again, you will need either encryption or physical protection (keep these CDs in a safe), or both.
You will want to avoid forgetting your master password as well. For that, write it on a piece of paper, put the paper in a sealed envelope, and the envelope in a bank safe.
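The "no swap, work in tmpfs, decrypt and re-encrypt there" procedure from the GnuPG part of the answer, as an added example that is not part of the original answer. It is a POSIX shell script written for this page; it assumes GNU coreutils (for stat -f), a Linux /proc/swaps, gpg on the PATH, and a tmpfs mounted at the assumed path /mnt/ram. It uses symmetric (passphrase) encryption because that matches the master-password model described above; replacing --symmetric with --encrypt -r KEYID gives the public-key variant with no other change.

```sh
#!/bin/sh
# Added example, not the original answer's code. Refuses to decrypt anything
# unless swap is off and the working directory is RAM-backed, so the cleartext
# never touches a physical disk.
#
# One-time setup, as root (paths are assumptions for this example):
#   swapoff -a                        # and comment out the swap line in /etc/fstab
#   mkdir -p /mnt/ram
#   mount -t tmpfs -o size=400m tmpfs /mnt/ram

# Count active swap areas in /proc/swaps-style text read from stdin.
# The first line of /proc/swaps is a header; every later non-empty line is a swap area.
active_swap_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# True if a filesystem type name (as printed by `stat -f -c %T`) is RAM-backed.
is_ram_backed_fstype() {
    case "$1" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Both preconditions from the answer, checked before any cleartext exists.
check_environment() {
    workdir=$1
    if [ "$(active_swap_count < /proc/swaps)" -ne 0 ]; then
        echo "refusing: swap is active (run swapoff -a first)" >&2
        return 1
    fi
    fstype=$(stat -f -c %T "$workdir") || return 1
    if ! is_ram_backed_fstype "$fstype"; then
        echo "refusing: $workdir is $fstype, not tmpfs/ramfs" >&2
        return 1
    fi
}

# Decrypt $1 (a .gpg file on disk) into $2 (RAM-backed directory), edit it,
# re-encrypt it with the passphrase (AES-256), replace the on-disk ciphertext,
# and delete the cleartext. Nothing unencrypted is ever written outside $2.
edit_encrypted_in_ram() {
    enc=$1
    workdir=$2
    check_environment "$workdir" || return 1
    plain=$workdir/$(basename "$enc" .gpg)
    gpg --output "$plain" --decrypt "$enc" || return 1
    "${EDITOR:-vi}" "$plain"
    # Write the new ciphertext first, then replace the old one with a rename,
    # so an interruption never leaves you with neither version.
    gpg --yes --output "$enc.new" --symmetric --cipher-algo AES256 "$plain" || return 1
    mv "$enc.new" "$enc"
    rm -f "$plain"      # lived only in RAM; gone for good once the machine is off
}

# Usage: sh edit-in-ram.sh secrets.txt.gpg /mnt/ram
if [ $# -eq 2 ]; then
    edit_encrypted_in_ram "$1" "$2"
fi
```

The two small checks are deliberately separate from the gpg steps so they can be reused (for instance from a login script that warns when swap has crept back in after a distribution upgrade); shredding the cleartext is not needed, since on tmpfs rm is enough and the data has no disk sectors to overwrite.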