In this thread I am going to explore options for building a secure workstation at home. The emphasis will initially be on hardware, but later we can add further considerations for software and OS hardening.
I’m not actually thinking about the hardware requirements for running a validator at home, although the thought process here is similar. Even if you do run your own machine for validation (could be at home, or in a data center), you should consider also having a dedicated secure workstation.
Why? Take another look over Trail of Bits’ security rules for hardware wallets: 10 Rules for the Secure Use of Cryptocurrency Hardware Wallets. In particular, let’s have another look at rule 8: “Consider using a high assurance workstation, even with a hardware wallet”.
By dedicating a workstation to the single task of operating the hardware wallet, it can be locked down to a greater degree because it is not used for day-to-day tasks, nor exposed to as many potential sources of compromise.
This workstation would be offline only, and dedicated to the task of transaction creation and signing using the hardware wallet.
I think this is sound advice for people operating validation servers or for people who want a dedicated machine for managing keys and wallet files. Nominators with a large amount of tokens should also consider this advice with great keenness.
I started to do a little digging to figure out what hardware might be suitable for this task. I can certainly build a system, that’s pretty easy, but I wondered if I could just buy a device off-the-shelf and start using it straight away. So far I’ve mostly come up short.
While thinking about potential hardware solutions, these are the things I had in mind:
- Portability - I’m leaning towards making it as small as possible.
- Connectivity - LAN only would be acceptable (but ideally not). Strongly prefer no wireless modules.
- Trusted components - hard to gauge this, but perhaps it would be wise to avoid Chinese companies given the recent scares.
The device doesn’t need to have high performance. It only needs to run a modern OS and little more.
My first thought was to consider using small form factor devices, e.g.:
- Raspberry Pi
- Gigabyte Brix
- Intel NUC
These devices are highly portable which I think is useful although perhaps not entirely necessary. The lower end ones should be cheap enough while also having enough computing power.
My initial fear was that all options come with wireless modules soldered to the boards. I suspected it wouldn’t be easy to remove the wireless chips from these devices either. However, it looks like both the Brix and NUC options do have some models where the wireless module is a removable card.
One possibility is to build a Faraday cage, or to consider looking for other devices. Update: Scratch that, it isn’t worth the hassle!
It seems like there is a gap in the market for small but secure computing devices (surely, they exist?!).
As I continued my search, I recalled a good blog from Jameson Lopp. It turns out that it also has some suggestions for hardware. See the blog in question: “Fifteen Men on a Dead Man’s Switch”. His suggestion is to get a cheap laptop (will have wireless connectivity), or to consider a device from puri.sm; however, the current range is expensive.
One interesting link from his blog is to the Glacier Protocol, which also has a hardware page. It mentions the use of a cheap laptop, but I note that the laptop has wireless connectivity (not perfect, but potentially acceptable). The guide does suggest removing the cards, but somehow I’d prefer it to be simpler! I suppose a good thing about laptops is that they are an all-in-one device. You don’t need to buy further peripherals.
I know it is possible to create a Faraday cage at home, in order to kill wireless signals, but I also figured that would be a pain. One of the links on the glacier site leads to a guide that suggests it could be easy. Small form factor devices would easily fit inside a small homemade Faraday cage, but it does kill some amount of portability.
A list of devices to consider for creating a secure (isolated) workstation.
I think the NUC (as well as the Raspi) both have fixed wireless chips. Older versions of the NUC apparently have a removable card, while older versions of the Pi don’t have wifi. That said, the Pi 0 has no wireless and very limited connectivity, which reduces attack surface and cost. The Brix definitely has models with removable wireless cards.
It looks like many of the Brix systems have removable cards and support Linux.
Laptops / Netbooks
- Cheap netbooks
- Mid/High end laptops
- Puri.sm laptops - e.g. Librem 3
If we don’t go for a small form factor device (all-in-one) then we could build a small desktop system. This is a bit cheaper, but far larger in size and requires a little time / effort to build.
I threw together something on PC Part Picker.
- Intel - Core i3-8100 3.6 GHz Quad-Core Processor - $118.89
- Rosewill - RCX-Z775-LP 33.5 CFM Sleeve Bearing CPU Cooler - $11.99
- ASRock - H310M-ITX/ac Mini ITX LGA1151 Motherboard - $79.99
- Kingston - HyperX Fury Black 4 GB (1 x 4 GB) DDR4-2133 Memory - $29.99
- Crucial - BX300 120 GB 2.5" Solid State Drive - $25.96
Plus a case:
- Rosewill - RS-MI-01 BK Mini ITX Tower Case w/250 W Power Supply - $54.99
I selected something small but PC Part Picker says that there might be an incompatibility. It is great that a power supply is included.
Build total: $321.81
I debated whether to make it a Pentium / Celeron or an i3. It definitely doesn’t need to be powerful, but I do want to make sure there is Linux support and I figure that will be easier on more popular processors.
I also picked a small motherboard to try and make it as small as possible. This is essentially a single-purpose computer; it doesn’t need to be large.
The total price is quite a bit less than a Gigabyte Brix of similar(ish) performance.
I did build a simple rig with a few second-hand parts in 2017 and got an Athlon CPU for c. $30. The only problem is that the motherboard didn’t support Linux.
Happy to hear people’s thoughts on this topic too!
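Added example (not part of the original post): once a removable wireless card has been pulled, as discussed above for the Brix and NUC, this shell check lists whatever radio hardware the running Linux kernel still registers. The optional sysfs-root argument and the two sample trees are constructed for illustration so the check can be tried without real hardware.

```shell
#!/usr/bin/env bash
# Added example: report radio hardware the running Linux kernel still exposes.
# The sysfs-root argument is an assumption added for testing; default is /sys.

list_radios() {
    local root="${1:-/sys}" p
    # Wi-Fi interfaces carry a wireless/ directory or a phy80211 link.
    for p in "$root"/class/net/*; do
        if [ -e "$p/wireless" ] || [ -e "$p/phy80211" ]; then
            echo "wifi-interface ${p##*/}"
        fi
    done
    # rfkill lists every registered radio, including soft-blocked ones.
    for p in "$root"/class/rfkill/rfkill*; do
        [ -r "$p/type" ] && echo "rfkill-$(cat "$p/type") ${p##*/}"
    done
    # Bluetooth controllers register as hciN.
    for p in "$root"/class/bluetooth/hci*; do
        [ -e "$p" ] && echo "bluetooth-controller ${p##*/}"
    done
    return 0
}

audit_radios() {
    local found
    found="$(list_radios "${1:-/sys}")"
    if [ -n "$found" ]; then
        printf 'FAIL: radio hardware visible\n%s\n' "$found"
        return 1
    fi
    echo "PASS: no Wi-Fi or Bluetooth hardware registered"
}

# Constructed sample trees: "stock" imitates a board with a combined
# Wi-Fi/Bluetooth card fitted, "stripped" the same board with the card removed.
make_sample_trees() {
    local d="$1"
    mkdir -p "$d/stock/class/net/wlan0/wireless" "$d/stock/class/net/eth0" \
             "$d/stock/class/rfkill/rfkill0" "$d/stock/class/bluetooth/hci0" \
             "$d/stripped/class/net/eth0" "$d/stripped/class/net/lo"
    echo wlan > "$d/stock/class/rfkill/rfkill0/type"
}

demo_dir="$(mktemp -d)"
make_sample_trees "$demo_dir"
audit_radios "$demo_dir/stock" || true   # expected to fail: card still fitted
audit_radios "$demo_dir/stripped"        # expected to pass
rm -rf "$demo_dir"
```

On the workstation itself, call `audit_radios` with no argument. A pass only shows that no radio has a driver bound to it; hardware whose driver is missing or blacklisted will not appear, so physical removal remains the real control.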