Setting up a secure workstation at home (hardware)


#1

In this thread I am going to explore options for building a secure workstation at home. The emphasis will initially be on hardware, but later we can add further considerations for software and OS hardening.

Background

I’m not actually thinking about the hardware requirements for running a validator at home, although the thought process here is similar. Even if you do run your own machine for validation (could be at home, or in a data center), you should consider also having a dedicated secure workstation.

Why? Take another look over Trail of Bits’ security rules for hardware wallets: 10 Rules for the Secure Use of Cryptocurrency Hardware Wallets. In particular, let’s have another look at rule 8: “Consider using a high assurance workstation, even with a hardware wallet”.

By dedicating a workstation to the single task of operating the hardware wallet, it can be locked down to a greater degree because it is not used for day-to-day tasks, nor exposed to as many potential sources of compromise.

This workstation would be offline only, and dedicated to the task of transaction creation and signing using the hardware wallet.

I think this is sound advice for people operating validation servers or for people who want a dedicated machine for managing keys and wallet files. Nominators with a large amount of tokens should also consider this advice with great keenness.

I started to do a little digging to figure out what hardware might be suitable for this task. I can certainly build a system, that’s pretty easy, but I wondered if I could just buy a device off-the-shelf and start using it straight away. So far I’ve mostly come up short.

While thinking about potential hardware solutions, the following sections have the things I had in mind…

Considerations

  • Portability - I’m leaning towards making it as small as possible.
  • Connectivity - LAN only would be acceptable (but ideally not). Strongly prefer no wireless modules.
  • Trusted components - hard to gauge this, but perhaps it would be wise to avoid Chinese companies given the recent scares.

The device doesn’t need to have high performance. It only needs to run a modern OS and little more.

My first thoughts were to consider using small form factor devices, e.g.:

  • Raspberry Pi
  • Gigabyte Brix
  • Intel NUC

These devices are highly portable which I think is useful although perhaps not entirely necessary. The lower end ones should be cheap enough while also having enough computing power.

My initial fear was that all options come with wireless modules soldered to the boards. I suspected it wouldn’t be easy to remove the wireless chips from these devices either. However, it looks like both the Brix and NUC options do have some models where the wireless module is a removable card.

One possibility is to build a Faraday cage, or to consider looking for other devices. Update: Scratch that, it isn’t worth the hassle!

It seems like there is a gap in the market for small but secure computing devices (surely, they exist?!).

As I continued my search, I recalled a good blog from Jameson Lopp. It turns out that it also has some suggestions for hardware. See the blog in question: “Fifteen Men on a Dead Man’s Switch”. His suggestion is to get a cheap laptop (will have wireless connectivity), or to consider a device from puri.sm; however, the current range is expensive.

One interesting link from his blog is to the Glacier Protocol, which also has a hardware page. It mentions the use of a cheap laptop, but I note that the laptop has wireless connectivity (not perfect, but potentially acceptable). The guide does suggest removing the cards, but somehow I’d prefer it to be simpler! I suppose a good thing about laptops is that they are an all-in-one device. You don’t need to buy further peripherals.

I know it is possible to create a Faraday cage at home, in order to kill wireless signals, but I also figured that would be a pain. One of the links on the glacier site leads to a guide that suggests it could be easy. Small form factor devices would easily fit inside a small homemade Faraday cage, but it does kill some amount of portability.

Device List

A list of devices to consider for creating a secure (isolated) workstation.

Small devices

I think the NUC (as well as the Raspi) both have fixed wireless chips. Older versions of the NUC apparently have a removable card, while older versions of the Pi don’t have wifi. That said, the Pi 0 has no wireless and very limited connectivity, which reduces attack surface and cost. The Brix definitely has models with removable wireless cards (picture).

It looks like many of the Brix systems have removable cards and support Linux.

Laptops / Netbooks

  • Cheap netbooks
  • Chromebooks
  • Mid/High end laptops
  • Puri.sm laptops - e.g. Librem 3

Barebones desktop
If we don’t go for a small form factor device (all-in-one) then we could build a small desktop system. This is a bit cheaper, but far larger in size and requires a little time / effort to build.

I threw together something on PC Part Picker.

  • Intel - Core i3-8100 3.6 GHz Quad-Core Processor - $118.89
  • Rosewill - RCX-Z775-LP 33.5 CFM Sleeve Bearing CPU Cooler - $11.99
  • ASRock - H310M-ITX/ac Mini ITX LGA1151 Motherboard - $79.99
  • Kingston - HyperX Fury Black 4 GB (1 x 4 GB) DDR4-2133 Memory - $29.99
  • Crucial - BX300 120 GB 2.5" Solid State Drive - $25.96

Plus a case:

  • Rosewill - RS-MI-01 BK Mini ITX Tower Case w/250 W Power Supply - $54.99

I selected something small but PC Partpicker says that there might be an incompatibility. It is great that a power supply is included.

Build total: $321.81

Comments
I debated whether to make it a Pentium / Celeron or an i3. It definitely doesn’t need to be powerful, but I do want to make sure there is Linux support and I figure that will be easier on more popular processors.

I also picked a small motherboard to try and make it as small as possible. This is essentially a single-purpose computer; it doesn’t need to be large.

The total price is quite a bit less than a Gigabyte Brix of similar(ish) performance.

I did build a simple rig with a few second parts in 2017 and got an Athlon CPU for c. $30. The only problem is that the motherboard didn’t support Linux. :confused:

Happy to hear people’s thoughts on this topic too!
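
Added example, not part of the original post: once a removable wireless card has been pulled as discussed above, a Linux install can be checked for radios the kernel still exposes. The function names and the constructed sysfs tree are assumptions for illustration; the sysfs paths are the standard Linux ones.

```shell
#!/bin/sh
# Added example: list radio hardware the Linux kernel exposes through sysfs.
# Prints one line per finding; returns 0 if none were found, 1 otherwise.
find_radios() {
    root="${1:-/sys}"          # alternate root lets us test on a constructed tree
    found=0
    # Wi-Fi interfaces carry a phy80211 link (cfg80211) or a wireless/
    # directory (legacy wireless extensions).
    for dev in "$root"/class/net/*; do
        [ -e "$dev" ] || continue
        if [ -e "$dev/phy80211" ] || [ -d "$dev/wireless" ]; then
            echo "wifi ${dev##*/}"
            found=1
        fi
    done
    # Bluetooth controllers register as hciN.
    for dev in "$root"/class/bluetooth/hci*; do
        [ -e "$dev" ] || continue
        echo "bluetooth ${dev##*/}"
        found=1
    done
    # rfkill lists every radio switch with its type (wlan, bluetooth, wwan, ...).
    for sw in "$root"/class/rfkill/rfkill*; do
        [ -r "$sw/type" ] || continue
        echo "rfkill ${sw##*/} $(cat "$sw/type")"
        found=1
    done
    return "$found"
}

# Constructed sample tree (not real hardware): wired-only, or with radios added.
make_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/class/net/eth0" "$t/class/net/lo"
    if [ "$1" = "with-radio" ]; then
        mkdir -p "$t/class/net/wlan0/phy80211" "$t/class/bluetooth/hci0" \
                 "$t/class/rfkill/rfkill0"
        echo wlan > "$t/class/rfkill/rfkill0/type"
    fi
    echo "$t"
}

# Demo on the constructed tree; on the real machine call find_radios with no argument.
demo=$(make_constructed_tree with-radio)
find_radios "$demo" || echo "radio hardware still visible to the kernel"
rm -rf "$demo"
```

An empty result only shows that the kernel has bound no radio driver; a soldered chip whose driver is not loaded would not appear, so this confirms a physical removal rather than replacing it.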


#2

There’s alternatives to a Raspi without onboard wifi - eg some of the Banana Pi models… (include SATA connection and more RAM options)


#3

Nice! Didn’t know that. In your travels across the internet have you come across similar discussions or perhaps a good resource for this topic?

Re: Banana Pi, can you recommend a model? I’m having a look at their site but can’t quite figure out which is wifi-free.

Re: Raspberry Pi. One concern with Raspi was whether it supports encrypted disks. I believe you can, but it isn’t by default. I did look up using LUKS on Raspi. Although even that is not without dangers.

I was discussing this topic in an email with other people and they raised a point about boot security. I’m not sure if those are huge problems if, say, you only used the device for manipulating data (accessing files), but have the sensitive material stored on removable disks.

The lack of ability to remove the wifi chip does still hang heavy on me, and I was just reminded of a vulnerability affecting wifi firmware.

Cheap netbook / Chromebook
This came up as a suggestion in the aforementioned email. Using a cheap netbook could work well. It is an all-in-one solution that won’t require peripherals and is perhaps the cheapest even if the form factor isn’t technically as small as a Pi or a Brix.

I’d be more keen on one that runs Linux than going for a Chromebook. I at least have a decent idea about how to harden Linux, whereas I’m less knowledgeable about the latter.

Small devices
Apparently there are some options for small form factor devices that have removable wireless chips.

Caveats:

  • The Mac Mini because its firmware makes the initial Linux install a total hassle.
  • NUCs apparently have great Linux support, but in recent models only the highest-end model has an RF card that is not soldered onto the board.

It looks like Brix have removable wireless cards. I hadn’t appreciated that I was browsing them before. One comment on Amazon suggests that Linux support is poor. Update: Actually, I found a few videos on YouTube that suggest it is possible, plus one guy also removes the wifi card. Also, on the official site you can see that the card can be removed: picture.


#4

check specs for banana pi f2 & w2.


#5

Cool. Thanks again!

Both have SATA and HDMI which is useful.

I see the W2 but not the F2 on Ali Express. W2: $100, just for the board and postage.

Some comments suggest that Linux support ain’t great. :-/

Ok. But still no Ubuntu support

Good soldering. But official OS images are terrible. The kernel requires a lot of work. Too many things that support by soc are not implemented.

Raspberry Pi 0
Interestingly, the Raspi 0 has no wifi and almost no connectivity at all! No ethernet either. This reduces the attack surface a lot, which is interesting. Dunno why I overlooked this before.

The basic board is also less than a fiver.

Thoughts on transaction signing

One of the reasons for thinking about this thread is the need for signing transactions (/extrinsics) offline. I realise that Parity Signer basically offers this, but it is currently a mobile app. The backend is apparently written in Rust, so only front end needs to be redone. No promises that is ever delivered, but it would be cool to see.

update: Now that Polkawallet have made a public announcement I’ve asked them if they would build a desktop version and consider integrating Parity Signer functionality.


#6

I’ve only ever played around with raspi’s so no idea on price or setting up a banana pi - I was just pointing out that there are some raspi alternatives without wifi onboard. I’d not write them off from one comment - but then neither am I suggesting that a super sff is best option for use case… And, yep, some older raspi’s didn’t have wifi o/b.


#7

Thanks for the recommendation. Is always good to learn more!

I did try to build a simple Faraday cage to try blocking out wifi signal with a RPi that I already had, but it was a lot harder than expected!

I will need to try playing around with some of the other devices!

