2

I have an off-the-shelf PC with a database on it (CouchDB). The database contains sensitive data. I'm taking this machine to a community with poor/zero data connectivity, where the database will accessible through their LAN. At some frequency, the machine will sync with an upstream "master" database in AWS - the machine may be physically driven to a place with connectivity to sync as required.

The machine has both public/private keys for a self-signed SSL certificates trusted by those using the service locally.

I cannot provide any reasonable level of access security to the machine. It is likely an unsolvable security situation. That said, I'm looking for some mitigations which I can do to decrease the severity of a successful attack and increase barriers to a successful attack.

  • Full Disk Encryption (one "admin" on site will need this password in case of a reboot)
  • Limit the amount of data on the machine.
  • Can ensure nobody on site has user/root credentials for the machine (only tech support coming in to fix an issue).

Beyond these steps, what barriers should I be considering to make this tamper resistant? I'm primarily concerned about data privacy + data integrity.

Kenn
  • 131
  • 4
  • 2
    What kind of tampering are you worried about? Are you worried about confidentiality of the data(keeping it secret), integrity(keeping bad actors from changing it), or availability(database goes down)? What kind of adversaries are you worried about (nation-states, local law enforcement, script kiddies, bored teenagers etc)? – user8675309 Nov 08 '18 at 15:51
  • 1
    @user8675309 I'm most worried about keeping the confidentiality of the data and integrity of the data (particularly, I'm worried about the data upstream being compromised when the server syncs to the cloud). It would be nice to know if the machine was tampered with. For adversaries, I have no idea. I'd just be guessing. – Kenn Nov 08 '18 at 19:37
  • Around here it's usually very difficult to give good advice if we don't know who you're worried about. For instance, if you're trying to keep your data safe from a well-trained, persistent bad actor with thousands in funding to throw at infiltrating your db (e.g. federal agency) it's a much different prospect than keeping it safe from a nosy user or driveby malware. Even if you can't name all of the threats you could possibly face, it might help to think about what threats you're reasonably likely to face in your scenario. – user8675309 Nov 08 '18 at 23:04
  • 1
    @user8675309 It's a government sponsored project in a rural village. Local people have very little internet access and poor technical skills. Realistically, it is likely there won't even be a monitor/keyboard to plug into the machine. So -- unlikely to be a very sophisticated attack. I think I'm mostly here to cover my bases, and do my best to respect that data that is going to be on this machine. – Kenn Nov 12 '18 at 14:53

1 Answers1

1

Your barriers are going to be hardening your OS, mainly, so that it doesn't allow things like root access and USB peripherals. I can think of two major things though:

First, use TPM-bound Full Disk Encryption. This eliminates an on-site admin with the password to the disk. Properly configured, hardware and pre-boot changes will result in the disk being locked out.

Second, ensure you have a modern secure boot implementation (you can bind the FDE to secure boot state), to prevent some tampering with firmware and memory, which ensures TPM effectiveness.

You may also want to use AMD's memory encryption, but that is a fairly advanced attacker who has tens of thousands of dollars of equipment.

user71659
  • 286
  • 3
  • 7
  • 2
    You would want to use TPM-based measured boot, not just full disk encryption. – forest Nov 09 '18 at 02:35
  • @user71659 Would you elaborate on the risks from USB peripherals? Should I remove all USB ports? – Kenn Nov 12 '18 at 14:57