Changes between Version 11 and Version 12 of doc/OperationalSecurity


Ignore:
Timestamp:
Apr 23, 2010, 4:47:35 AM (10 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • doc/OperationalSecurity

    v11 v12  
    5252On Debian, running at least a 2.6.4 kernel, encrypting swap is simple as doing
    5353a aptitude/apt-get install cryptsetup.
    54 After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
     54After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (Under Device Drivers---> Multi-Device Support (RAID and LVM)---> CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
    5555the ciphers you want to support add the following to /etc/crypttab
    5656
     
    8888}}}
    8989
     90'''FreeBSD'''
     91
     92Swap encryption has been possible with FreeBSD since 5.3-RELEASE.
     93
     94Information on how to configure it can be found in the FreeBSD handbook:
     95[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html  Encrypting Swap Space with FreeBSD]
     96
     97Information on how to encrypt other disk partitions can be found here:
     98[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html  Encrypting Disk Partitions with FreeBSD]
     99
    90100'''OpenBSD'''
    91101
     
    124134For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html].
    125135
    126 [http://www.jetico.com/index.htm#/bcrypt7.htm BestCrypt] creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.
     136For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project [http://www.truecrypt.org/ TrueCrypt] with its extensions [http://www.truecrypt.org/third-party-projects/tcgina/ TCGINA] and [http://www.truecrypt.org/third-party-projects/tctemp/ TCTEMP] allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with True''''''Crypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the  server's  private  key and swap  space) are stored inside encrypted containers as recommended above. A pdf document explaining step by step how to install and set this up can be downloaded from [http://www.herrschilling.de/sjsinternetpubs/files/Truecrypt_TOR.pdf TrueCrypt_TOR.pdf].
     137
     138[http://www.jetico.com/index.htm#/bcrypt7.htm BestCrypt] is similar to True''''''Crypt but does not offer as many features. Best''''''Crypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.
    127139
    128140Microsoft resource document for the [http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp    Encrypted File System] (NTFS only)
    129141
     142To use EFS built into Windows XP Professional, browse to Documents and settings\<username>\Application Data and right click on the Tor
     143directory and select Properties. In the general tab click on the Advanced tab and tick the "Encrypt contents to secure data"
     144See the Microsoft resource document above for me details.
     145
    130146{{{
    131147TODO: Give instructions on setting up encrypted filesystems and swap on
    132 various OSs (hopefully including OS X and Windows).
     148various OSs (hopefully including OS X).
    133149}}}
    134150
     
    144160Make sure that the machine running your Tor server is physically secure. If
    145161it is in a cabinet or rack in a colocation facility, make sure the door(s)
    146 is/are locked. If it is in a machine room in your office, make sure the do
     162is/are locked. If it is in a machine room in your office, make sure the door
    147163to the machine room is locked.
    148164
     
    159175
    160176If you must run other services, lock them down to the extent possible. For
    161 example, you can set OpenSSH to allow only certain user accounts to connect,
     177example, you can set OpenSSH to only allow certain user accounts to connect with the AllowUsers option,
    162178or you can firewall your system such that only certain IP addresses are
    163179allowed to connect to the SSH service on your server. The same applies for