Air-gap implementation for personal computer use

I will focus only on some problems with your approach:

  • The insecure system writes the CD and thus can tamper with both the data on the CD but also with the format of the CD, i.e. the file system.
  • This CD is then read by the secure (air-gapped) system and mounted there. Mounting is done inside the kernel (i.e. system level access) and there were bugs in the past in this area.
  • It does not matter if there is existing malware which hijacks this process. With your setup you are aiming more in the area of defending against targeted attacks and there it only counts if such malware could be developed. And I think this should not be too hard.

Also, while you encrypt outgoing mails on the air-gapped machine you need to decrypt incoming mails on the insecure machines, because otherwise you could not transform these to plain text like you want. This means that the decrypted and probably sensitive information is available on the insecure machine. If you instead transfer the encrypted incoming mails to the air-gapped machine you then have to deal with (possibly malicious) attachments there.

And, while product recommendations are off-topic (but you requested these): I would not recommend any general purpose Linux distribution. Go at least for something hardened with Grsecurity or just go with OpenBSD. They are more focused on security by design and on security in depth than Linux is.


You can use amodem ( https://github.com/romanz/amodem ) in lieu of write-once media. It is quite fast on shielded audio cable. Works on RF too, but that's not your need. Only send from the gate computer, and only receive on the gapped computer. When necessary, switch this around.

Avoid file formats that can be naughty (most media files), and only use archives for which you have valid GPG/PGP signatures on the gapped computer. Don't run amodem as a privileged user, run it as a user specially created for that program only.

Amodem itself is manageable to compile with a few hardening tricks (I'm no expert), but at least static, PIE, and add some grsec/PaX and apparmor control. If really serious, drop it in a chroot with only the absolutely necessary devices in /dev. In simplex operation, it cannot leak data back to the sending computer.
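A receive-side import gate for the gapped computer that applies the rules in this answer, as an added example (it is not the poster's code and not part of amodem): it identifies the received archive by magic bytes rather than file name, requires a valid detached GPG signature checked against an offline keyring, and refuses to run as root. The keyring path, the gpg invocation and the function names are assumptions.

```python
import os
import subprocess
from pathlib import Path

# Allowed container formats, recognised by magic bytes rather than file name,
# so a renamed media file or executable is rejected before anything parses it.
ALLOWED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
}
TAR_MAGIC_OFFSET = 257          # POSIX ustar magic sits at byte 257 of the header
TAR_MAGIC = b"ustar"


def classify(head: bytes):
    """Return the allowed format name for the first 512 bytes, or None."""
    for magic, name in ALLOWED_MAGIC.items():
        if head.startswith(magic):
            return name
    if head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return None


def verify_signature(archive: Path, signature: Path, keyring: Path) -> bool:
    """Check a detached signature against an offline keyring of trusted keys only.
    Assumes gpg is installed on the gapped machine; a missing gpg means reject."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(signature), str(archive)]
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except FileNotFoundError:
        return False


def accept_import(archive: Path, signature: Path, keyring: Path) -> str:
    """Gate for a file received over amodem; returns the format if it may be unpacked."""
    if os.geteuid() == 0:
        raise PermissionError("refusing to import as root; use the dedicated receive user")
    with open(archive, "rb") as fh:
        head = fh.read(512)
    fmt = classify(head)
    if fmt is None:
        raise ValueError("rejected: not an allowed archive format")
    if not verify_signature(archive, signature, keyring):
        raise ValueError("rejected: detached signature missing or invalid")
    return fmt
```

Run it as the dedicated unprivileged receive user on the gapped side; the keyring should contain only the keys you trust to sign archives, imported by hand.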


There is one major flaw in your system: Physical security. Your air-gapped machine is only secure as long as you have it in your sight. If you EVER leave it alone someone can break in, install whatever they like and leave again with you none the wiser. Air-gapped machines in alphabet soup agencies are under constant surveillance. The best thing you could do is NEVER let anyone know you had an air-gapped computer which you have already told to the whole world... sorry pal it's already over for you...

Tags: Linux, Air Gap