It all depends on what you want to do. Very secure technical solutions exist, but these solutions may not be applicable to every situation.

Have you heard about data diodes? If not, you can read this document: <https://owlcyberdefense.com/blog/what-is-data-diode-technology-how-does-it-work/>. Data diodes are unhackable because they rely on the laws of physics: IT is hackable. The laws of physics, on the other hand, are not. You cannot get around the laws of physics, regardless of the amount of resources you are ready to spend. So, you may use a data diode to make sure that nobody can infiltrate your signing server from the Internet. However, this solution is 100% bulletproof only on the condition that your signing server "only sends data," that is, if it does not need to respond to requests from the Internet. In this situation, your server does not expose any network entry point. It only exposes an "unhackable, one-way-only" exit point.

If your signing server needs to respond to requests from the Internet, then you can implement "air gap isolation" with another data diode. An (unsafe) server receives a request. It extracts the data from the request and sends it to the (secure) signing server through a one-way-only exit point (a data diode). Therefore, your secure signing server has two data diodes: one for the reception of requests and the other for the emission of signed documents. This solution is not 100% bulletproof, since a carefully crafted request may be used to hack the secure server (using the technique known as "buffer overflow" to inject malicious code). However, without direct feedback (the data diode forbids feedback) and without knowledge of the server software environment, doing so is really difficult. I doubt that it is practically doable, although it theoretically is. Thus, you could create a "practically" (as opposed to "theoretically") unhackable (from the Internet) signing server.

Now, the question is: what can you do about the administrators? The response may be: create a server that does not need to be administered and protect it physically (place it in a safe, for example).
If your server only needs to sign documents, then it can be very "rustic and cheap." A Raspberry Pi should be more than enough. You install a minimal Linux distribution with only the bare requirements for your application. It should not need to be administered. And if a problem occurs, don't bother to fix it... just replace the server with a new one (ready to be used).

Denis

On Tue, 28 Jul 2020 at 17:39, Ayoub Misherghi <ayou...@gmail.com> wrote:
> A human environment went insane and uncontrollable. The system is
> intended to bring sanity back and maintain it.
>
> Client programs access server(s) for real-time encryption or decryption.
> Network of servers that may be located at different geographic
> locations. Each server would need keys that need to be protected. The
> servers are in a hierarchy communicating with each other securely as
> needed. Horrible environment to protect.
>
> Server design may need to be specialized with immunity to tampering and
> abuse. Operator and admin may need to be on constant
> monitoring/surveillance with biometric ID. Equipment may need to be
> identifiable and be under constant monitoring and surveillance.
>
> Grateful for all suggestions. Keep them coming. I have a lot to learn.
>
> Ayoub
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
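The two-diode layout described in the reply above (exposed front end, inbound diode, isolated signer, outbound diode), as an added Python simulation that is not part of the original thread. The in-memory DataDiode, the `SIGN <len>` request format, MAX_PAYLOAD and the HMAC stand-in for the real signing operation are all constructed assumptions; the point it shows is that the signer has no return path at all and only ever parses a fixed-shape frame that the exposed side has already validated.

```python
import hashlib
import hmac
from collections import deque
from typing import Optional

MAX_PAYLOAD = 4096                 # hard cap enforced on the untrusted side (constructed value)
SIGNING_KEY = b"demo-signing-key"  # constructed stand-in for the signing server's key

class DataDiode:
    """One-way channel: one side only pushes, the other only pops; no path back."""
    def __init__(self) -> None:
        self._frames: deque = deque()
    def tx(self, frame: bytes) -> None:
        self._frames.append(frame)
    def rx(self) -> Optional[bytes]:
        return self._frames.popleft() if self._frames else None

def extract_payload(request: bytes) -> Optional[bytes]:
    """Untrusted front end: accept only 'SIGN <len>\\n<payload>' (constructed format) with a sane, matching length."""
    header, sep, body = request.partition(b"\n")
    parts = header.split(b" ")
    if not sep or len(parts) != 2 or parts[0] != b"SIGN" or not parts[1].isdigit():
        return None
    length = int(parts[1])
    if length == 0 or length > MAX_PAYLOAD or len(body) != length:
        return None
    return body

def signing_server(inbound: DataDiode, outbound: DataDiode, key: bytes) -> None:
    """Isolated signer: reads fixed-shape frames, emits 'payload|signature' outbound; no handle back to the requester."""
    while (frame := inbound.rx()) is not None:
        sig = hmac.new(key, frame, hashlib.sha256).hexdigest()  # stand-in for a real signature
        outbound.tx(frame + b"|" + sig.encode())

def run_pipeline(requests: list, key: bytes = SIGNING_KEY) -> tuple:
    """Front end -> diode -> signer -> diode. Returns (signed frames, rejected count)."""
    to_signer, from_signer = DataDiode(), DataDiode()
    rejected = 0
    for req in requests:
        payload = extract_payload(req)
        if payload is None:
            rejected += 1                # malformed input dies on the exposed side
        else:
            to_signer.tx(payload)
    signing_server(to_signer, from_signer, key)
    signed = []
    while (frame := from_signer.rx()) is not None:
        signed.append(frame)
    return signed, rejected
```

The signer never holds a reference to the front end or to a socket, so a request that survives the front-end checks can at most feed bytes into the signer's parser; that residual parsing surface is the "not 100% bulletproof" part of the reply.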