Notes and Random Thoughts about properly putting together an OpSec layout that assumes a reasonably high Threat Model



  • 1080p monitor
  • Wired ethernet
  • Can disable computrace
  • Can disable any management engines
  • Can disable most/all integrated hardware


  • Latest BIOS updates
  • SET BIOS password
  • Boot ONLY from USB disk (preferably ONLY the one with Tails)
  • Wipe TPM
  • Adjust secure boot settings as appropriate

Best Practices

  • Do NOT run USB media on UNTRUSTED machines
  • Do NOT run USB boot media in a VM on UNTRUSTED machines
  • Move data using USB disks (FRESH, TRUSTED)
    • Use VeraCrypt for encryption (most supported crypto option)
    • Use exFAT as filesystem (most supported for rw operations)
  • elephant.mine.nu OR Zix for note taking (they are OFFLINE, keep it this way)
  • Yubikey / Nitrokey for PGP smart card
  • KeePass for ALL passwords
  • TOTP for ALL accounts
    • oathtool
    • Secrets SEPARATE from main KeePass database
    • Separate phone/similar for TOTP
  • SSH tunnel to router + RDP to INDIVIDUAL miners for remote access
  • SSH tunnel to router + SOCKS5 proxy for miner RDP access (requires client with SOCKS5 proxy support)
  • UNIQUE SSH keys for OpSec (do NOT reuse existing keys)
  • Crypto Currencies
    • Mining wallet
    • Trading wallet
    • Cold Storage Wallet (paper)
    • Cold storage transfer ONLY done offline
    • Store ONLY recovery keys for mining / cold storage wallets
    • Store addresses in password database – keep TYPE of addresses in separate entries


  • Dedicated pfSense router in FRONT of miners (PC Engines apu2 for hardware)
  • Router set up to route ALL traffic via Tor (paranoid config)
  • Router SSH password login disabled (public key ONLY)
  • Restrict SSH ciphers to the strongest supported ones and nothing else
  • Set up WPA2 Enterprise + NON broadcasting SSID for network access
  • DUMB / NON MANAGED switch for miner sub-network
  • DUMB / NON MANAGED power strips
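One way to verify the two router SSH items above (public key ONLY login, restricted ciphers) is to audit the effective settings that `sshd -T` prints. This is an added example, not part of the original notes; the cipher allowlist and both sample inputs are assumptions constructed for illustration.

```python
# Assumption: AEAD-only allowlist; the notes do not name specific ciphers.
ALLOWED_CIPHERS = {"chacha20-poly1305@openssh.com",
                   "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"}

# Constructed samples in `sshd -T` format (lowercase "keyword value" lines).
WEAK = """passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-cbc
"""
HARDENED = """passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

def parse_effective(text):
    """Map each keyword to its value; the first occurrence wins."""
    settings = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and not key.startswith("#"):
            settings.setdefault(key.lower(), value.strip())
    return settings

def audit(text):
    """Return a list of findings; an empty list means both items hold."""
    cfg = parse_effective(text)
    # Older OpenSSH reports keyboard-interactive under the second name.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication"))
    checks = [("passwordauthentication", cfg.get("passwordauthentication"), "no"),
              ("kbdinteractiveauthentication", kbd, "no"),
              ("pubkeyauthentication", cfg.get("pubkeyauthentication"), "yes")]
    findings = [f"{name}: expected {want}, got {got}"
                for name, got, want in checks if got != want]
    ciphers = cfg.get("ciphers")
    if ciphers is None:
        findings.append("ciphers: not reported")
    else:
        extra = [c for c in ciphers.split(",") if c not in ALLOWED_CIPHERS]
        if extra:
            findings.append("ciphers outside allowlist: " + ",".join(extra))
    return findings

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample) or "OK")
```

On a live router, feed `audit()` the captured output of `sshd -T` instead of the samples; a missing keyword is reported as a finding rather than assumed safe.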



  • DUMB power strips for miners and infrastructure (NOT smart strip)
  • UPS setup so miners can be shut down cleanly (one per miner, 750 VA should be sufficient)
  • XEON (4-8 core) for miner
  • 8 GB RAM or more for miner
  • 2 GPUs per miner


  • Fresh Windows 10 PRO licenses for miners
  • Auto apply Windows updates + IMMEDIATE reboot
  • Auto start any mining software on boot
  • TPM + BitLocker
  • Secure boot


  • Proton e-mail with TOTP (do NOT set recovery e-mail to your personal account or any other)
  • Burner phone
    • Signal
    • TOTP
    • Tor (paranoid config)
  • PO Box or equivalent
    • Minimum of 10 miles off any usual routes
  • Safe deposit box or similar for backups
