Contents

Hardware

Laptop

  • 1080p monitor
  • Wired ethernet
  • Can disable computrace
  • Can disable any management engines
  • Can disable most/all integrated hardware

Configuration

  • Latest BIOS updates
  • SET BIOS password
  • Boot ONLY from USB disk (preferably ONLY the one with Tails)
  • Wipe TPM
  • Adjust secure boot settings as appropriate

Best Practices

  • Do NOT run USB media on UNTRUSTED machines
  • Do NOT run USB boot media in a VM on UNTRUSTED machines
  • Move data using USB disks (FRESH, TRUSTED)
    • Use VeraCrypt for encryption (most supported crypto option)
    • Use exFAT as filesystem (most supported for rw operations)
  • elephant.mine.nu OR Zix for note taking (they are OFFLINE, keep it this way)
  • Yubikey / Nitrokey for PGP smart card
  • KeePass for ALL passwords
  • TOTP for ALL accounts
    • oathtool
    • Secrets SEPARATE from main KeePass database
    • Separate phone/similar for TOTP
  • SSH tunnel to router + RDP to INDIVIDUAL miners for remote access
  • SSH tunnel to router + SOCKS5 proxy for miner RDP access (requires client with SOCKS5 proxy support)
  • UNIQUE ssh keys for OpSec (do NOT reuse existing keys)
  • Crypto Currencies
    • Mining wallet
    • Trading wallet
    • Cold Storage Wallet (paper)
    • Cold storage transfer ONLY done offline
    • Store ONLY recovery keys for mining / cold storage wallets
    • Store addresses in password database – keep TYPE of addresses in separate entries

LAN

  • Dedicated pfSense router in FRONT of miners (PC Engines apu2 for hardware)
  • Router setup to route ALL traffic via tor (paranoid config)
  • Router ssh password login disabled (public key ONLY)
  • Tighten up ssh ciphers to best and only best supported
  • Setup WPA2 Enterprise + NON broadcasting SSID for network access
  • DUMB / NON MANAGED switch for miner sub-network
  • DUMB / NON MANAGED power strips
  • DUMP / NON MANAGED UPS

Miners

Hardware

  • DUMB power strips for miners and infrastructure (NOT smart strip)
  • UPS setup so miner’s can be shutdown cleanly (one per miner, 750Va should be sufficient)
  • XEON (4-8 core) for miner
  • 8Gb RAM or more for miner
  • 2 GPUs per miner

Software

  • Fresh Windows 10 PRO licenses for miners
  • Auto apply Windows updates + IMMEDIATE reboot
  • Auto start any mining software on boot
  • TPM + bitlocker
  • Secure boot

Misc

  • Proton e-mail with TOTP (do NOT set recovery e-mail to your personal account or any other)
  • Burner phone
    • Signal
    • TOTP
    • Tor (paranoid config)
  • PO Box or equivalent
    • Minimum of 10 miles off any usual routes
  • Safe deposit box or similar for backups
    • BE CAREFUL, backup BARE MINIMUM