Operations Security (OPSEC)

Advanced secure work environments

• Secure server systems — solutions for secure server systems and advanced filesystems and data storage
• Virtualisation and isolation of services — solutions for virtualisation of systems and services as well as isolation of services and processes
• Operations in secure environments — solutions for Virtual Private Networks, confidentiality of communication, advanced communications confidentiality as well as advanced filesystems and data storage
• Operations on volatile data — solutions for advanced filesystems and data storage, encryption and authentication as well as advanced encryption

Productions services

• Web servers — service providing content over the HTTP protocol for any tasks, including up to complex tasks in cloud and cluster environments — solutions for WebOps NginxCaddyrelayd
• CGI environments — code execution environments closely cooperating with HTTP servers, usually providing logic for Web — solutions for PHP programming services and Go programming services PHPGo
• Database systems — production database systems, both RDBMS and non-relational, operating as autonomous services offering a wide array of functions and access methods MySQLPercona MySQLPostgreSQLSQLiteRedis
• Embedded databases — environments of database systems embedded into applications, software solutions or operating as parts of bigger architectures RocksDBLMDBBerkeleyDB
• Electronic mail servers — mail exchange systems, spam filtering and providing access to client applications OpenSMTPDPostfixRspamd
• Secure communication systems — secure text, audio and video communication systems, usually deployed in closed-loop settings — solutions for confidentiality of communication and advanced communications confidentiality SignalSimpleXMatrixIRC
• Cluster and virtualisation production systems — deployments of microservice containerisation and virtualisation in essential clusters and load balancing — solutions for virtualisation of systems and services DockerKVMbhyve
• Git repositories — code repositories and version control systems with Web interfaces — solutions for GitOps GitGitLabGiteagitolite
• Cloud frameworks — services enabling easy online data synchronisation and exchange — solutions for private and public clouds ownCloudSeafileSyncthingRclone
• Data sharing servers — systems of efficient high volume data sharing using secure high-performance SFTP and SCP protocols — solutions for advanced filesystems and data storage ZFSBtrfsOpenSSH

Production and DevOps support services

• Authentication servers — servers providing centralised system, user and process authentication, usually in DevOps environments SSSD
• DNS servers — nameservers configured for efficient and secure work in secure environments and with DevOps instrumentation Unbound
• SMB and NFS servers — services providing easy data sharing for local networks — solutions for advanced computer networks SambaNFS

Performance monitoring with Prometheus

• Performance metrics collection using exporters built into systems and applications, and third party open source software — solutions for secure server systems, production services and key server processes as well as virtualisation of systems and services
• Programming solutions for collection and delivery of performance metrics and code self monitoring — tasks for PHP programming services and Go programming services

Performance visualisation and analysis

• Data processing and detailed visualisation with Grafana
• In-house programming solutions for processing of data provided by Prometheus/PromQL — tasks for PHP programming services and Go programming services

ZFS copy-on-write server filesystem

• Secure ZFS Boot Environments
• Native ZFS cryptography
• ZFS data management — export, replication and recovery of pools and volumes
• ZFS data integrity — redundant, ZRAID, mirroring and self-healing pools and volumes
• ZFS specialised applications — one-time pools and volumes
• Optimisation of ZFS structures in large scale deployments
• Hardware optimisation for ZFS arrays
• Environment optimisation for ZFS filesystem storing MySQL/PostgreSQL databases and other specialised services
• Operational differences between Oracle ZFS, FreeBSD ZFS and OpenZFS

Btrfs copy-on-write server filesystem

• Btrfs data management — export, replication and recovery of Btrfs devices and subvolumes
• Btrfs data integrity — redundant, RAID, mirroring and self-healing devices and subvolumes
• Btrfs specialised applications — one-time devices and subvolumes
• Hardware optimisation for Btrfs filesystems
• Environment optimisation Btrfs filesystems storing databases and other specialised services

Other server filesystems

• Standard — operations on ext4, UFS, FFS, Hammer and (ex)FAT(32)
• Network protocol based — operations on and implementation of providers for NFSv3/v4 and SMB — solutions for DevOps as well as production services and key server processes

The APFS filesystems for macOS

• Advanced operations and native cryptography of APFS filesystem

Data encryption

• Basic solutions for encryption and authentication and confidentiality of communication
• Advanced solutions for secure server systems, production services and key server processes, virtualisation of systems and services, private and public clouds, advanced encryption as well as advanced communications confidentiality

Encryption systems for FreeBSD

• Block device encryption
  • geli — an advanced encryption systems based on the GEOM and crypto frameworks, operating as a block storage hardware abstraction layer. Fully integrated with ZFS and Boot Environments enabled bootloaders, it offers full disk encryption for the most complex scenarios, usually operating as a device provider for UFS or ZFS filesystems. Possibly the most sophisticated encryption system currently available.
  • gdbe — an encryption system based on the GEOM and crypto frameworks operating as a block storage hardware abstraction layer, originally designed under a DARPA contract. Volumes encrypted with gdbe become distinguishable from volumes simply filled with random data, which qualities gdbe for very particular applications.
• Native filesystem encryption
  • ZFS — encryption as a native ZFS filesystem feature compliant with the OpenZFS implementation, enabling on-the-fly encryption of ZFS datasets on physical and virtual volumes

Encryption systems for OpenBSD

• Block device encryption
  • softraid (d:crypto) — an encryption system available as a softraid pseudodevice operating under CRYPTO discipline as a block device hardware abstraction layer. Integrated with the bootloader allows perfect full volume encryption, usually operating as a device provider for FFS.

Encryption systems for Ubuntu Server

• Block device encryption
  • cryptsetup — an advanced encryption system based on the dm-crypt and LUKS frameworks, operating as a block device hardware abstraction layer. Advanced configurations offer full volume encryption supporting particular bootloaders. As a well developed and efficient encryption, it may be a device provider for OpenZFS or Btrfs.
• Native filesystem encryption
  • ext4 — encryption as a native ext4 filesystem feature available for individual keyed file directories
  • ZFS — encryption as a native ZFS filesystem (OpenZFS implementation) feature, enabling on-the-fly encryption of ZFS datasets on physical and virtual volumes

Encryption systems for Oracle Solaris 11

• Block device encryption
  • (Oracle) ZFS — encryption of original Oracle ZFS driven by the Solaris Cryptographic Framework cryptography provider. ZFS on Solaris remains a commercial product and its closed source code is not available for an independent review

Hardware encryption

• Hardware encryption scenarios involving self-encrypting drives, often operating as the base layer for more advanced configurations
  • Self-encrypting drives with individual security schemes
  • Self-encrypting drives implementing the TCG OPAL standard

Active protection and failsafe type schemes

• One-time and temporary encryption and ciphers
• Active software and hardware protections of encrypted systems and volumes against physical third-party interference and seizure

Advanced confidentiality and highly secure data exchange

• Solutions for secure server systems, confidentiality of communication, advanced communications confidentiality and engineering of non-public and anonymous networks

FreeBSD server systems

An advanced BSD Unix offering unique features. Server dedicated.

• System engineering
  • Advanced installation and recovery
  • Kernel and source code engineering — task specific system builds
  • ZFS filesystem and boot environments — solutions for advanced filesystems and data storage
  • Advanced debug and DTrace dynamic tracing
  • Advanced system and services performance monitoring — solutions for systems and services performance monitoring
• Security
  • Highly advanced secure setup
  • IPFW i PF packet filtering
  • Advanced routing, network encryption and management — solutions for virtualisation of systems and services and Virtual Private Networks
  • Advanced multi-layer data encryption schemes — solutions for advanced filesystems and data storage, encryption and authentication and advanced encryption
  • Advanced privacy features and anonymous networks support — solutions for confidentiality of communication, advanced communications confidentiality and engineering of non-public and anonymous networks
• Virtualisation and isolation of services
  • Solutions for virtualisation of systems and services and isolation of services and processes
  • jail isolation environments
  • VNET and Netgraph network virtualisation
  • bhyve and VirtualBox virtualisation frameworks

OpenBSD server systems

A legendarily secure system with a group of trusted daemons. Specialised deployments.

• System engineering
  • Advanced installation and recovery
  • Kernel and source code engineering — task specific system builds
  • Advanced debug and btrace dynamic tracing
  • Advanced system and services performance monitoring — solutions for systems and services performance monitoring
• Security
  • Highly advanced secure setup
  • PF packet filtering
  • Advanced routing, network encryption and management — solutions for virtualisation of systems and services and Virtual Private Networks
  • Data encryption schemes — solutions for advanced filesystems and data storage, encryption and authentication and advanced encryption
  • Advanced privacy features and anonymous networks support — solutions for confidentiality of communication, advanced communications confidentiality and engineering of non-public and anonymous networks
• Virtualisation
  • Solutions for virtualisation of systems and services and isolation of services and processes
  • vmm virtualisation subsystem

Ubuntu Server server systems

An easy to use and versatile Linux. Universal and flexible use.

• System engineering
  • Advanced installation and recovery
  • Kernel and source code engineering — system imagining and customisation
  • OpenZFS and Btrfs filesystems — solutions for advanced filesystems and data storage
• Security
  • Easier secure setup
  • iptables and UFW packet filtering
  • Advanced routing, network encryption and management — solutions for virtualisation of systems and services and Virtual Private Networks
  • Data encryption schemes — solutions for advanced filesystems and data storage, encryption and authentication and advanced encryption
  • Advanced privacy features and anonymous networks support — solutions for confidentiality of communication, advanced communications confidentiality and engineering of non-public and anonymous networks
• Virtualisation and containerisation
  • Simplified Docker microservice containerisation
  • LXD service isolation and containerisation framework
  • KVM/Qemu advanced virtualisation framework
  • Other solutions for virtualisation of systems and services and isolation of services and processes

Oracle Solaris 11 server systems

An advanced and powerful corporate closed-source Unix

• System engineering
  • Advanced installation and recovery
  • Original Oracle ZFS filesystem and Boot Environments — solutions for advanced filesystems and data storage
  • Advanced debug and DTrace dynamic tracing
  • Advanced system and services performance monitoring — solutions for systems and services performance monitoring
• Security
  • Advanced secure setup
  • PF packet filtering
  • Advanced routing, network encryption and management — solutions for virtualisation of systems and services and Virtual Private Networks
  • Native Oracle ZFS filesystem encryption schemes
  • Cryptographic operations with Cryptographic Framework
• Virtualisation and isolation
  • General and network virtualization and isolation with Solaris Zones
  • General, network and kernel virtualization and isolations with Solaris Kernel Zones
  • VirtualBox virtualisation framework

Server solutions consultancy

• Advisory services for purchasing, expansions and configuration of server systems and hardware
• Advisory services for peering analysis and datacenter choice

Cluster and microservices containerisation

• Simplified Docker containerisation systems for Linux and macOS
• Secondary containerisation services for Linux systems

Advanced isolation of productions services and secure networks

• LXD isolation and containerisation system for Ubuntu Server
• VNET and Netgraph enabled jail isolation system for FreeBSD
• Solaris Zones and Solaris Kernel Zones isolation frameworks for Oracle Solaris 11
• Secondary isolation systems for Ubuntu Server, FreeBSD and OpenBSD

Deep virtualisation of server services

• Solutions for virtualisation of systems and services.
• Solutions for secure server systems, production services and key server processes, private and public clouds, confidentiality of communication, advanced communications confidentiality as well as engineering of non-public and anonymous networks.

Engineering, deployment, specialised configuration, advanced security and optimisation of virtualisation systems and individual virtual machines

• KVM/Qemu virtualisation for Linux systems
• bhyve virtualisation for FreeBSD
• vmm virtualisation for OpenBSD
• VMWare virtualisation framework for multiple systems
• VirtualBox virtualisation framework for multiple systems
• UTM/Qemu virtualisation for macOS and Apple Silicon/ARM64

Virtualisation security

• Complete encryption of virtual machines
• One-time and temporary encryption of special purpose virtual machines
• Solutions for secure server systems, isolation of services and processes, Virtual Private Networks, engineering of non-public and anonymous networks, advanced filesystems and data storage, encryption and authentication as well as advanced encryption

Encryption and authentication of content, text and individual files

• OpenPGP/GnuPG standard — a universal encryption and authentication system for content, text and individual files based on asymmetric cryptography, defined by the RFC 4480 and RFC 9580 standards and functioning as the de facto default system for software and code signing and encryption and authentication of electronic mail. In use for over 30 years, its security depends on the type of keys and algorithms chosen. The PGP standard encompasses direct exchange of public keys between communicating parties remaining independent of third-party trust services.
• S/MIME standard — a universal encryption and authentication system for electronic mail based on asymmetric cryptography, defined by the RFC 8551 standard. The S/MIME depends on a trusted third-party confirming the validity of certificates in use.
• Signify standard — a system of files and text authentication developed by the OpenBSD project based on asymmetric cryptography, intertwining ease of use with modern cryptography

Electronic signature and document authentication systems

• Operations on electronic signatures required by the eIDAS regulation — solutions for managing electronic signature standards of CAdES, PAdES and XAdES
• Programming solutions for automated and integrated management of electronic signatures — solutions for PHP programming services, Go programming services, code operations security and code data security

Basic data encryption

• Block device encryption
  • Encrypting filesystems — particular modern filesystems offer encryption capability, often operating as a transparent user independent layer.
    Example Apple APFS — a filesystem provided by recent versions of Apple macOS on-the-fly encrypting all data either as an automated Filevault component, or as a user configurable subsystem allowing more advanced configurations. Encryption capabilities of both the Apple Silicon and the APFS filesystem may be an effective basis for a more complex data security scenario. APFS remains a closed-source commercial product.
  • Cryptographic containers and modular volume encryption — systems of simpler block encryption, effectively encrypting full volumes and maintaining virtualised cryptographic containers, usually open-source allowing independent security reviews.
    ExampleVeraCrypt — a modern fork of TrueCrypt
• Encrypting stack filesystems — solutions for stack filesystems operation at the user level, most often used to securing particular pools of data
  ExampleeCrypFs for Linux or EncFS available on several platforms
• Cloud-optimised data encryption — encryption systems by design optimised for deployments in third-party clouds and data exchange systems
  Examplegocryptfs or cryfs available on several platforms

Confidentiality of communication and secure data exchange

• Solutions for confidentiality of communication, advanced communications confidentiality, Virtual Private Networks, private and public clouds as well as engineering of non-public and anonymous networks