Home

Operations Security (OPSEC)

is a set of instruments facilitating privacy and security. Our approach to operations security builds upon high simplicity, ensured processing efficiency and cryptographic solutions of proven reliability.
Miniature norms

Operational compliance with cybersecurity norms

Engineering and development of solutions by default compliant with current cybersecurity norms
Compliance with Polish and European policy
  • The General Data Protection Regulation (GDPR), EU Regulation 2016/679
  • The Network Information and Security (NIS2), EU Directive 2022/2557
  • The Act on the National Cybersecurity System, published on 5 June 2018., with the novelization of the Act on the National Cybersecurity System, a preview published on 29 December 2025, implementing NIS2 requirements
Compliance with the ISO international standards on cybersecurity and data privacy
  • Norm ISO/IEC 27001:2022 — an outline norm on Information Security Management Systems, with key extensions
    • Norm ISO/IEC 27002:2022 — Information security
    • Norm ISO/IEC 27701:2019 — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
  • Norm ISO/IEC 27017:2015 — Information security for cloud services
  • Norm ISO/IEC 27018:2019 — Protection of personal data in public clouds
  • Norms ISO/IEC 27033-1|2|3|4|5|6|7 — Network security
  • Norms ISO/IEC 27034-1|2|3|5|5-1 — Application security
  • Norm ISO/IEC 27040:2024 — Storage security
  • Norm ISO/IEC 27100:2020 — Cybersecurity
Miniature personal

Secure workstations and personal computers

Secure workstations and personal computers
Workstations and personal computers on macOS

An advanced commercial closed-source operating systems based on BSD traditions.

  • System engineering
    • Low-level operations
      • System installation and advanced Recovery
      • Boot procedure and startup disciplines
      • Integrity protection mechanics of system resources
    • Non-standard kernel extensions and modules
    • Non-standard device drivers and compatibility with specialised devices
  • Stability and performance
    • Open-source software
      • Standard instrumentation of applications and command-line user interfaces compatible with BSD and GNU / Linux
      • A dedicated homebrew software packet manager
    • Modern filesystems
  • Security
  • Virtualisation and containerisation
    • Basic virtualisation — simplified executions of applications designed for other platforms
      • Compatibility and software abstraction with Crossovercommercial license
      • Simplified virtualisation with Parallelscommercial license
    • Advanced virtualisation — complete virtualisation for Apple Silicon/ARM64
    • Containerisation and modular work environment
      • Docker containerisation framework with particular visualisation elements for macOS
  • Corporate environment and Apple cloud
    • Centralised management of Apple devices with Apple MDM framework
    • Applied security and engineering of Apple cloud services
    • Applied privacy and data synchronisation with Apple cloud services
Workstations and personal computer on open-source operating systems

BSD and Linux systems in personal computer specific configurations

Miniature services

Production services and key server processes

Engineering, deployment, security and optimisation of key production services for BSD and Linux systems
Advanced secure work environmentsProductions services
  • Web servers — service providing content over the HTTP protocol for any tasks, including up to complex tasks in cloud and cluster environments — solutions for WebOps NginxCaddyrelayd
  • CGI environments — code execution environments closely cooperating with HTTP servers, usually providing logic for Web — solutions for PHP programming services and Go programming services PHPGo
  • Database systems — production database systems, both RDBMS and non-relational, operating as autonomous services offering a wide array of functions and access methods MySQLPercona MySQLPostgreSQLSQLiteRedis
  • Embedded databases — environments of database systems embedded into applications, software solutions or operating as parts of bigger architectures RocksDBLMDBBerkeleyDB
  • Electronic mail servers — mail exchange systems, spam filtering and providing access to client applications OpenSMTPDPostfixRspamd
  • Secure communication systems — secure text, audio and video communication systems, usually deployed in closed-loop settings — solutions for confidentiality of communication and advanced communications confidentiality SignalSimpleXMatrixIRC
  • Cluster and virtualisation production systems — deployments of microservice containerisation and virtualisation in essential clusters and load balancing — solutions for virtualisation of systems and services DockerKVMbhyve
  • Git repositories — code repositories and version control systems with Web interfaces — solutions for GitOps GitGitLabGiteagitolite
  • Cloud frameworks — services enabling easy online data synchronisation and exchange — solutions for private and public clouds ownCloudSeafileSyncthingRclone
  • Data sharing servers — systems of efficient high volume data sharing using secure high-performance SFTP and SCP protocols — solutions for advanced filesystems and data storage ZFSBtrfsOpenSSH
Production and DevOps support services
  • Authentication servers — servers providing centralised system, user and process authentication, usually in DevOps environments SSSD
  • DNS servers — nameservers configured for efficient and secure work in secure environments and with DevOps instrumentation Unbound
  • SMB and NFS servers — services providing easy data sharing for local networks — solutions for advanced computer networks SambaNFS
Miniature Performance

Systems and services performance monitoring

Solutions for monitoring of code performance, infrastructure, network systems, virtualisation as well as services and processes
Performance monitoring with PrometheusPerformance visualisation and analysis
Miniature filesystems

Advanced filesystems and data storage

Management of storage systems for server systems and advanced workstations
ZFS copy-on-write server filesystem
  • Secure ZFS Boot Environments
  • Native ZFS cryptography
  • ZFS data management — export, replication and recovery of pools and volumes
  • ZFS data integrity — redundant, ZRAID, mirroring and self-healing pools and volumes
  • ZFS specialised applications — one-time pools and volumes
  • Optimisation of ZFS structures in large scale deployments
  • Hardware optimisation for ZFS arrays
  • Environment optimisation for ZFS filesystem storing MySQL/PostgreSQL databases and other specialised services
  • Operational differences between Oracle ZFS, FreeBSD ZFS and OpenZFS
Btrfs copy-on-write server filesystem
  • Btrfs data management — export, replication and recovery of Btrfs devices and subvolumes
  • Btrfs data integrity — redundant, RAID, mirroring and self-healing devices and subvolumes
  • Btrfs specialised applications — one-time devices and subvolumes
  • Hardware optimisation for Btrfs filesystems
  • Environment optimisation Btrfs filesystems storing databases and other specialised services
Other server filesystemsThe APFS filesystems for macOS
  • Advanced operations and native cryptography of APFS filesystem
Data encryption
Miniature advanced encryption

Advanced encryption

Advanced data encryption for server systems
Encryption systems for FreeBSD
  • Block device encryption
    • geli — an advanced encryption systems based on the GEOM and crypto frameworks, operating as a block storage hardware abstraction layer. Fully integrated with ZFS and Boot Environments enabled bootloaders, it offers full disk encryption for the most complex scenarios, usually operating as a device provider for UFS or ZFS filesystems. Possibly the most sophisticated encryption system currently available.
    • gdbe — an encryption system based on the GEOM and crypto frameworks operating as a block storage hardware abstraction layer, originally designed under a DARPA contract. Volumes encrypted with gdbe become distinguishable from volumes simply filled with random data, which qualities gdbe for very particular applications.
  • Native filesystem encryption
    • ZFS — encryption as a native ZFS filesystem feature compliant with the OpenZFS implementation, enabling on-the-fly encryption of ZFS datasets on physical and virtual volumes
Encryption systems for OpenBSD
  • Block device encryption
    • softraid (d:crypto) — an encryption system available as a softraid pseudodevice operating under CRYPTO discipline as a block device hardware abstraction layer. Integrated with the bootloader allows perfect full volume encryption, usually operating as a device provider for FFS.
Encryption systems for Ubuntu Server
  • Block device encryption
    • cryptsetup — an advanced encryption system based on the dm-crypt and LUKS frameworks, operating as a block device hardware abstraction layer. Advanced configurations offer full volume encryption supporting particular bootloaders. As a well developed and efficient encryption, it may be a device provider for OpenZFS or Btrfs.
  • Native filesystem encryption
    • ext4 — encryption as a native ext4 filesystem feature available for individual keyed file directories
    • ZFS — encryption as a native ZFS filesystem (OpenZFS implementation) feature, enabling on-the-fly encryption of ZFS datasets on physical and virtual volumes
Encryption systems for Oracle Solaris 11
  • Block device encryption
    • (Oracle) ZFS — encryption of original Oracle ZFS driven by the Solaris Cryptographic Framework cryptography provider. ZFS on Solaris remains a commercial product and its closed source code is not available for an independent review
Hardware encryption
  • Hardware encryption scenarios involving self-encrypting drives, often operating as the base layer for more advanced configurations
    • Self-encrypting drives with individual security schemes
    • Self-encrypting drives implementing the TCG OPAL standard
Active protection and failsafe type schemes
  • One-time and temporary encryption and ciphers
  • Active software and hardware protections of encrypted systems and volumes against physical third-party interference and seizure
Advanced confidentiality and highly secure data exchange
Miniature VPN

Virtual Private Networks

Solutions ensuring secure communication between secure severs systems and networks
High performance secure IPSec linksWireguard protocol based virtual private networkSsh (OpenSSH) protocol based virtual private network
  • Virtualisation and ssh deployment as special purpose VPNs
  • Secure data transport for server systems and specialised networking hardware
  • Ssh as a secure authentication system for network resources
Secondary VPN solutions
  • OpenVPN based virtual private networks and links
  • Cisco AnyConnect based virtual private networks and links
Miniature DeepWeb

Engineering of non-public and anonymous networks

Engineering, deployment, security and optimisation of services for the non-public Internet (deep web) and the hidden Internet (darkweb)
Deep web networksAnonymous networks
Miniature environment

Secure work environments

Designing and deployment of secure work environments
Secure computer networksSecure workstations and personal computersProduction server systems on BSD and Ubuntu ServerVirtualisation and security of key services and applicationsPrivacy and data encryptionDevOps tasks
Miniature servers

Secure server systems

Advanced server systems delivering security and stability suitable for handling of virtually any task
FreeBSD server systems

An advanced BSD Unix offering unique features. Server dedicated.

OpenBSD server systems

A legendarily secure system with a group of trusted daemons. Specialised deployments.

Ubuntu Server server systems

An easy to use and versatile Linux. Universal and flexible use.

Oracle Solaris 11 server systems

An advanced and powerful corporate closed-source Unix

  • System engineering
  • Security
  • Virtualisation and isolation
    • General and network virtualization and isolation with Solaris Zones
    • General, network and kernel virtualization and isolations with Solaris Kernel Zones
    • VirtualBox virtualisation framework
Server solutions consultancy
  • Advisory services for purchasing, expansions and configuration of server systems and hardware
  • Advisory services for peering analysis and datacenter choice
Miniature service isolation

Isolation of services and processes

Engineering, deployment, security and optimisation of advanced containerisation and isolation of server services
Cluster and microservices containerisation
  • Simplified Docker containerisation systems for Linux and macOS
  • Secondary containerisation services for Linux systems
Advanced isolation of productions services and secure networks
  • LXD isolation and containerisation system for Ubuntu Server
  • VNET and Netgraph enabled jail isolation system for FreeBSD
  • Solaris Zones and Solaris Kernel Zones isolation frameworks for Oracle Solaris 11
  • Secondary isolation systems for Ubuntu Server, FreeBSD and OpenBSD
Deep virtualisation of server services
Miniature virtualisation

Virtualisation of systems and services

Engineering, deployment, management and optimisation of virtualisation provider systems and virtual machines
Engineering, deployment, specialised configuration, advanced security and optimisation of virtualisation systems and individual virtual machines
  • KVM/Qemu virtualisation for Linux systems
  • bhyve virtualisation for FreeBSD
  • vmm virtualisation for OpenBSD
  • VMWare virtualisation framework for multiple systems
  • VirtualBox virtualisation framework for multiple systems
  • UTM/Qemu virtualisation for macOS and Apple Silicon/ARM64
Virtualisation security
Miniature Encryption and authentication

Encryption and authentication

Encryption and security of confidential and volatile digital data
Encryption and authentication of content, text and individual files
  • OpenPGP/GnuPG standard — a universal encryption and authentication system for content, text and individual files based on asymmetric cryptography, defined by the RFC 4480 and RFC 9580 standards and functioning as the de facto default system for software and code signing and encryption and authentication of electronic mail. In use for over 30 years, its security depends on the type of keys and algorithms chosen. The PGP standard encompasses direct exchange of public keys between communicating parties remaining independent of third-party trust services.
  • S/MIME standard — a universal encryption and authentication system for electronic mail based on asymmetric cryptography, defined by the RFC 8551 standard. The S/MIME depends on a trusted third-party confirming the validity of certificates in use.
  • Signify standard — a system of files and text authentication developed by the OpenBSD project based on asymmetric cryptography, intertwining ease of use with modern cryptography
Electronic signature and document authentication systemsBasic data encryption
  • Block device encryption
    • Encrypting filesystems — particular modern filesystems offer encryption capability, often operating as a transparent user independent layer.
      Example Apple APFS — a filesystem provided by recent versions of Apple macOS on-the-fly encrypting all data either as an automated Filevault component, or as a user configurable subsystem allowing more advanced configurations. Encryption capabilities of both the Apple Silicon and the APFS filesystem may be an effective basis for a more complex data security scenario. APFS remains a closed-source commercial product.
    • Cryptographic containers and modular volume encryption — systems of simpler block encryption, effectively encrypting full volumes and maintaining virtualised cryptographic containers, usually open-source allowing independent security reviews.
      ExampleVeraCrypt — a modern fork of TrueCrypt
  • Encrypting stack filesystems — solutions for stack filesystems operation at the user level, most often used to securing particular pools of data
    ExampleeCrypFs for Linux or EncFS available on several platforms
  • Cloud-optimised data encryption — encryption systems by design optimised for deployments in third-party clouds and data exchange systems
    Examplegocryptfs or cryfs available on several platforms
Confidentiality of communication and secure data exchange
Miniature networks

Advanced computer networks

Engineering, deployment, security and optimisation of secure high performance computer networks
Secure local networks
  • Network management
    • Active security of wired and wireless networks — network gateways, packet filtering and active network traffic management and profiling
    • Advanced management of Internet access endpoints on own hardware and software
  • Advanced network infrastructure
    • Wired networks
      • Ethernet networks with throughput up to 10 Gbit/s
      • Local networks requiring secure access authentication
      • Ethernet encryption
    • Wireless networks
      • Standard WiFi 6 and 7 wireless network
      • High performance wireless networks with throughput up to 2.5 Gbit/s
      • Multi-layered wireless network encryption
      • Wireless networks access authentication systems
    • Networks providing complete Ubiquiti Unifi functionality
  • Network peripherals
    • Ethernet oriented Network Attached Storage (NAS) disk resources
    • Printing servers and networked printers
    • Multi source and redundant power management for the whole networks
Network as secure work environmentSpecialised network services
Miniature Cloud

Private and public clouds

Engineering, deployment and management of private and public cloud services
Private cloudsPublic clouds