

Ask HN: Tips to build an OpenBSD Thinkpad for airgap use? - niels_olson

I'm interested in setting up an airgap machine. My gut says I should run OpenBSD on a ThinkPad and just figure out all the dependencies. Tails sounds good too, though that's a slightly different problem. I want a permanent system. I just don't want it on the network much and I do want it to handle protocols well. Seems like OpenBSD is the way to go in that regard. But then, I'm definitely not an expert.

There are any number of gotchas to managing an airgap machine though, and there are any number of problems with installing a new OS on a laptop. Wanted to solicit for opinions while I wait for my copy of Absolute OpenBSD to arrive.
======
runjake
INSUFFICIENT DATA FOR MEANINGFUL ANSWER [1]

Why?

What does the OS or network config matter if it's "airgapped"?

What do you consider an "airgapped machine"?

[1] [http://www.multivax.com/last_question.html](http://www.multivax.com/last_question.html)

~~~
niels_olson
> What does the OS or network config matter if it's "airgapped"?

Fundamentally, you're still moving data on and off the machine. The software
implementing the communications protocols can still be vulnerable. So the
procedures for maintaining the airgap matter. Schneier has some good pointers
on this.

> What do you consider an "airgapped machine"?

A machine that, once set up, never sees a network. At the limit, set up one
machine, scan that disk image for viruses, then install it on a second
identical machine.

~~~
runjake
Yes but why? What are your goals? What conclusion are you trying to arrive at?
Is TEMPEST a concern? Is hardware that may break your airgap (bluetooth, any
weird IPMI stuff, etc) a concern?

A meaningful answer cannot be given if we don't know your goals, here.

~~~
niels_olson
Mostly academic curiosity, but being in the government, there's always a
non-theoretical risk someone will decide to come after you.

