zHIVErbox - pronounced like 'cypher box' (sī′fər bŏks) - is an unfairly secure
and unfairly cheap base system for the era of distributed networks (meshnets).
Minds joining those networks form a HIVE (swarm) of self-sovereign individuals
who DON'T TRUST, BUT VERIFY.
zHIVErbox is based on Armbian, a Debian-based distribution for single-board ARM development boards.
Unfortunatly, security cannot be provided as a simple 'download'. A secure system requires individual encryption and a secure source of randomness (entropy). Therefore a secure system can only be created by self-sovereign individuals themself - and only for themself. However, not everybody in a HIVE (society) can aquire the highly specialized knowledge and skills to create their own secure system from scratch.
Therefore Cypherpunks write software and provide technology that can be used by
other individuals to achieve the same level of security, privacy and self-
sovereignty. Those tools should be as user friendly as possible without
compromising on security. Ideally, those tools still provide a certain level of
education, to retain their users from developing a 'blindly trusting attitude'.
DON'T TRUST! VERIFY!
zHIVErbox is a set of open source tools following these guidelines while
maintaining a security first approach.
While Armbian is perfect for development purposes, zHIVErbox customizations try
to turn Armbian into a Security Fortress for production purposes. The goal is
to reduce typical and possible attack vectors to a minimum.
High-level differences with Vanilla Armbian:
- LUKS encrypted root partition with Btrfs filesystem / subvolumes (flat layout)
- LUKS encrypted data partition on the attached hard disk (Odroid HC1/HC2)
- Security-hardened Linux kernel
- Firewall (ferm) to block all inbound/outbound Clearnet traffic by default
- Enforces SSH public-key authentication
- Enforces all Internet traffic (incl. DNS) over Tor
- Tor-based time syncing instead of NTP (tordate and htpdate)
- Filter (proxy) for fine-graned access to Tor control port (onion grater)
- Ships with Cjdns (OSI-Layer-3 meshnet routing software) by default
- Ships with KadNode (DHT based, decentalized DNS alternative) by default
- Ships with IPFS (InterPlanetary File System) by default
- btrfs-snap tool for easy cron-based btrfs snapshots
For details please see the Security Design (SECURITY.md).
As many meshnet applications (IPFS, Bitcoin, ...) require a significant amount
of storage, there's only one cheap and consumer-friendly single-board computer
available right now - that allows to attach a hard disk in a solid/reliable way:
The Odroid HC1/HC2
Therefore zHIVErbox is currently only designed for and tested on the
Odroid HC1/HC2 (and therefore implicitly their parent also, the Odroid XU4).
But the zHIVErbox distribution would love to support more hardware in the future
if it becomes available.
Please follow the build instructions (BUILD.md)
The build process only creates a source image which allows for distribution to
users, but needs to be customized and re-encrypted by every self-souvereign
individual before installation on their own hardware. zHIVErbox provides an
Installer (currently an Ubuntu shell script) which helps the user with the
required customizations. Please see the installation instructions (INSTALL.md)