One of the things that sets Gibberfish apart from most hosted services is that we give each client a dedicated baremetal server. To keep their data as secure and private as possible, we simply install our management software and then lock ourselves out of the box, permanently. That software is called “daygate”, also known as the Gibberfish Management Portal. Through a simple web interface that runs as a Tor onion service, administrators can kick off a fully automated installation simply by typing in their own encryption passphrase. That passphrase is then used to encrypt the volume where all of their data resides (including the database files which store sensitive things like private keys and passwords) and is then wiped from memory. This is how we guarantee that our clients are the sole owners of their data. However, we’d like to take this a step further by giving our users the proverbial keys to the kingdom: root access.
Since we don’t maintain a shared infrastructure, we have the flexibility to give our clients absolute control. In the near future we will be rolling out the ability to upload public SSH keys. This will not only let clients customize their server as they see fit¹, but more importantly it will allow them to verify our promise that we have not left any back doors into our servers. There is no need to trust us when you can verify it for yourself.
However, this can also present a significant risk. If an attacker gains root access to the server, it’s basically game over. We don’t feel that a traditional username and password combo is strong enough security to protect this capability, so we will simultaneously begin requiring two-factor authentication (2FA) in order to access this feature. 2FA adds one additional step to the login process. After the administrator enters their username and password, they will be prompted for a 6-digit passcode that changes every 30 seconds. By scanning a QR code with an app such as FreeOTP, administrators will be able to generate these codes on the fly. This means that an attacker would not only need to know your password, but also have access to your mobile device, which provides far more robust security than a username and password alone.
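The 6-digit, 30-second codes described above match standard TOTP (RFC 6238). As an added example (not Gibberfish's code; the page does not state the portal's algorithm or parameters), this Python block assumes HMAC-SHA1 TOTP and shows the enrollment URI a QR code carries, code generation, and server-side verification with clock-skew tolerance and replay rejection. The issuer, account name and secret used with it are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30    # seconds per code, as described on the page
DIGITS = 6   # code length, as described on the page


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed 30-second steps."""
    return hotp(secret, int(unix_time) // STEP)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI that the enrollment QR code encodes for the phone app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


def verify(secret: bytes, submitted: str, unix_time: float,
           last_used: int, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Accepts +/- `window` steps of clock skew. Any step at or before
    `last_used` is refused, so a code observed by an attacker cannot be
    replayed. The caller must persist the returned step as the new last_used.
    """
    current = int(unix_time) // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used:
            continue
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None
```

The shared secret in the URI is the whole second factor, so the server has to store it as carefully as the private keys mentioned earlier, and the enrollment QR code should be shown only once.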
In the future we will also enhance the portal with other useful features, such as power control, and the ability to securely wipe and destroy the server on demand.
We’re currently testing 2FA on our own Gibberfish instance. Look for it in the coming weeks.
(¹ within the limits of our Terms of Service, of course)