Ask HN: Where can I find tamper resistant server hardware?
Hi HN!
I'm looking for a manufacturer of tamper resistant server hardware for a side project.
The main requirement: in case of an attempt to access server internals the server has to be either shut down by its firmware or this event has to be obtainable from our software.
Access to server internals is something like this:
- attempt to open server chassis lid;
- attempt to drill a hole in server chassis;
- any other mechanical brute force attempt to access internal hardware like HDD or RAM.
Also it has to be tamper proof: after the tamper event the server should not boot in normal mode (looks like it has to be implemented in firmware) so it would be evident for the operator that tamper event took place.
And the last one: tamper detection should be active even while it's powered off.
Could anyone please suggest a manufacturer of such hardware? I don't know a suitable manufacturer. But I'm curious: do you care about the physical form-factor of the server enclosure? When you say "chassis lid", it makes me think you're envisaging a 19" rack-mount server chassis? I had some exposure to an environment where all networking was fiber in a pressurized conduit with transparent faceplates, etc. There's some FIPS 140-2 L4 suitable plastic wrap/lining that's available for tamper detection, but that doesn't work without power applied, as far as I know. How far do you want to go here? It sounds like you just want the attempt logged, but don't want to wipe keys, or trigger the embedded thermite? Yes, 19" rack-mount server chassis would be a perfect solution, but it is not mandatory. The previous best bet were ORWL devices but I never managed to use them because of several nasty bugs. An idea to wrap equipment in some kind of a sealant is interesting, but I suppose that we'll face overheating problems in this case. There is no need to automagically wipe data or to explode anything: sensitive data is protected by encryption, during system startup key are loaded from external removable storage. But I have to be sure that software was not tampered with while server was offline. Did you find this firm? https://privatemachines.com/enforcer/ Never did, thank you! I'll try to contact them!