Skip to content

marcmav/bedrock

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

362 Commits
 
 
 
 

Repository files navigation

=======
bedrock
=======

A playbook of the architectural root of my security model. It defines the foundational layers, principles and controls that every system must satisfy before it can be considered trusted.

Scope: Bedrock defines the security architecture for personal computers (the layers I can consistently control on every machine I own), infrastructure outside the host (e.g., routers, security keys and other external hardware) is intentionally out of scope.
While some controls incidentally improve privacy, every control in Bedrock is included because it strengthens the system's security.

======================
Defense-in-Depth Model
======================

Defense-in-Depth is a security architecture principle that layers independent controls across different domains so that no single point of failure results in total compromise. Each layer assumes the layers above it are untrusted and the layers below it are already hardened. A threat that bypasses one control must still defeat every subsequent layer to reach its objective.

Bedrock implements this model sequentially from the system's lowest trust boundary outward to digital identities. If a lower layer is compromised, the structural integrity of every layer above it is fundamentally invalid.

[ Layer 5: Alias ] --- Digital Identities, Email Accounts, Online Accounts
    [ Layer 4: Credentials ] --- Password Manager, Authenticator
        [ Layer 3: Interface ] --- Browser, Search Engine
            [ Layer 2: Gateway ] --- Firewall, DNS, VPN
                [ Layer 1: Host ] --- Operating System
                    [ Layer 0: Core ] --- Firmware, Bootloader

=============
Layer 0: Core
=============

The Core layer represents the lowest trust boundary of a system. It consists of the firmware, which initializes hardware and establishes the initial trust state of the machine, and the bootloader, which is responsible for loading and transferring execution to the operating system. If this layer is compromised, no software control above it can be trusted.

----------
Components
----------

> - Firmware
> - Bootloader

---------
Principle
---------

Physical access to an unprotected Core is equivalent to full system compromise. Every layer above this one assumes the Core has not been tampered with.

---------
Objective
---------

Establish a trustworthy startup chain and ensure that only authorized code executes before the operating system gains control.

--------
Controls
--------

> - Firmware Updates
    Firmware is software. It has vulnerabilities and CVEs and must be updated like any other component in the stack.

> - Firmware Password
    Protects firmware settings from unauthorized modification. (Without it, anyone with physical access can disable Secure Boot, change the boot order and boot from external media).

> - Native UEFI Boot Mode
    Enforce native UEFI boot mode instead of legacy BIOS compatibility mode (CSM). UEFI provides the foundation for modern platform security features such as Secure Boot and TPM-based measured boot. CSM must be disabled unless required for compatibility reasons and should be re-disabled immediately after use. Legacy boot paths increase complexity and bypass modern platform security mechanisms, therefore they should remain disabled whenever possible.

> - Secure Boot
    Enabling it ensures only cryptographically signed bootloaders are allowed to execute. (Prevents bootkits and rootkits from loading before the OS has a chance to defend itself).

> - Boot Order
    Restrict boot sources to only those required for normal operation. External and network boot should be disabled when not needed. (Disabling USB and network boot eliminates the ability to boot a live OS or run cold boot attacks against the machine)

> - Memory Execution Protection
    Ensure processor-level execution prevention such as Intel XD (Execute Disable) or AMD NX (No-eXecute) are enabled in the firmware settings. These features enforce memory execution boundaries by preventing regions intended for data storage from being executed unless explicitly permitted. (A foundational mitigation against buffer overflow and memory corruption exploits, most modern processors support it but it must be explicitly enabled in firmware).

> - Component Minimization
    Disable firmware-level features and interfaces that are not required for the system's intended purpose. Every enabled component increases the attack surface and should be justified.

> - TPM (Trusted Platform Module)
    If supported, the TPM can securely store encryption keys and binds them to the system's measured boot state. Used in conjunction with full-disk encryption to bind decryption keys to a measured boot state, helping detect unauthorized modifications during startup. This allows the platform to verify the integrity of the boot chain before releasing protected secrets, helping detect unauthorized modifications to firmware, the bootloader or other boot components.

> - Decryption Key Protection
    Require a passphrase in addition to TPM verification before the decryption key is released. The key should only be released when both the measured boot state is trusted and a valid authentication factor has been provided. Platform integrity alone does not verify the user and user authentication alone does not verify the platform.

> - Bootloader Updates
    Bootloaders are software and must receive security updates.

> - Bootloader Configuration Integrity
    Ensures boot configuration has not been tampered with between boots. (The bootloader configuration controls how the operating system starts and can be abused to bypass OS-level security mechanisms if altered). Use mechanisms that authenticate or verify configuration changes before they are accepted, such as signed/enrolled configuration files, bootloader passwords or strict file permissions depending on the bootloader implementation.

> - Single Trusted Boot Path
    Maintain a single, intentional boot path. Every additional bootloader, operating system, or boot entry increases complexity and attack surface.


=============
Layer 1: Host
=============

The Host layer is the operating system. It establishes the trusted execution environment upon which every user process, application and security control depends. It is responsible for system configuration, resource management, privilege enforcement, process isolation and mediating access between user-space software and the underlying hardware. If this layer is compromised, every software component and security control above it must also be considered untrusted.

----------
Components
----------

> - Operating System

---------
Principle
---------

The operating system is the highest-privilege software layer on the machine. Every process, file and network connection is subject to its rules. A compromised Operating System is a compromised machine.

---------
Objective
---------

Deploy a minimal, auditable and actively maintained operating system that enforces strict access controls and exposes the smallest possible attack surface.

--------
Controls
--------

> - Operating System Selection
    Choose an open-source, actively maintained operating system with a transparent security model. Open source enables independent review of the codebase and provides greater visibility into how the system operates.

> - Minimal Installation
    Build the operating system from the smallest practical installation and install only the components required for its intended purpose.

> - Service Minimization
    Disable or remove services that are not required or that won't be used. (Every running service is an attack surface).

> - Full-Disk Encryption
    Encrypt all data at rest. Without it, physical access to the storage device is sufficient to bypass operating system access controls and recover stored data. If supported, combine full-disk encryption with TPM-based key protection as described in Layer 0.

> - User Authentication
    Require user authentication before granting access to the operating system session. Full-disk encryption protects data while the system is powered off, but it does not verify the identity of the person using the machine after the encrypted volume has been unlocked. Automatically lock inactive sessions and require re-authentication after suspend, hibernation or screen lock.

> - System Updates
    The operating system and installed software must be updated regularly. (Vulnerabilities lose much of their impact once patched).

> - Secure Software Sources
    Install software from trusted and verifiable sources. Prefer official repositories and cryptographically verified packages. (Avoid unofficial repositories and untrusted installation scripts).

> - Application Minimization
    Install only software that serves a defined purpose. (Unnecessary software increases complexity and attack surface).

> - Least Privilege
    Daily activities should be performed as a standard user. Root privileges should only be used when required.

> - Exploit Mitigations
    Ensure the operating system and kernel enforce available exploit mitigation mechanisms such as Address Space Layout Randomization (ASLR), hardware-backed execution prevention (NX/XD) and other memory protection technologies. These protections build upon the hardware capabilities established in Layer 0 and significantly increase the difficulty of exploiting memory corruption vulnerabilities.

> - SSH Hardening
    If remote administration is required, use public key authentication, disable password authentication, prohibit direct root login and expose the SSH service only when necessary.

> - Mandatory Access Control
    Enforce process-level access controls beyond standard Unix permissions. (Limits the blast radius of a compromised process).

> - Application Sandboxing
    Isolate high-risk applications from the rest of the system. (A browser should only have access to the network and downloads, a multimedia viewer should only have access to the file it is opening and nothing more).

> - Audit and Hardening Verification
    Periodically run a system hardening audit to identify misconfigurations and gaps.


================
Layer 2: Gateway
================

The Gateway layer represents the host's communication boundary with external networks. It consists of the mechanisms responsible for filtering, resolving and protecting network traffic before it reaches or leaves the machine. A misconfigured or unmonitored Gateway exposes every layer above it to remote threats regardless of how well they are hardened.

----------
Components
----------

> - Firewall
> - DNS
> - VPN

---------
Principle
---------

Every connection established or accepted by the host is a direct expansion of the system's attack surface. The external network is hostile and untrusted by default.

---------
Objective
---------

Establish a trusted communication path by minimizing network exposure, restricting unnecessary connectivity and ensuring the authenticity and confidentiality of network traffic.

--------
Controls
--------

> - Default Deny Inbound (Firewall)
    Block all inbound connections by default. Only explicitly permitted traffic should reach the machine.

> - Outbound Filtering (Firewall)
    Restrict outbound connections to only what is necessary. Limits the impact of malware attempting to phone home or exfiltrate data.

> - Trusted Resolver
    Route DNS queries through a trusted resolver with a verified no-log policy and support for DoT/DoH and DNSSEC. Prefer providers with transparent privacy practices and independent security audits.

> - DNS over TLS / DNS over HTTPS
    Encrypt DNS queries in transit. Unencrypted DNS exposes every domain you resolve to your ISP and any on-path observer. (Prevents local network observers or ISPs from eavesdropping on your browsing requests or altering DNS responses).

> - DNSSEC Validation
    Validate DNS responses are cryptographically signed and have not been tampered with in transit. (Prevents DNS spoofing and cache poisoning).

> - DNS Content Filtering
    Use DNS-based filtering to block known malicious domains, trackers, telemetry endpoints and user-defined unwanted domains during name resolution before a connection can be established.

> - DNS Leak Prevention
    Ensure all DNS queries are routed through the configured resolver and not leaking to the ISP or a default system resolver. Verify periodically.

> - VPN
    Route traffic through a trustworthy, audited and open-source VPN provider with a transparent privacy policy, modern cryptography and independent security audits when operating on untrusted networks. A VPN shifts trust from the ISP or local network to the VPN provider so choose accordingly.

> - Mandatory Network Kill-Switch
    The system transport routing must enforce a strict kill-switch rule. If the encrypted VPN tunnel drops, all clear-text outbound traffic must be instantly blocked by the firewall rather than leaking over the fallback interface.

> - Public Networks
    Treat public networks as hostile. Always use a VPN when accessing untrusted networks and avoid transmitting sensitive information without appropriate encryption.

> - Minimize Exposed Services
    Disable or avoid exposing network services that are not explicitly required. (Every listening service increases the remote attack surface).

> - Network Monitoring
    Periodically audit active connections and listening ports to identify unexpected outbound traffic or exposed services.

> - Secure Protocols
    Prefer protocols that provide authentication and encryption by default. Avoid deprecated or insecure protocols whenever modern alternatives exist.


==================
Layer 3: Interface
==================

The Interface layer is the primary point of interaction between the user and the open internet. It consists of the browser and search engine, through which external content is discovered, requested, rendered and interacted with. This layer routinely processes untrusted input from remote systems, making it one of the largest attack surfaces on a modern host. If compromised or misconfigured, adversarial content can reach the system regardless of how well the underlying layers are hardened.

----------
Components
----------

> - Browser
> - Search Engine

---------
Principle
---------

The browser is the largest attack surface on a modern machine. It executes arbitrary remote code, renders untrusted content and manages persistent state across sessions. Every extension, setting and permission granted is a trust decision.

---------
Objective
---------

Deploy a hardened browser that minimizes exposed attack surface, enforces strict identity compartmentalization and safely mediates interactions with untrusted web content.

--------
Controls
--------

> - Browser Selection
    Use an open-source browser with a transparent security model, an active security patch cadence and advanced process isolation. (Avoid closed-source browsers that enforce opaque profiling or aggregate user tracking data).

> - Browser Hardening
    Apply a hardened browser configuration that minimizes telemetry, reduces browser fingerprinting and disables unnecessary features.

> - HTTPS Enforcement
    Enforce HTTPS-only mode. Refuse to load resources over unencrypted connections.

> - Permission Minimization
    Deny browser access to camera, microphone, location and notifications by default. Grant permissions only when explicitly required and revoke immediately after.

> - Extension Minimization
    Install only extensions that serve a defined security or privacy purpose. (Every extension runs with elevated browser privileges and is a potential attack vector).

> - Content Blocking
    Block advertisements, trackers and known malicious scripts at the browser level by default as a second layer of defense after DNS filtering, enabling them only in explicit cases. (Reduces both privacy exposure and the likelihood of malicious script execution).

> - URL Tracking Stripping
    Strip tracking parameters from URLs before requests are made. (Prevents the linkage of distinct browsing sessions across different services).

> - Cookie Management
    Limit persistent cookies and regularly clear browsing data. Isolate website state to reduce cross-site tracking.

> - Identity Compartmentalization
    Separate browsing activities into distinct browser profiles or containers according to their trust tier. (This reduces credential exposure, limits session leakage and confines the impact of browser compromise).

> - First-Party Isolation & Partitioning
    Enforce strict state partitioning and cookie isolation. Cookies, local storage and caches must be separated by the top-level domain. (Prevents tracking networks from profiling activities across different websites).

> - Search Engine Selection
    Use an independent, non-profiling search engine that does not build a behavioral profile or correlate queries to an identity.

> - Search Isolation
    Search queries must not be tied to an authenticated account or a persistent identity. Avoid signing into any account within the primary browsing context.

> - Download Verification
    Treat every downloaded file as untrusted until its integrity and origin have been verified.

--------------
Profile Tiers
--------------

Browser activity is separated into distinct profiles according to trust level and purpose. Each tier operates under a different set of permissions, extensions and hardening settings. A session in a lower-trust tier must never share state, cookies or identity with a higher-trust tier.

[ Tier 0: Root ]
    [ Tier 1: Professional ]
        [ Tier 2: Personal ]
            [ Tier 3: Disposable ]


> - Tier 0: Root
    Used exclusively for sensitive authenticated sessions such as banking, government services, password manager and primary email.
    Maximum hardening. No general browsing. No extensions beyond essentials.

> - Tier 1: Professional
    Used for operational workflows, technical research, professional accounts and trusted learning resources.
    Strict hardening. No extensions beyond essentials.

> - Tier 2: Personal
    Used for daily personal tasks, general media consumption and streaming.
    Moderate hardening. Standard extension set active.

> - Tier 3: Disposable
    Used for investigating unknown links, testing untrusted web applications, and performing general and transient clear-net lookup.
    Moderate Hardening. No persistent state.

(Will document further more)


====================
Layer 4: Credentials
====================

The Credentials layer protects the secrets that authenticate identity across every service, account and system. It consists of the password manager and Multi-factor authenticator, the two mechanisms responsible for generating, storing and producing proof of identity on demand. If this layer is compromised, every account and service above it is accessible to the adversary regardless of how well the layers below it are hardened.

----------
Components
----------

> - Password Manager
> - Authentication

---------
Principle
---------

Credentials are proof of identity, their confidentiality determines the security of every account they protect. A weak, reused or exposed credential collapses the boundary between the adversary and everything you have access to.

---------
Objective
---------

Establish a centralized, encrypted and recoverable credential management system that minimizes secret exposure while enforcing strong, multi-factor authentication across every supported service.

--------
Controls
--------

> - Password Manager Selection
    Use an open-source, audited password manager. If using a local file-based database, it must be strongly encrypted and synchronized only via end-to-end encrypted local channels. If using a cloud vault, it must use zero-knowledge local encryption before transmission with end-to-end encryption.

> - Strong Password Generation
    All passwords must be randomly generated by the password manager. (Human-chosen passwords are predictable).

> - Master Password Strength
    The password manager master password must be the strongest credential in the entire stack. It must be long, random and memorized, never written in plaintext or stored digitally outside the vault.

> - Unique Passwords
    Every account must have a unique password. (Credential reuse means a single breach propagates access across every service sharing that password).

> - Automated Clipboard Purging
    The password manager utility must be configured to automatically clear copied credentials from the system clipboard after a short period. (Reduces the window of exposure for local background processes to sniff copied credentials).

> - Vault Lifecycle & Lock Timing
    The vault must automatically lock itself after a brief period of system inactivity or whenever the host machine suspends. It must never remain unlocked in the background indefinitely.

> - Multi-Factor Authentication
    Enable MFA wherever supported. Authentication should require something more than a password alone.

> - TOTP Authenticator Selection
    Use an open-source, locally encrypted TOTP application with no cloud dependency.

> - TOTP Over SMS
    Use time-based one-time passwords (TOTP) as the second factor wherever possible. (SMS-based 2FA is vulnerable to SIM swapping and interception and must be avoided).

> - Passkeys
    Prefer passkeys where supported. Hardware-backed, phishing-resistant authentication reduces reliance on passwords while maintaining strong security guarantees.

> - Authentication Decoupling
    Consider storing TOTP secrets separately from the primary password vault for high-value accounts. (This reduces the impact of a single vault compromise).

> - 2FA Coverage
    Every account that supports a second factor must have one enabled. Prioritize accounts that protect email, financial services, primary identity and the password manager itself.

> - Vault Access Hardening
    Access to the password manager must itself be protected by a second factor. (The vault is the single point of failure for the entire credentials layer).

> - Recovery Codes
    Store recovery codes offline in a secure location. They are equivalent to authentication credentials and must receive the same protection.

> - Secret Sharing
    Credentials must never be transmitted through insecure communication channels. Share secrets only through encrypted mechanisms when absolutely necessary.

> - Credential Verification
    Credentials must never be entered on a domain that has not been independently verified. (Use the password manager's domain matching capabilities to reduce the risk of credential submission to fraudulent websites).

> - Credential Rotation
    Rotate credentials immediately after suspected compromise or unauthorized disclosure. (Routine password rotation without evidence of compromise is generally unnecessary).

> - Credential Auditing
    Periodically review stored credentials for duplicates, weak passwords and accounts that are no longer required.

> - Breach Monitoring
    Monitor accounts against known breach databases to identify exposed credentials before they are exploited.


==============
Layer 5: Alias
==============

The Alias layer is the outermost boundary of the security model. It defines how identity is projected across the internet through email addresses, online accounts, public personas and any other persistent identifier tied to online activity. If this layer is compromised or poorly compartmentalized, an adversary can correlate identities, recover accounts or propagate compromise across unrelated services.

Note: A dedicated anonymous identity with a disposable email handles all untrusted registrations. Alias forwarding services are intentionally out of scope.

----------
Components
----------

> - Digital Identities
> - Email Accounts
> - Online Accounts

---------
Principle
---------

Your real identity is a liability on the open internet. Every service that knows your real name, email or phone number is a potential breach vector. The less your real identity appears in external systems, the smaller the target.

---------
Objective
---------

Establish compartmentalized digital identities that minimize trust relationships, limit the impact of compromise and preserve long-term control over every account.

--------
Controls
--------

> - Identity Separation
    Separate identities according to their purpose. A root, professional, personal and a disposable identity must never share identifiers or linked accounts. (An identity should never become a single point of failure, every alias must be intentionally scoped, independently recoverable and isolated from unrelated activities, a breach of one service exposes only that alias, not the primary address or any other account).

> - Email Provider Selection
    Use an open-source, security-focused email provider that supports strong account protection, modern authentication mechanisms and transparent privacy practices based outside high-surveillance jurisdictions.

> - Dedicated Email Addresses
    Use separate email addresses for root (primary email), professional (work, school, etc), personal (social media, etc) and disposable identity.

> - Primary Email Protection
    The primary email account is the root of account recovery for most services. It must receive the strongest available protections, including unique password, MFA and recovery code storage.

> - Primary Email Exposure Minimization
    The primary email address must never appear in public registrations, forums, social profiles or any externally visible field. Treat it as a private internal routing address.

> - Phone Number Exposure
    Avoid associating your primary phone number with services unless required. Where appropriate, use separate numbers for different trust domains.

> - Minimal Personal Disclosure
    When creating accounts, provide the absolute bare minimum required data to satisfy the system registration constraints. Optional profile fields should remain empty unless there is a legitimate need. (Every field completed is a data point available to scrapers and advertisers).

> - Federated Login
    Avoid authenticating to external services through third-party identity providers (e.g. "Sign in with Google"). Federated login ties your primary identity account directly to every connected service and creates a single point of failure across all of them.

> - Identity Consistency
    Every account should conform to the standards established in the Credentials layer. No account should exist outside the password manager or without appropriate authentication protections when supported.

> - Account Minimization
    Maintain the fewest external accounts necessary. Every account is a potential breach vector and an identity footprint that must be managed indefinitely.

> - Security Notifications
    Enable login alerts and account security notifications wherever available to detect unauthorized access promptly.

> - Breach Response
    If an identity is suspected of compromise, immediately rotate credentials, invalidate active sessions, review recovery settings and notify affected services where appropriate.

> - Account Decommissioning
    Accounts that are no longer required must be deleted rather than abandoned. Abandoned accounts accumulate personal data and become targets for credential stuffing and takeover. (Dormant accounts expand the attack surface and are often forgotten).

> - Recovery Path Review
    Periodically verify recovery email addresses, recovery phone numbers and trusted devices. Every recovery path must remain accurate, intentional and under your control.

> - Third-Party Authorization Review
    Periodically review applications and services that have been granted access to online accounts. Revoke access that is no longer required.

> - Session Management
    Periodically review active sessions and revoke devices that are no longer recognized or trusted.

..........................................................................................

Trust is cumulative. Every layer inherits its trust from the integrity of the layer beneath it. No control implemented above a compromised layer can fully compensate for the loss of trust below it.

..........................................................................................

About

The starting point of a personal secure system

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors