{"id":1219,"date":"2025-09-06T16:51:49","date_gmt":"2025-09-06T14:51:49","guid":{"rendered":"https:\/\/sven-seeberg.de\/wp\/?p=1219"},"modified":"2025-09-06T17:38:31","modified_gmt":"2025-09-06T15:38:31","slug":"operating-an-offline-network-behind-a-data-diode","status":"publish","type":"post","link":"https:\/\/sven-seeberg.de\/wp\/?p=1219","title":{"rendered":"Operating an Offline Network Behind a Data Diode"},"content":{"rendered":"\n<p>I have been using an offline network behind a <a href=\"https:\/\/github.com\/svenseeberg\/data-diode\">data diode<\/a> for several years now. The data diode only allows transferring data from the internet into the offline network; there is no back channel to the internet. Since I switched from a serial to a fiber-optic connection, the speeds are suitable for day-to-day use. In this post I want to share my use cases and experiences.<\/p>\n\n\n\n<p>My goals in using an offline network:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Securely creating and storing private keys, for example PGP. 
The private keys are copied to hardware security modules (Yubikeys\/Nitrokeys) for online usage.<\/li>\n\n\n\n<li>Backup of highly important data, for example .kdbx files.<\/li>\n\n\n\n<li>Offline knowledge management for very private information.<\/li>\n<\/ul>\n\n\n\n<p>Overview of my network topology:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"930\" height=\"957\" src=\"https:\/\/sven-seeberg.de\/wp\/wp-content\/uploads\/2025\/09\/data-diode-network-topo.png\" alt=\"\" class=\"wp-image-1224\" srcset=\"https:\/\/sven-seeberg.de\/wp\/wp-content\/uploads\/2025\/09\/data-diode-network-topo.png 930w, https:\/\/sven-seeberg.de\/wp\/wp-content\/uploads\/2025\/09\/data-diode-network-topo-292x300.png 292w, https:\/\/sven-seeberg.de\/wp\/wp-content\/uploads\/2025\/09\/data-diode-network-topo-768x790.png 768w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/><\/figure>\n\n\n\n<p>I generally use sshfs to transfer data between the devices in the online and internal offline network.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the online network, the desktop devices use sshfs to mount the &#8220;send&#8221; directory of the public-facing Raspberry Pi of the data diode.<\/li>\n\n\n\n<li>In the offline network, the desktop devices use sshfs to mount the &#8220;receive&#8221; directory of the internal-facing Raspberry Pi of the data diode.<\/li>\n\n\n\n<li>Additionally, the internal-facing Raspberry Pi runs the OpenBSD httpd server to serve a mirror of the OpenBSD install, syspatch, packages and firmware directories for the amd64 and arm64 architectures.<\/li>\n<\/ul>\n\n\n\n<p>In the offline network, I currently use the following OpenBSD packages for a very lightweight setup:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/zim-wiki.org\/\">Zim<\/a> for managing information<\/li>\n\n\n\n<li><a href=\"https:\/\/git-scm.com\/\">git<\/a> for versioning the Notebook directories created by 
Zim<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/libfuse\/sshfs\">sshfs<\/a> for mounting the diode directories<\/li>\n\n\n\n<li><a href=\"https:\/\/keepassxc.org\/\">KeePassXC<\/a> for reading and managing kdbx backups and secrets that are only stored in the offline network<\/li>\n\n\n\n<li><a href=\"https:\/\/midnight-commander.org\/\">mc<\/a> (Midnight Commander) for managing files<\/li>\n\n\n\n<li><a href=\"https:\/\/i3wm.org\/\">i3<\/a> with i3lock and i3status as a desktop manager<\/li>\n\n\n\n<li><a href=\"https:\/\/www.gnupg.org\/\">gnupg<\/a> for managing PGP keys<\/li>\n<\/ul>\n\n\n\n<p>My experiences so far:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The data diode speed of about 0.5 MB\/s is sufficiently fast to transfer OpenBSD updates and the limited set of packages into the internal network in a reasonable amount of time. It takes me 1 to 2 hours to download and transfer all files for a new OpenBSD major release.<\/li>\n\n\n\n<li>I rarely have issues with OpenBSD in the offline network. Managing a mirror with all required files and packages does not require a lot of effort. I use the normal tools (sysupgrade, syspatch, pkg_add, fw_update) to manage the software.<\/li>\n\n\n\n<li>The offline desktop devices use OpenBSD full disk encryption. As I have a screen and a keyboard, I can directly unlock the disk during boot.<\/li>\n\n\n\n<li>The offline server only encrypts the \/home directory so that it can boot without me attending the process. To mount the \/home partition, I enter the disk password via SSH from a desktop device.<\/li>\n\n\n\n<li>I use the \/home directory on the internal server as a backup destination for the files I work with on the offline desktop devices:\n<ul class=\"wp-block-list\">\n<li>git repos are directly synchronized with git push<\/li>\n\n\n\n<li>other files are copied via sshfs and mc<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>I boot up the devices in the offline network only a few times a year. 
This usually happens when I need to rotate keys, create backups of new important secrets, or update the OpenBSD systems in the internal network.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I have been using an offline network behind a data diode for several years now. The data diode only allows transferring data from the internet into the offline network; there is no back channel to the internet. Since I switched from &hellip; <a href=\"https:\/\/sven-seeberg.de\/wp\/?p=1219\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1219","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1219"}],"version-history":[{"count":17,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1219\/revisions"}],"predecessor-version":[{"id":1239,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1219\/revisions\/1239"}],"wp:attachment":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1219"},{"taxonomy":"post_tag","embeddable":true,"href
":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}