Security Design & Unattended Updates
This section focuses on NetAccel’s three security pillars:
- Full-disk encryption and unique device identity
- Two-phase provisioning and encrypted container migration
- Unattended security updates and auditability
1. Full-Disk Encryption (LUKS) & Unique Device Identity
NetAccel’s root partition is protected with LUKS full-disk encryption. The decryption key is derived from multiple sources, such as:
- Hardware ID of the SoC/board (e.g., chipset SID)
- Serial number of the microSD card or SSD
- A high-entropy lab-controlled key (lab key)
The netaccel-unique-id service generates and fixes a persistent device identity during early boot, which is used for:
- Naming and mounting paths for encrypted containers
- Uniquely identifying the device in the Liaison dashboard
- Ensuring “this device is still the same device” during configuration migrations
1.1 Boot Process & Identity Chain (Mermaid)
```mermaid
flowchart TD
    A[Power On / Boot] --> B[U-Boot / Bootloader]
    B --> C[Load Kernel + initramfs]
    C --> D["initramfs: Unlock LUKS Root Partition<br/>Using Key Derived from SID + Serial + Lab Key"]
    D --> E["Mount Encrypted Root /"]
    E --> F[systemd: Start netaccel-unique-id]
    F --> G["Generate /etc/netaccel/unique-id<br/>for Use by Subsequent Services"]
    G --> H["Normal Userspace Startup<br/>(network, dnsmasq, Clash, Beacon, etc.)"]
```
Even if the storage medium is physically stolen, the root partition cannot be decrypted without the combination of the hardware SID and the lab-controlled key.
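The following is an added illustration of the derivation step shown in the diagram; it is not NetAccel's own initramfs keyscript or the netaccel-unique-id service. It binds the three inputs the design names (SoC SID, storage serial, lab key) with HKDF-SHA256 from the standard library and uses a second HKDF label to derive the device identity, so the identity file can be read by later services without revealing anything about the unlock key. The label strings, the length-prefixed encoding and the sample SID/serial/lab-key values are assumptions.

```python
"""Derive the root LUKS key and the persistent device identity from
SoC SID + storage serial + lab key (illustration, not NetAccel's code)."""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                             # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _bind_inputs(soc_sid: str, disk_serial: str, lab_key: bytes) -> bytes:
    """Length-prefix every input so 'ab'+'c' and 'a'+'bc' cannot collide."""
    parts = [soc_sid.encode(), disk_serial.encode(), lab_key]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_luks_key(soc_sid: str, disk_serial: str, lab_key: bytes) -> bytes:
    """32-byte unlock key for the root volume; all three inputs are required."""
    return hkdf_sha256(_bind_inputs(soc_sid, disk_serial, lab_key),
                       salt=b"netaccel-luks-root-v1", info=b"luks-root")


def derive_unique_id(soc_sid: str, disk_serial: str, lab_key: bytes) -> str:
    """Stable identity for /etc/netaccel/unique-id. A different HKDF `info`
    label keeps it computationally unrelated to the unlock key even though
    both are derived from the same inputs (domain separation)."""
    return hkdf_sha256(_bind_inputs(soc_sid, disk_serial, lab_key),
                       salt=b"netaccel-luks-root-v1", info=b"unique-id",
                       length=16).hex()


if __name__ == "__main__":
    # Constructed sample values. On a device the SID comes from the SoC, the
    # serial from the block device and the lab key from provisioning; none of
    # them is stored on the microSD card itself.
    sid, serial = "SOC-SID-0123ABCD", "SD-SERIAL-00112233"
    lab = bytes.fromhex("1f" * 32)
    print("LUKS key :", derive_luks_key(sid, serial, lab).hex())
    print("unique id:", derive_unique_id(sid, serial, lab))
    # The same card in another board (different SID) yields a different key,
    # which is why a stolen card alone cannot decrypt the root partition.
    print("other SID:", derive_luks_key("SOC-SID-FFFFFFFF", serial, lab).hex())
```

In a real initramfs the script would write the raw key bytes to stdout for cryptsetup rather than printing hex, and the lab key would be read from a source that is not on the encrypted medium; the derivation itself is what the block demonstrates.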
2. Two-Phase Provisioning & Encrypted Container Migration
To support scenarios involving a “golden image” deployed across multiple production devices, NetAccel uses a two-phase provisioning model:
- Phase 1 (first-boot-provision): handles generic image initialization, e.g. regenerating the machine ID, creating the initial unique ID file, setting up log directories, and performing the first beacon registration.
- Phase 2 (lock-and-config): after the device has confirmed a stable IP/subnet, it locks network settings, writes persistent configuration files, and finalizes the encrypted container layout.
This design allows the same golden image to be cloned across many devices, while ensuring each ends up with its own unique identity and cryptographic material.
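As an added example of the ordering and idempotency rules the two phases imply (not NetAccel's own first-boot-provision or lock-and-config units), the block below models both phases on a state directory. Phase 1 creates the identity file atomically and never overwrites one that already exists, so re-running it on a provisioned device is harmless; phase 2 refuses to run before phase 1, refuses to run twice, and only proceeds once the same address has been observed on every sample. The file names under the state directory, the "same IP on every sample" stability rule and the use of a random token for the identity are assumptions.

```python
"""Two-phase provisioning state machine for clones of one golden image
(illustration, not NetAccel's code)."""
import ipaddress
import json
import os
import secrets

# Assumed file names; on a device the state directory would be /etc/netaccel.
UNIQUE_ID = "unique-id"
PHASE1_DONE = "phase1.done"
LOCK_FILE = "network.lock"
CONFIG_FILE = "config.json"


def first_boot_provision(state_dir: str) -> str:
    """Phase 1: give this clone its own identity. Idempotent: a second run on
    the same device keeps the identity it already committed."""
    os.makedirs(state_dir, exist_ok=True)
    id_path = os.path.join(state_dir, UNIQUE_ID)
    if not os.path.exists(id_path):
        # 128 bits from the OS CSPRNG; the golden image itself ships no ID.
        tmp = id_path + ".tmp"
        with open(tmp, "w") as f:
            f.write(secrets.token_hex(16))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, id_path)  # atomic rename: never a half-written identity
    open(os.path.join(state_dir, PHASE1_DONE), "w").close()
    with open(id_path) as f:
        return f.read().strip()


def lock_and_config(state_dir: str, observed_ips: list) -> dict:
    """Phase 2: only after phase 1, only once the address is stable, and only once."""
    if not os.path.exists(os.path.join(state_dir, PHASE1_DONE)):
        raise RuntimeError("phase 1 has not completed on this device")
    if os.path.exists(os.path.join(state_dir, LOCK_FILE)):
        raise RuntimeError("network settings already locked")
    if len(set(observed_ips)) != 1:
        raise RuntimeError(f"address not stable yet: {sorted(set(observed_ips))}")
    iface = ipaddress.ip_interface(observed_ips[0])
    with open(os.path.join(state_dir, UNIQUE_ID)) as f:
        unique_id = f.read().strip()
    config = {"unique_id": unique_id, "ip": str(iface.ip), "subnet": str(iface.network)}
    tmp = os.path.join(state_dir, CONFIG_FILE + ".tmp")
    with open(tmp, "w") as f:
        json.dump(config, f)
    os.replace(tmp, os.path.join(state_dir, CONFIG_FILE))
    open(os.path.join(state_dir, LOCK_FILE), "w").close()  # lock is final
    return config


def simulate_two_clones() -> dict:
    """Run both phases for two devices cloned from the same image (temp dirs)."""
    import tempfile
    results = {}
    dev_a, dev_b = tempfile.mkdtemp(), tempfile.mkdtemp()
    results["id_a"] = first_boot_provision(dev_a)
    results["id_a_again"] = first_boot_provision(dev_a)  # re-run keeps identity
    results["id_b"] = first_boot_provision(dev_b)        # other clone, other identity
    try:
        lock_and_config(dev_a, ["10.0.0.5/24", "10.0.0.9/24"])  # DHCP still moving
    except RuntimeError as e:
        results["unstable"] = str(e)
    results["config_a"] = lock_and_config(dev_a, ["10.0.0.5/24"] * 3)
    try:
        lock_and_config(dev_a, ["10.0.0.5/24"] * 3)  # second lock attempt
    except RuntimeError as e:
        results["relock"] = str(e)
    try:
        lock_and_config(tempfile.mkdtemp(), ["10.0.0.5/24"] * 3)  # phase 1 skipped
    except RuntimeError as e:
        results["no_phase1"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in simulate_two_clones().items():
        print(f"{key:10} {value}")
```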
3. Unattended Security Updates
Since NetAccel is designed to run unattended for extended periods, its security update strategy is critical.
- Uses the distribution's unattended-upgrades (or equivalent) to automatically install security patches.
- Writes logs to the encrypted partition to prevent sensitive runtime data from being exposed if the device is stolen.
- Applies conservative policies for kernel/bootloader upgrades to avoid remote updates that could break bootability.
3.1 Unattended Update Pipeline (Mermaid)
```mermaid
flowchart LR
    subgraph SCHED["Scheduled Task / systemd Timer"]
        A[Trigger Daily / Weekly]
    end
    A --> B["Check Network Availability<br/>(Optional: Run Only During Allowed Windows)"]
    B --> C[apt update / Fetch Security Updates]
    C --> D["apt upgrade --with-security<br/>or unattended-upgrades"]
    D --> E["Log to /var/log/netaccel<br/>(on Encrypted Partition)"]
    E --> F{Reboot Required?}
    F -->|Yes| G["Schedule Delayed Reboot<br/>and Write Marker File"]
    F -->|No| H[Continue Running]
    G --> I[Auto-Reboot During Safe Window]
    I --> J[Clean Up Reboot Marker After Successful Boot]
```
Update policies can be tailored to deployment environments—for example, student dorms, homes, or hospital server rooms—each with different “allowed reboot windows.”
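The deferred-reboot branch of the pipeline (marker file, safe window, clean-up after a successful boot), written out as an added example that is not NetAccel's scheduler. It keeps a per-environment table of allowed reboot windows, defers a required reboot to the next window, records the pending reboot in a marker file, and clears the marker only after userspace reports a healthy boot, so a device stuck in a boot loop keeps the evidence that an update-triggered reboot was pending. The window table, the environment names, the marker path and the 8-day search horizon are assumptions.

```python
"""Reboot-window policy for unattended updates (illustration, not NetAccel's code)."""
import os
from datetime import datetime, time, timedelta

# Constructed per-environment windows: (weekday or None for any day, start, end),
# in device-local time. weekday() == 6 is Sunday.
REBOOT_WINDOWS = {
    "dorm":     [(None, time(3, 0), time(5, 0))],
    "home":     [(None, time(2, 0), time(4, 0))],
    "hospital": [(6, time(2, 0), time(3, 0))],   # Sunday early morning only
}


def in_window(env: str, now: datetime) -> bool:
    """True if `now` falls inside one of the environment's allowed windows."""
    for weekday, start, end in REBOOT_WINDOWS[env]:
        if (weekday is None or now.weekday() == weekday) and start <= now.time() < end:
            return True
    return False


def next_window_start(env: str, now: datetime) -> datetime:
    """`now` if a window is open, else the earliest opening within 8 days."""
    if in_window(env, now):
        return now
    candidates = []
    for day in range(8):
        base = (now + timedelta(days=day)).date()
        for weekday, start, _ in REBOOT_WINDOWS[env]:
            candidate = datetime.combine(base, start)
            if candidate >= now and (weekday is None or candidate.weekday() == weekday):
                candidates.append(candidate)
    if not candidates:
        raise RuntimeError(f"no reboot window configured for {env}")
    return min(candidates)


def after_upgrade(env: str, reboot_required: bool, now: datetime, marker: str) -> dict:
    """Step after the package upgrade: continue, reboot now, or defer and leave a marker."""
    if not reboot_required:
        return {"action": "continue"}
    when = next_window_start(env, now)
    with open(marker, "w") as f:
        f.write(when.isoformat())  # survives a crash; the timer re-reads it
    return {"action": "reboot-now" if when == now else "reboot-at", "at": when.isoformat()}


def after_boot(marker: str, boot_ok: bool) -> str:
    """Run once userspace is healthy: clear the marker only on a successful boot."""
    if boot_ok and os.path.exists(marker):
        os.remove(marker)
        return "marker-cleared"
    return "marker-kept" if os.path.exists(marker) else "no-marker"


def demo_cycle(env: str, now_iso: str, reboot_required: bool = True) -> dict:
    """One full cycle on a throwaway marker path: decision, marker state, clean-up."""
    import tempfile
    marker = os.path.join(tempfile.mkdtemp(), "reboot-pending")  # assumed name
    now = datetime.fromisoformat(now_iso)
    decision = after_upgrade(env, reboot_required, now, marker)
    decision["marker_written"] = os.path.exists(marker)
    decision["after_boot"] = after_boot(marker, boot_ok=True)
    return decision


if __name__ == "__main__":
    # 2024-05-06 is a Monday, 14:30 is outside every window above.
    for env in REBOOT_WINDOWS:
        print(env, demo_cycle(env, "2024-05-06T14:30:00"))
```

The "Run Only During Allowed Windows" check in the diagram is the same `in_window` test applied before `apt update` rather than after it; a deployment that also wants to hold back kernel or bootloader packages would add that filter at the upgrade step, not here.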
4. Logging & Auditability
Balancing privacy and operational transparency, NetAccel’s logging policy follows these principles:
- Sensitive runtime information is written to log directories on the encrypted partition (e.g., /var/log/netaccel).
- Beacon/Liaison records upload only essential device status, never user traffic details.
- An optional “extended logging mode” is available for operators to temporarily enable during network troubleshooting.
For doctors, schools, and research institutions, this design ensures that:
- It’s possible to prove the device was “operating normally” during a given period.
- Issues can be diagnosed without inspecting actual user content.
- Even if stolen, logs won’t reveal traffic or usage details.
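Two of the principles above can be enforced in code rather than by convention: the beacon payload can be built from an allowlist so traffic-derived fields never leave the device, and the status records can be hash-chained so that an operator can later show the sequence of "operating normally" reports is complete and unaltered. The block below is an added illustration of both, not NetAccel's beacon client or log format; the field names, the blocked-field list and the chain layout are assumptions.

```python
"""Allowlisted beacon payloads and a hash-chained audit trail
(illustration, not NetAccel's code)."""
import hashlib
import json

# Assumed field names. Only these may be reported to Liaison.
BEACON_FIELDS = {"unique_id", "uptime_s", "fw_version", "last_update", "wan_up", "client_count"}
# Fields that describe user activity: their presence is a bug, so fail loudly.
NEVER_UPLOAD = {"dns_queries", "visited_hosts", "client_macs", "flow_log"}

GENESIS = "0" * 64


def build_beacon_payload(status: dict) -> dict:
    """Keep allowlisted fields, drop unknown ones, refuse traffic-derived ones."""
    forbidden = set(status) & NEVER_UPLOAD
    if forbidden:
        raise ValueError(f"refusing to upload traffic-derived fields: {sorted(forbidden)}")
    return {k: status[k] for k in sorted(status) if k in BEACON_FIELDS}


def _entry_hash(ts_iso: str, payload: dict, prev: str) -> str:
    body = json.dumps({"ts": ts_iso, "payload": payload, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    """Append-only list of beacon payloads; each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []

    def append(self, ts_iso: str, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(ts_iso, payload, prev)
        self.entries.append({"ts": ts_iso, "payload": payload, "prev": prev, "hash": h})
        return h

    def verify(self) -> int:
        """Index of the first broken entry, or -1 if the whole chain checks out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _entry_hash(e["ts"], e["payload"], e["prev"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def demo() -> dict:
    """Build a short chain from constructed status samples, then tamper with it."""
    log = AuditLog()
    samples = [
        ("2024-05-06T03:00:00", {"unique_id": "abc123", "uptime_s": 3600, "wan_up": True,
                                 "client_count": 4, "cpu_temp": 51}),      # cpu_temp dropped
        ("2024-05-06T04:00:00", {"unique_id": "abc123", "uptime_s": 7200, "wan_up": True,
                                 "client_count": 5}),
    ]
    for ts, status in samples:
        log.append(ts, build_beacon_payload(status))
    result = {"fields": sorted(log.entries[0]["payload"]), "intact": log.verify()}
    try:
        build_beacon_payload({"unique_id": "abc123", "visited_hosts": ["example.test"]})
    except ValueError as e:
        result["rejected"] = str(e)
    log.entries[1]["payload"]["wan_up"] = False   # rewrite history: WAN was "up" at 04:00
    result["tampered"] = log.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

The chain only proves something if its head hash leaves the device: including the latest entry hash in each beacon upload lets the dashboard detect a rewritten or truncated local log later, while the entries themselves stay on the encrypted partition.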