Does anybody want to brainstorm about securing hidden services? Here's my ideal setup. You need two dedicated servers. One is the workstation and the other is the gateway. The workstation hosts the web and database servers. It runs the web site. The gateway hosts two Tor clients. One client is directed at the SOCKS port of the other client, so its Tor circuits run through the other client's Tor circuits. The gateway has two network interface cards. One is connected to the internet, the other is connected via a crossover Ethernet cable to the workstation. The workstation can only access the internet through the gateway. The gateway contains iptables rules to force all connections from the workstation over Tor. That way, even if the workstation is pwned, the attacker can't determine the IP address. Running Tor over Tor makes certain attacks on hidden service entry guards harder.

Both servers run security-hardened kernels with patches like TRESOR to put encryption keys in CPU registers instead of RAM. They use full disk encryption and SELinux or AppArmor with strict access control policies. I haven't found a good example of how to do this, but I would prefer to booby trap the cases with a special lock. A specific key or code must be entered. If the case is opened any other way, it initiates a shutdown sequence that scrambles RAM and overwrites the first gigabyte of the hard disk, destroying the encryption key. Alternatively, the key could be stored in the TPM, but I don't know how safe that is. Hardware manufacturers may provide backdoors for LE.

All of this is set up in a secure, private location and the servers are shipped to the data center. The technician simply installs the servers in a rack, connects the Ethernet cables and turns them on. What am I missing? How could this be made safer?
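The gateway-side "force everything from the workstation over Tor" layer described in the post, as an added example that is not part of the original post or of any project's code. It assumes (all constructed for the example) that the gateway's internet-facing card is eth0, the crossover link to the workstation is eth1 with the gateway at 10.152.152.10 and the workstation at 10.152.152.11, that the gateway's Tor daemon runs as the debian-tor user and exposes TransPort 9040 and DNSPort 5353 on the eth1 address, and that the hidden service forwards port 80 to the workstation. The script only emits the torrc and iptables lines (run `gen_iptables | sh` as root on the gateway to apply them) and includes a self-check that no rule accepts workstation traffic to anything but the two Tor ports. The Tor-over-Tor chaining from the post is not shown; this is the single-client transparent-proxy layer.

```shell
#!/bin/sh
# Added example: gateway rules that let the workstation reach the outside
# world only through the gateway's Tor client (transparent proxying).
# Interface names, addresses, ports and paths are constructed assumptions.
INET_IF="eth0"                 # internet-facing NIC
WS_IF="eth1"                   # crossover link to the workstation
GW_WS_ADDR="10.152.152.10"     # gateway address on the crossover link
WS_ADDR="10.152.152.11"        # workstation address
TOR_TRANS_PORT="9040"          # Tor TransPort on the gateway
TOR_DNS_PORT="5353"            # Tor DNSPort on the gateway
TOR_UID="debian-tor"           # system user the Tor daemon runs as
HS_DIR="/var/lib/tor/hidden_service/"   # assumed hidden service directory

# torrc fragment for the gateway's Tor client: intercepted TCP goes to
# TransPort, DNS to DNSPort, and the hidden service points at the
# workstation's web server over the crossover link.
gen_torrc() {
    cat <<EOF
TransPort ${GW_WS_ADDR}:${TOR_TRANS_PORT}
DNSPort ${GW_WS_ADDR}:${TOR_DNS_PORT}
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
HiddenServiceDir ${HS_DIR}
HiddenServicePort 80 ${WS_ADDR}:80
EOF
}

# iptables rules: default-deny on every chain, then open exactly the paths
# needed. Workstation TCP is redirected into TransPort and its DNS into
# DNSPort; only the Tor daemon may leave via the internet NIC; nothing is
# forwarded between the two interfaces, so a compromised workstation has
# no non-Tor route out. Dropped attempts are rate-limited into the log so
# a leak attempt from the workstation is visible.
gen_iptables() {
    cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i ${WS_IF} -s ${WS_ADDR} -p udp --dport 53 -j REDIRECT --to-ports ${TOR_DNS_PORT}
iptables -t nat -A PREROUTING -i ${WS_IF} -s ${WS_ADDR} -p tcp --syn -j REDIRECT --to-ports ${TOR_TRANS_PORT}
iptables -A INPUT -i ${WS_IF} -s ${WS_ADDR} -p tcp --dport ${TOR_TRANS_PORT} -j ACCEPT
iptables -A INPUT -i ${WS_IF} -s ${WS_ADDR} -p udp --dport ${TOR_DNS_PORT} -j ACCEPT
iptables -A OUTPUT -o ${INET_IF} -m owner --uid-owner ${TOR_UID} -p tcp -j ACCEPT
iptables -A OUTPUT -o ${WS_IF} -d ${WS_ADDR} -p tcp --dport 80 -m owner --uid-owner ${TOR_UID} -j ACCEPT
iptables -A INPUT -i ${WS_IF} -m limit --limit 5/min -j LOG --log-prefix "ws-leak-attempt: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "gw-egress-dropped: "
EOF
}

# Self-check before trusting the ruleset: every ACCEPT for traffic arriving
# on the workstation interface must target one of the two Tor ports, and
# no rule may forward between interfaces. Exit status 0 means clean.
check_no_leak_path() {
    gen_iptables | awk -v ws="$WS_IF" -v tp="$TOR_TRANS_PORT" -v dp="$TOR_DNS_PORT" '
        / -A FORWARD / { print "forward rule present: " $0; bad = 1 }
        $0 ~ ("-i " ws) && / -j ACCEPT/ && $0 !~ ("--dport " tp) && $0 !~ ("--dport " dp) {
            print "non-Tor accept from workstation: " $0; bad = 1 }
        END { exit bad }'
}
```

The REDIRECT targets in the nat PREROUTING chain rewrite the destination port before the filter INPUT chain sees the packet, which is why the INPUT accepts match on the Tor ports rather than on the original destinations. The `--uid-owner` match on OUTPUT is what keeps any other process on the gateway, including anything an attacker manages to start there, from sending directly to the internet.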