A project to sum up all the steps I take to get a root CA for my gnupg keys. The system is based on alpineOS.

GnuPG root

To get the whole gpg thing working, you should use an offline computer. This system needs to be kept safe; it generates and/or stores your master key. From this system you also issue the subkeys that you use on a daily basis. Most people do not have a lot of spare hardware lying around that they would dedicate to this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.

Prerequisites

  1. small embedded Linux powered device
  2. easily available and widely used platform
  3. security-oriented OS
  4. offline
  5. read-only (RO) system
  6. persistence with overlay
  7. possible file integrity checks
  8. USB-A connector(s) for the GNUK token / SmartCard reader

terminal user interface

main page - overview

  1. Integrity OK/Fail
  2. /root filesystem
  3. user config
  4. .gnupg path
  5. rootCA/MasterKey SmartCard/GNUK available
  6. user SmartCard/GNUK available
  7. RNG status
  8. RTC/Time/Date status
  9. key expiry failure/warning
  10. key length failure/warning (BSI recommendation)
  11. revocation certificate available
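A check for items 9 and 10 of the overview, added here as an example and not code from the repository: it parses gpg's machine-readable colon output and flags keys that are expired, expiring within a warning window, or shorter than the BSI TR-02102-1 minimums, which it assumes to be 3000 bits for RSA/DSA/Elgamal and 250 bits for elliptic-curve keys.

```shell
#!/bin/sh
# Key expiry / key length check for the TUI overview (added example, not
# code from the repository).  Reads `gpg --with-colons --list-keys` records
# on stdin.  Colon fields used: 1 record type, 3 key length in bits,
# 4 algorithm id (RFC 4880), 5 key id, 7 expiry as epoch seconds (empty =
# no expiry set).  Args: now as epoch seconds (default: current time),
# warning window in days (default 30).  Exit: 0 ok, 1 warnings, 2 failures.
check_keys() {
    now="${1:-$(date +%s)}"
    warn_days="${2:-30}"
    awk -F: -v now="$now" -v warn_days="$warn_days" '
    $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
        keyid = $5; bits = $3 + 0; algo = $4 + 0; expiry = $7
        # Assumed BSI TR-02102-1 minimums: 3000 bit for RSA (1,2,3),
        # Elgamal (16) and DSA (17); 250 bit for EC algorithms (18,19,22).
        if (algo == 1 || algo == 2 || algo == 3 || algo == 16 || algo == 17) { minbits = 3000 } else { minbits = 250 }
        if (bits < minbits) { printf "FAIL length %s %d bits (min %d)\n", keyid, bits, minbits; fails++ }
        if (expiry == "") {
            printf "WARN expiry %s none set\n", keyid; warns++
        } else if (expiry + 0 <= now) {
            printf "FAIL expiry %s expired\n", keyid; fails++
        } else if (expiry - now < warn_days * 86400) {
            printf "WARN expiry %s in %d days\n", keyid, int((expiry - now) / 86400); warns++
        }
    }
    END { if (fails) exit 2; if (warns) exit 1; exit 0 }'
}

# Constructed sample records (not real keys): a 4096-bit RSA primary key,
# a 2048-bit RSA subkey expiring in 11 days and an EdDSA subkey without expiry.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC:
sub:u:2048:1:FEDCBA9876543210:1600000000:1691000000:::::e:
sub:u:255:22:1111222233334444:1600000000::::::s:'

# Run the check against the sample at a fixed point in time (2023-07-22).
demo() {
    printf '%s\n' "$SAMPLE" | check_keys 1690000000 30
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the device itself, `gpg --with-colons --list-keys | check_keys` gives the live result; the exit status maps directly onto the OK/warning/failure states of the overview.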

00-preparation

  1. format sd card with 3 partitions
  2. MBR 'msdos'
  3. 256MB FAT32 for /boot partition
  4. 2GB ext4 for overlay
  5. extract image: tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner
  6. edit cmdline.txt
  7. create usercfg.txt
  8. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip, libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils} ) [70MB]
  9. connect UART TX/RX/GND to pin 8/10/6 green/white/black
  10. boot rpi
  11. mount second partition to folder /media/mmcblk0p2
  12. change /etc/lbu/lbu.conf
  13. run setup-alpine ( rc- add wpa_supplicant boot [confirm])
  14. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default rc- -u [confirm])
  15. add community repo (ccid, opensc)
  16. rc- del acpid default (arm only)

persistent /usr

  1. dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152
  2. apk add e2fsprogs
  3. mkfs.ext4 /media/mmcblk0p2/persist.img
  4. echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
  5. mkdir /media/persist
  6. mount -a
  7. mkdir /media/persist/usr
  8. mkdir /media/persist/.work
  9. echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab
  10. mount -a
  11. lbu commit
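The persistent /usr steps above as a re-runnable script, added here as an example (not the repository's own script): it assumes the page's paths and the 2 GiB image size, and appends the fstab entries only once, so it can be run again after the generic image upgrade, where the .work and usr folders and the mount of /usr have to be restored.

```shell
#!/bin/sh
# Persistent /usr overlay setup (added example, not the repository's script).
# Safe to run repeatedly: every step checks whether it was done already.
set -eu

PERSIST_IMG="${PERSIST_IMG:-/media/mmcblk0p2/persist.img}"
PERSIST_DIR="${PERSIST_DIR:-/media/persist}"
FSTAB="${FSTAB:-/etc/fstab}"
IMG_SIZE_KB=2097152   # 2 GiB sparse image, as in the page's dd command

# Append a line to an fstab file only if that exact line is not there yet.
# Prints "added" or "present" so callers (and tests) can tell what happened.
ensure_fstab_entry() {
    fstab="$1"; entry="$2"
    if grep -qxF -- "$entry" "$fstab" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$entry" >> "$fstab"
        echo added
    fi
}

# Mount a path from fstab only if nothing is mounted there yet.
ensure_mounted() {
    mountpoint -q "$1" || mount "$1"
}

setup_persist() {
    # Sparse image plus ext4 filesystem, only on the very first run.
    if [ ! -f "$PERSIST_IMG" ]; then
        dd if=/dev/zero of="$PERSIST_IMG" bs=1024 count=0 seek="$IMG_SIZE_KB"
        mkfs.ext4 "$PERSIST_IMG"
    fi
    mkdir -p "$PERSIST_DIR"
    ensure_fstab_entry "$FSTAB" "$PERSIST_IMG $PERSIST_DIR ext4 rw,relatime,errors=remount-ro 0 0"
    ensure_mounted "$PERSIST_DIR"
    # upperdir and workdir must be on the same filesystem, i.e. inside the image
    mkdir -p "$PERSIST_DIR/usr" "$PERSIST_DIR/.work"
    ensure_fstab_entry "$FSTAB" "overlay /usr overlay lowerdir=/usr,upperdir=$PERSIST_DIR/usr,workdir=$PERSIST_DIR/.work 0 0"
    ensure_mounted /usr
    mountpoint -q /usr        # fail loudly if the overlay did not come up
    lbu commit                # persist the fstab change in the apkovl
}

if [ "${1:-}" = "--apply" ]; then setup_persist; fi
```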

rng

  • the kernel has hwrng support (CONFIG_HW_RANDOM_BCM2835=y)
  • haveged speeds up the random process to 40 seconds
  • with rngd it takes 52 seconds
  • an added BT4.0 USB adapter brings this down to 20 seconds
  • an added USB stick brings this down to 5 seconds
  • lbu include /var/lib/misc/random-seed [needs confirm]

rtc

  • a ds3231 is added to the i2c pins and works thanks to the added 'dtoverlay=i2c-rtc,ds3231': [ 29.896261] rtc-ds1307 1-0068: registered as rtc0
  • a glibc POSIX API change leads to a hwclock OpenRC bug (https://github.com/OpenRC/openrc/issues/352); CONFIG_RTC_HCTOSYS is not set

encrypted container (encrypted storage)

```sh
apk add cryptsetup
fallocate -l 20M /media/mmcblk0p2/PRIVATE         # the author notes a minimum of 20MB; 10MB is too small for the LUKS header
cryptsetup -v luksFormat /media/mmcblk0p2/PRIVATE # takes some seconds; use a secure passphrase
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mkfs -t ext4 /dev/mapper/private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
# create the key directories inside the container while it is mounted
mkdir -p /mnt/private_file/user/.gnupg /mnt/private_file/root/.gnupg
chmod 750 /mnt/private_file/user
chown user:user /mnt/private_file/user/.gnupg
# point both home directories at the container
ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg
ln -s /mnt/private_file/root/.gnupg /root/.gnupg
# unmount and close the container (gpg-agent keeps files in .gnupg open)
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```

edit /etc/mdev.conf for usb tokens [ToDo] killall gpg-agent

mount encrypted container

```sh
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file
# unmount and close file
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```
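The open/close sequence as a small script, added here as an example and not part of the repository. Paths follow the page (PRIVATE on the second partition, mapper private_file, mount point /mnt/private_file); `gpgconf --kill gpg-agent` stands in for `killall gpg-agent`, and DRY_RUN=1 prints the commands instead of running them, which otherwise needs root.

```shell
#!/bin/sh
# Open / close the LUKS container holding the .gnupg directories and report
# its state for the overview page (added example, not the repository's script).
set -eu
CONTAINER="${CONTAINER:-/media/mmcblk0p2/PRIVATE}"
MAPPER="${MAPPER:-private_file}"
MNT="${MNT:-/mnt/$MAPPER}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

private_open() {
    run cryptsetup -v luksOpen "$CONTAINER" "$MAPPER"
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$MAPPER" "$MNT"
}

# Order matters: gpg-agent keeps files under .gnupg open, so stop it first;
# the filesystem must be unmounted before the mapping can be closed.
private_close() {
    run gpgconf --kill gpg-agent || true   # nothing to kill on first use
    run umount "$MNT"
    run cryptsetup luksClose "$MAPPER"
}

# State for the overview page: closed (no mapping), open (mapped, not
# mounted, e.g. after a failed umount) or mounted.
private_status() {
    if mountpoint -q "$MNT" 2>/dev/null; then echo mounted
    elif [ -e "/dev/mapper/$MAPPER" ]; then echo open
    else echo closed; fi
}

case "${1:-}" in
    open)   private_open ;;
    close)  private_close ;;
    status) private_status ;;
esac
```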

kernel update [inProgress]

related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980

```text
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
gnupg-root:/media/mmcblk0p2# cd modloopfs/
gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-rpi
Parallel unsquashfs: Using 1 processor
1814 inodes (2087 blocks) to write
created 1814 files
created 359 directories
created 0 symlinks
created 0 devices
created 0 fifos
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount | grep modloop
/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx    1 root     root            17 Jan  1  1970 /lib/modules -> /.modloop/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx    1 root     root            48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules
```

```sh
mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
apk add linux-rpi
```

generic image upgrade

[offline]

  1. extract original image to first partition
  2. restore cmdline.txt and usercfg.txt
  3. [root] delete the cache folder from the overlay partition
     • in case of a folder: delete /usr from the overlay
     • in case of an image:
       rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715
       mkfs.ext4 persist.img

[online]

  1. recreate .work folder under /media/persist
  2. recreate usr folder under /media/persist
  3. mkdir /mnt/private_file
  4. check mountpoint for /usr | mount /usr
  5. fix the repository
  6. fix the network interface
  7. apk update
  8. apk upgrade
  9. 're-add' installed packages [e.g. 00-preparation]
  10. remount /media/mmcblk0p1 rewritable
  11. mount -o rw,remount /media/mmcblk0p1/
  12. cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf
  13. lsblk
  14. ln -s /media/mmcblk0p1/boot boot
  15. mkinitfs
  16. reboot without lbu commit

fast major release update

  1. delete content of first partition
  2. extract original image to first partition
  3. restore cmdline.txt and usercfg.txt
     • cmdline.txt: modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200
     • usercfg.txt
  4. delete the cache folder from the overlay
  5. boot RPI zero
  6. change /etc/apk/repositories
  7. lbu commit
  8. reboot
  9. apk update
  10. apk upgrade
  11. reboot

generic minor (to install it into ram)

  1. apk
  2. apk upgrade
  3. lbu commit

1.44" OLED and button

create an overlay for /usr, otherwise space is missing: https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working, fbtft module missing]

```sh
apk add python2        # obsolete
apk add build-base     # binary is built for rpi3 // ToDo
sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))
vi /etc/modprobe.d/fbtft.conf
# content of /etc/modprobe.d/fbtft.conf:
options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128
```

python approach

```sh
pip install --user RPi.GPIO
pip install --user spidev
```

modern kernel approach

```sh
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
apk add raspberrypi-dev
```

nitrokey

```sh
apk add py-pip build-base python3-dev py3-wheel   # [240Mb]
apk add libffi-dev                                # [7Mb]
apk add openssl-dev rust cargo                    # [337Mb]
#pip install --user setuptools_rust
apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
apk add py3-pep517 py3-cryptography
# see https://cryptography.io/en/latest/installation/
reboot
lbu inc /home
lbu inc /root
pip3 install --user wheel
pip3 install --user pynitrokey   # takes about 35 min; can fail due to no space left on device, but cbor fails nevertheless
```

  • fix $PATH to /root/.local/bin in /etc/profile
  • need mdev/udev rules to grant access for user
  • libudev-zero is a replacement, which is needed for pcscd

ToDo

  • tmux
  • camera to scan QR code
  • predefine common action scheme
  • general reconsideration of usefulness

  • https://github.com/hashbang/airgap
  • https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
  • https://vincentserpoul.github.io/post/alpine-linux-rpi0/