# GnuPG root
To get the whole GnuPG setup working, you should use an offline computer. This system needs to be kept safe and usually generates and/or stores your master key. From this system you would also provide the subkeys that you use on a daily basis.
Most people do not have a lot of hardware lying around that they would dedicate to this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
# Prerequisites
1. small embedded Linux-powered device
2. easily available and widely used platform
3. security-oriented OS
4. offline update
5. read-only (RO) system
6. persistence with overlay
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard reader
# terminal user interface
## main page - overview
1. Integrity OK/Fail
    1. /root filesystem
    2. user config
    3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key expiry failure/warning
7. Key length failure/warning (BSI recommendation)
8. revocation certificate available
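The "Integrity OK/Fail" items above need a manifest to compare against. The following is an added example, not code from these notes: a sha256 manifest builder and checker in POSIX sh, which is what the overview line per path (root filesystem, user config, .gnupg) could be driven by. The manifest directory layout (`LABEL.sha256`, stored where the checked tree cannot modify it) and the `LABEL=PATH` argument form are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: a sha256 manifest check of the
# kind the "Integrity OK/Fail" items describe. Assumed layout: each checked
# path (root filesystem, user config, .gnupg) gets one manifest file, kept
# somewhere the checked path cannot modify (the read-only root, or the token).
set -u

# Print a reproducible manifest of every regular file below $1.
# Paths are sorted bytewise so the same tree always yields the same manifest.
integrity_build() {
    dir=$1
    (cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum)
}

# Compare directory $1 against manifest $2.
# Prints OK and returns 0 when every file matches and nothing was added or
# removed; otherwise prints FAIL, sends the differing lines to stderr, returns 1.
integrity_check() {
    dir=$1
    manifest=$2
    current=$(integrity_build "$dir")
    if [ "$current" = "$(cat "$manifest")" ]; then
        echo OK
        return 0
    fi
    echo FAIL
    printf '%s\n' "$current" | diff "$manifest" - >&2 || true
    return 1
}

# One overview line per checked path, in the form the main page lists them:
#   integrity_overview MANIFEST_DIR LABEL=PATH [LABEL=PATH ...]
# Returns 1 if any path failed, so the caller can colour the page accordingly.
integrity_overview() {
    manifest_dir=$1
    shift
    rc=0
    for entry in "$@"; do
        label=${entry%%=*}
        path=${entry#*=}
        state=$(integrity_check "$path" "$manifest_dir/$label.sha256" 2>/dev/null) || rc=1
        printf '%-16s %s\n' "$label" "$state"
    done
    return $rc
}
```

Build the manifests once from a known-good state (for example `integrity_build /root/.gnupg > /media/token/gnupg.sha256`) and let the overview page call `integrity_overview /media/token gnupg=/root/.gnupg ...` on every start. Added or removed files show up as FAIL too, because the manifest is compared as a whole rather than file by file.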
# Links
https://vincentserpoul.github.io/post/alpine-linux-rpi0/
## 00-preparation
1. format the SD card with 3 partitions
    1. MBR 'msdos'
    2. 256MB FAT32 for the /boot partition
    3. 2GB ext4 for the overlay
2. extract the image: `tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner`
3. edit cmdline.txt
4. create usercfg.txt
5. prepare /cache with useful apks (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, ccid, opensc, tmux, htop, exfat-utils, cryptsetup, mkinitfs)
6. connect UART TX/RX/GND to pins 8/10/6
7. boot the RPi
8. mount the second partition to the folder /media/mmcblk0p2
9. change /etc/lbu/lbu.conf
10. run setup-alpine (`rc-update add wpa_supplicant boot` [confirm])
11. fix chrony and rtc (`rc-update add hwclock boot`, `rc-update -u` [confirm])
12. add the community repo (ccid, opensc)
13. `rc-update del acpid default` (arm only)
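Steps 4 and 9 above only name the files. As an added example (not from these notes), here is a small POSIX sh script that writes them idempotently, so it can be re-run after an `lbu` restore without duplicating lines. The `dtoverlay=i2c-rtc,ds3231` line is the one the rtc section below uses; `enable_uart=1`, `dtparam=i2c_arm=on` and `LBU_MEDIA=mmcblk0p2` are assumptions of this example for this board and partition layout, not values the notes state.

```shell
#!/bin/sh
# Added example, not part of the original notes: the two small config files
# from steps 4 and 9, written idempotently. The dtoverlay line comes from the
# rtc section; the other values are assumptions for this setup.
set -u

# Append $2 to file $1 unless an identical line is already there.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# usercfg.txt lives on the FAT32 boot partition ($1) and is included by
# Alpine's config.txt. enable_uart=1 exposes the serial console on header
# pins 8/10 (assumed); the i2c lines are for the DS3231 RTC.
configure_boot() {
    boot=$1
    ensure_line "$boot/usercfg.txt" "enable_uart=1"
    ensure_line "$boot/usercfg.txt" "dtparam=i2c_arm=on"
    ensure_line "$boot/usercfg.txt" "dtoverlay=i2c-rtc,ds3231"
}

# Point lbu at the second partition (mounted at /media/mmcblk0p2 in step 8)
# so `lbu commit` stores the apkovl there instead of on the boot partition.
# $1 is the target /etc; it is a parameter only so the function can be tested.
configure_lbu() {
    etc=$1
    mkdir -p "$etc/lbu"
    ensure_line "$etc/lbu/lbu.conf" "LBU_MEDIA=mmcblk0p2"
}
```

On the device itself this is `configure_boot /media/mmcblk0p1` and `configure_lbu /etc`. `ensure_line` only checks for an identical line, so an existing `LBU_MEDIA=usb` entry is not replaced; since lbu.conf is sourced as shell, the last assignment wins, but it is cleaner to remove the old line first.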
## rng

The kernel has hwrng support (CONFIG_HW_RANDOM_BCM2835=y).

haveged speeds up the random process to 40 seconds.

rngd speeds it up to 52 seconds.

An added BT4.0 USB adapter speeds it up to 20 seconds.

An added USB stick speeds it up to 5 seconds.

lbu include /var/lib/misc/random-seed [needs confirm]
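The timings above come from waiting on the kernel pool. As an added example (not from these notes), the following POSIX sh functions implement the "RNG status" line of the overview page from what the kernel exposes, and the measurement that produces numbers like the 40/52/20/5 seconds above. The 256-bit threshold and the `/proc` and `/sys` paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: the "RNG status" overview
# item, plus the measurement behind the timings in the rng section, using
# only what the kernel exposes. Threshold and file paths are assumptions.
set -u

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
HWRNG_FILE=/sys/class/misc/hw_random/rng_current

# Classify an entropy_avail reading in bits: below 256 bits the pool is
# considered too low to start key generation (assumed threshold).
rng_classify() {
    if [ "$1" -lt 256 ]; then echo LOW; else echo OK; fi
}

# Name of the hardware RNG the kernel is currently feeding from, or "none"
# when the sysfs node is absent (no hwrng driver bound).
rng_hwrng() {
    if [ -r "$HWRNG_FILE" ] && [ -s "$HWRNG_FILE" ]; then
        cat "$HWRNG_FILE"
    else
        echo none
    fi
}

# Seconds needed to read $1 bytes from /dev/random. This is what the haveged,
# rngd and USB-device numbers measure; on kernels with a blocking /dev/random
# the call waits until the pool has refilled.
rng_time_bytes() {
    start=$(date +%s)
    head -c "$1" /dev/random > /dev/null
    echo $(( $(date +%s) - start ))
}

# One-line status as the overview page would show it.
rng_status() {
    if [ -r "$ENTROPY_FILE" ]; then
        bits=$(cat "$ENTROPY_FILE")
        printf 'RNG: %s (%s bits, hwrng: %s)\n' "$(rng_classify "$bits")" "$bits" "$(rng_hwrng)"
    else
        printf 'RNG: UNKNOWN (no %s)\n' "$ENTROPY_FILE"
    fi
}
```

`rng_time_bytes 4096` before and after starting haveged or rngd reproduces the comparison above on the same board; `rng_status` is what the overview page prints. Note that kernels from 5.6 on no longer block /dev/random once the pool is initialised, so on such a kernel the measured time collapses to zero and the `entropy_avail` reading stays at a fixed value.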
## rtc

A DS3231 is attached to the I2C pins and works thanks to the added `dtoverlay=i2c-rtc,ds3231`:

```text
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
```

A glibc POSIX API change leads to the hwclock OpenRC bug: https://github.com/OpenRC/openrc/issues/352

CONFIG_RTC_HCTOSYS is not set.
## encrypted container (encrypted storage)

```sh
# create a 100 MB file to hold the LUKS container
fallocate -l 100MB PRIVATE
# format it as LUKS; use a secure passphrase
cryptsetup -v luksFormat PRIVATE
# open the container; the plaintext side appears as /dev/mapper/private_file
cryptsetup -v luksOpen PRIVATE private_file
# only once, right after luksFormat: put a filesystem on the mapped device,
# otherwise the mount below fails (e2fsprogs is in the apk list above)
mkfs.ext4 /dev/mapper/private_file
# mount it
mkdir -p /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
# unmount and close the container
umount /mnt/private_file
cryptsetup luksClose private_file
```
### links

https://github.com/hashbang/airgap