formatting

This commit is contained in:
coelner 2022-12-31 09:06:45 +01:00
parent d1f72ce4a0
commit 34649eeff9

@ -3,7 +3,7 @@ To get the hole gpg thing working, you should use a offline computer. This syste
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
# Prerequisites
## Prerequisites
1. small embedded linux powered device
2. easily available and widely used platform
@ -14,9 +14,9 @@ Most people do not have laying around a lot of hardware, which the would spend u
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard Reader
# terminal user interface
## terminal user interface
## main page - overview
### main page - overview
1. Integrity OK/Fail
1. /root filesystem
@ -30,8 +30,6 @@ Most people do not have laying around a lot of hardware, which the would spend u
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available
# Links
[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]
## 00-preparation
1. format sd card with 3 partitions
@ -109,12 +107,14 @@ edit /etc/mdev.conf for usb tokens [ToDo]
killall gpg-agent
#mount encrypted container
```
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file
--Umount and close file
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```
##kernel update [inProgress]
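Review bot: inside the newly fenced block, `--Umount and close file` is a prose remark rather than a shell comment, so the shell tries to execute it when the block is pasted as is; write it as `# unmount and close file`. The `#mount encrypted container` label is left outside the fence, and the `##kernel update [inProgress]` heading below still lacks the space after `##` that this commit adds to other headings.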
@ -152,28 +152,29 @@ apk add linux-rpi
[offline]
1. extract original image to first partion
2. restore cmdline and usercfg.txt
[root] delete from overlay partition the cache folder
- [root] delete from overlay partition the cache folder
1. in case of a folder (delete from overlay the /usr)
2. in case of an image
- `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
- `mkfs.ext4 persist.im`
- `mkfs.ext4 persist.img`
[online]
1. recreate .work folder under /media/persist
2. recreate usr folder under /media/persist
3. `mkdir /mnt/private_file
3. `mkdir /mnt/private_file`
4. check mountpoint for /usr | mount /usr
5. fix the repository
6. fix the network interface
7. apk update
8. apk upgrade
9. 're-add' installed packages [e.g. 00-preparation]
10. `remount /media/mmcblk0p1 rewritable`
10. remount /media/mmcblk0p1 rewritable
11. `mount -o rw,remount /media/mmcblk0p1/`
12. `cp apk to /media/mmcblk0p1/apk/armh`
-lsblk
-mkinitfs
reboot without lbu commit
12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
13. `lsblk`
14. `ln -s /media/mmcblk0p1/boot boot`
15. `mkinitfs`
16. reboot without lbu commit
## fast major release update
1. delete content of first partition
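Review bot: new step 14, `ln -s /media/mmcblk0p1/boot boot`, uses a relative link name, and step 12 has just done `cd /media/mmcblk0p2/cache`, so when the steps are followed in order the symlink is created inside the cache directory. Give the link name as an absolute path so the step does not depend on the working directory. Step 10 is now a plain-text duplicate of step 11 and could be merged into it, and `[offline]` and `[online]` stay unformatted next to the new `- [root]` bullet.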
@ -190,13 +191,13 @@ reboot without lbu commit
10. apk upgrade
11. reboot
##generic minor (to install it into ram)
## generic minor (to install it into ram)
1. apk
2. apk upgrade
3. lbu commit
## 1.44" OLED and button
#create a overlay for /usr otherwise space is missing
create a overlay for /usr otherwise space is missing
https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working fbtft module mossing]
apk add python2 #obsolete
apk add build-base #binary is build for rpi3
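Review bot: dropping the `#` from `create a overlay for /usr otherwise space is missing` stops it being read as a heading, but the `apk add` lines right under it are still unfenced, unlike the nitrokey section that this commit fences. Wrap them in a code block, and change "a overlay" to "an overlay" while the line is being touched.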
@ -210,13 +211,14 @@ pip install --user RPi.GPIO
pip install --user spidev
##modern kernel approach
## modern kernel approach
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
apk add raspberrypi-dev
## nitrokey
```
apk add py-pip build-base python3-dev py3-wheel [240Mb]
apk add libffi-dev [7Mb]
apk add openssl-dev rust cargo [337Mb]
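Review bot: the fence opened under `## nitrokey` now encloses the size annotations `[240Mb]`, `[7Mb]` and `[337Mb]` on the `apk add` lines, which are passed to apk as extra arguments if the block is copied as is. Put them behind a `#` so they are shell comments.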
@ -229,7 +231,8 @@ lbu inc /home
lbu inc /root
pip3 install --user wheel
pip3 install --user pynitrokey [takes about 35min, can fail due missing space left on device, but cbor fails nevertheless]
```
#fix $PATH to /root/.local/bin in /etc/profile
#need mdev/udev rules to grant access for user
#libudev-zero is a replacement, which is needed for pcscd
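Review bot: the closing fence lands before `#fix $PATH to /root/.local/bin in /etc/profile` and the `#` lines after it, leaving those notes in the same `#text` form that this commit removed from the OLED section. Turn them into a plain list so the section is formatted consistently.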
@ -241,5 +244,6 @@ lbu inc /root
#general reconsideration of usefulness
### links
https://github.com/hashbang/airgap
https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
[https://github.com/hashbang/airgap]
[https://riseup.net/de/security/message-security/openpgp/gpg-best-practices]
[https://vincentserpoul.github.io/post/alpine-linux-rpi0/]
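Review bot: wrapping the three URLs as `[https://...]` is not Markdown link syntax; with no `(target)` after it the brackets show up literally around the address. Use `<https://github.com/hashbang/airgap>` style autolinks or `[title](url)`, one per list item, so the links do not run together into a single paragraph.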