This commit is contained in:
coelner 2020-09-10 18:02:20 +02:00
commit be19c89568
2 changed files with 96 additions and 0 deletions

10
00-initial.sh Executable file

@ -0,0 +1,10 @@
#!/usr/bin/env bash
echo $1
sudo parted --script -a optimal $1 \
mkpart primary fat32 0% 256MiB \
mkpart primary ext4 256MiB 2GiB \
mkpart primary ext4 2GiB 100% \
set 1 boot on &&
sudo mkfs.vfat -F 32 $1p1 &&
sudo mkfs.ext4 $1p2 &&
sudo mkfs.ext4 $1p3
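Review bot: the `parted` invocation on the third line never creates a partition table, yet the README in this same commit says the card should get an MBR ('msdos') label; on a blank card `mkpart` fails without one, so add `mklabel msdos` before the first `mkpart` (and be aware it wipes the existing table). Two further points on the same script: `$1` is used unquoted and unchecked, so running it with no argument hands an empty device to `parted --script` and to `mkfs`, and the `$1p1` / `$1p2` / `$1p3` naming only works for devices like `/dev/mmcblk0` whose partitions carry a `p` suffix, not for `/dev/sdX`. A guard such as `[ -b "$1" ] || { echo "usage: $0 /dev/mmcblkN" >&2; exit 1; }` after the shebang, plus quoting every `"$1"`, would stop the most likely misuse of a script whose only job is to erase a disk.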

86
README.md Normal file

@ -0,0 +1,86 @@
# GnuPG root
To get the hole gpg thing working, you should use a offline computer. This system needs to kept save and usually generates and/or store your master key. From this system you would also deliver those subkeys, which you can use on a daily base.
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
# Prerequisites
1. small embedded linux powered device
2. easily available and widely used platform
3. security orientated os
4. offline update
5. RO system
6. persistance with overlay
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard Reader
# terminal user interface
## main page - overview
1. Integrity OK/Fail
1. /root filesystem
2. user config
3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key Expire failure/warning
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available
# Links
https://vincentserpoul.github.io/post/alpine-linux-rpi0/
## 00-preparation
1. format sd card with 3 partitions
1. MBR 'msdos'
2. 256MB FAT32 for /boot partition
3. 2GB ext4 for overlay
2. extract image: tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner
3. edit cmdline.txt
4. create usercfg.txt
5. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, ccid, opensc, tmux, htop, exfat-utils, cryptsetup, mkinitfs )
6. connect UART TX/RX/GND to pin 8/10/6
7. boot rpi
8. mount second partition to folder /media/mmcblk0p2
9. change /etc/lbu/lbu.conf
10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
11. fix chrony and rtc (rc-update add hwclock boot, rc-update -u [confirm])
12. add community repo (ccid, opensc)
13. rc-update del acpid default (arm only)
## rng
the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
haveged speeds up the random process to 40seconds
rngd speeds up this to 52 seconds
an added BT4.0 usb adapter speeds up this to 20seconds
an added usb stick speeds up this to 5 seconds
lbu include /var/lib/misc/random-seed [needs confirm]
## rtc
a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
CONFIG_RTC_HCTOSYS not set
## encrypted container (encrypted storage)
fallocate -l 100MB PRIVATE
cryptsetup -v luksFormat PRIVATE
--use secure passphrase
cryptsetup -v luksOpen PRIVATE private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
--Umount and close file
umount /mnt/private_file
cryptsetup luksClose private_file
### links
https://github.com/hashbang/airgap
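Review bot: under "00-preparation", step 1 says "format sd card with 3 partitions" but lists sizes for only two (256MB boot, 2GB overlay), while `00-initial.sh` in this commit creates a third ext4 partition from 2GiB to 100%; either list that third partition here or say what it is for, so the README and the script agree. The introduction also has a few wording errors worth fixing before this is published: "hole" should be "whole", "kept save" should be "kept safe", "the would spend" should be "they would spend", "orientated" should be "oriented", and "persistance" should be "persistence". In the "encrypted container" section, the lines starting with `--` ("--use secure passphrase", "--Umount and close file") read like command-line flags but are actually comments; prefixing them with `#` would avoid someone pasting them into a shell.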