commit be19c8956895e830c24ce3bd3ac42bf962df01f0
Author: coelner
Date: Thu Sep 10 18:02:20 2020 +0200
WIP
diff --git a/00-initial.sh b/00-initial.sh
new file mode 100755
index 0000000..6f67c18
--- /dev/null
+++ b/00-initial.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+echo $1
+sudo parted --script -a optimal $1 \
+ mkpart primary fat32 0% 256MiB \
+ mkpart primary ext4 256MiB 2GiB \
+ mkpart primary ext4 2GiB 100% \
+ set 1 boot on &&
+sudo mkfs.vfat -F 32 $1p1 &&
+sudo mkfs.ext4 $1p2 &&
+sudo mkfs.ext4 $1p3
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b22d11c
--- /dev/null
+++ b/README.md
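Review bot: `$1` is used unvalidated and unquoted as the target of a destructive repartition run under sudo, from `echo $1` through `sudo mkfs.ext4 $1p3`; an empty or mistyped argument is not caught before parted and mkfs run. A `dev=${1:?usage: ...}` guard plus a `[[ -b "$dev" ]]` test would make the script refuse anything that is not a block device, and quoting the expansions keeps ShellCheck SC2086 clean. The `$1p1` suffix also assumes the `p`-style partition naming of `/dev/mmcblk*` and `/dev/nvme*` devices, which does not match `/dev/sdX` names, so a comment stating that assumption is worth adding. The parted call issues no `mklabel` even though the README added in the same commit calls for an MBR 'msdos' label, so on a blank card the first `mkpart` is likely to fail; a `mklabel msdos` before the first `mkpart` would fix that if that is the intent.
```bash
#!/usr/bin/env bash
set -euo pipefail
# Expects a whole-disk device with p-suffixed partitions (/dev/mmcblkN, /dev/nvmeXnY).
dev=${1:?usage: ${0##*/} /dev/mmcblkN}
[[ -b "$dev" ]] || { printf '%s: not a block device\n' "$dev" >&2; exit 1; }
printf '%s\n' "$dev"
sudo parted --script -a optimal "$dev" \
  mklabel msdos \
  mkpart primary fat32 0% 256MiB \
  mkpart primary ext4 256MiB 2GiB \
  mkpart primary ext4 2GiB 100% \
  set 1 boot on
sudo mkfs.vfat -F 32 "${dev}p1"
sudo mkfs.ext4 "${dev}p2"
sudo mkfs.ext4 "${dev}p3"
```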
@@ -0,0 +1,86 @@
+# GnuPG root
+To get the hole gpg thing working, you should use a offline computer. This system needs to kept save and usually generates and/or store your master key. From this system you would also deliver those subkeys, which you can use on a daily base.
+Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.
+
+
+# Prerequisites
+
+ 1. small embedded linux powered device
+ 2. easily available and widely used platform
+ 3. security orientated os
+ 4. offline update
+ 5. RO system
+ 6. persistance with overlay
+ 7. possible file integrity checks
+ 8. USB-A connector(s) for the GNUK token/SmartCard Reader
+
+# terminal user interface
+
+## main page - overview
+
+1. Integrity OK/Fail
+ 1. /root filesystem
+ 2. user config
+ 3. .gnupg path
+2. rootCA/MasterKey SmartCard/GNUK available
+3. user SmartCard/GNUK available
+4. RNG status
+5. RTC/Time/Date status
+6. Key Expire failure/warning
+7. Key length Failure/Warning (BSI recommendation)
+8. revocation certificate available
+
+# Links
+https://vincentserpoul.github.io/post/alpine-linux-rpi0/
+
+## 00-preparation
+ 1. format sd card with 3 partitions
+ 1. MBR 'msdos'
+ 2. 256MB FAT32 for /boot partition
+ 3. 2GB ext4 for overlay
+ 2. extract image: tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner
+ 3. edit cmdline.txt
+ 4. create usercfg.txt
+ 5. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, ccid, opensc, tmux, htop, exfat-utils, cryptsetup, mkinitfs )
+ 6. connect UART TX/RX/GND to pin 8/10/6
+ 7. boot rpi
+ 8. mount second partition to folder /media/mmcblk0p2
+ 9. change /etc/lbu/lbu.conf
+ 10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
+ 11. fix chrony and rtc (rc-update add hwclock boot, rc-update -u [confirm])
+ 12. add community repo (ccid, opensc)
+ 13. rc-update del acpid default (arm only)
+
+
+
+## rng
+the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
+haveged speeds up the random process to 40seconds
+rngd speeds up this to 52 seconds
+an added BT4.0 usb adapter speeds up this to 20seconds
+an added usb stick speeds up this to 5 seconds
+lbu include /var/lib/misc/random-seed [needs confirm]
+
+## rtc
+a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
+[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
+glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
+CONFIG_RTC_HCTOSYS not set
+
+
+## encrypted container (encrypted storage)
+
+fallocate -l 100MB PRIVATE
+cryptsetup -v luksFormat PRIVATE
+--use secure passphrase
+cryptsetup -v luksOpen PRIVATE private_file
+mkdir /mnt/private_file
+mount /dev/mapper/private_file /mnt/private_file
+--Umount and close file
+umount /mnt/private_file
+cryptsetup luksClose private_file
+
+
+
+### links
+https://github.com/hashbang/airgap
\ No newline at end of file