WIP
commit be19c89568
10  00-initial.sh  Executable file
@ -0,0 +1,10 @@
#!/usr/bin/env bash
echo $1
sudo parted --script -a optimal $1 \
mkpart primary fat32 0% 256MiB \
mkpart primary ext4 256MiB 2GiB \
mkpart primary ext4 2GiB 100% \
set 1 boot on &&
sudo mkfs.vfat -F 32 $1p1 &&
sudo mkfs.ext4 $1p2 &&
sudo mkfs.ext4 $1p3
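Review bot: parted is never told which partition table to create, so the script either fails on a blank card ("unrecognised disk label") or reuses whatever label is already there, even though the README's preparation step calls for MBR 'msdos'; add `mklabel msdos` as the first parted subcommand, before the three `mkpart` lines. `$1` is also used unquoted and unchecked: with no argument, `sudo parted --script -a optimal $1 \` collapses to `parted --script -a optimal mkpart ...` and parted takes `mkpart` as the device path, and the `$1p1`/`$1p2`/`$1p3` suffixes only hold for devices such as /dev/mmcblk0 or /dev/nvme0n1, not for a card in a USB reader (/dev/sdb1). Suggest `set -euo pipefail`, `dev=${1:?usage: $0 /dev/mmcblk0}`, quoting every use, and `sudo partprobe "$dev"` plus `udevadm settle` before the mkfs calls, since the partition nodes may not exist yet when parted returns. Because the script wipes the target with no confirmation, the bare `echo $1` on line 2 would be better replaced by an explicit prompt that names the device about to be erased.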
86  README.md  Normal file
@ -0,0 +1,86 @@
# GnuPG root
To get the hole gpg thing working, you should use a offline computer. This system needs to kept save and usually generates and/or store your master key. From this system you would also deliver those subkeys, which you can use on a daily base.
Most people do not have laying around a lot of hardware, which the would spend using for this. In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important.


# Prerequisites

1. small embedded linux powered device
2. easily available and widely used platform
3. security orientated os
4. offline update
5. RO system
6. persistance with overlay
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard Reader

# terminal user interface

## main page - overview

1. Integrity OK/Fail
1. /root filesystem
2. user config
3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key Expire failure/warning
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available

# Links
https://vincentserpoul.github.io/post/alpine-linux-rpi0/

## 00-preparation
1. format sd card with 3 partitions
1. MBR 'msdos'
2. 256MB FAT32 for /boot partition
3. 2GB ext4 for overlay
2. extract image: tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner
3. edit cmdline.txt
4. create usercfg.txt
5. prepare /cache with useful apk (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, ccid, opensc, tmux, htop, exfat-utils, cryptsetup, mkinitfs )
6. connect UART TX/RX/GND to pin 8/10/6
7. boot rpi
8. mount second partition to folder /media/mmcblk0p2
9. change /etc/lbu/lbu.conf
10. run setup-alpine ( rc-update add wpa_supplicant boot [confirm])
11. fix chrony and rtc (rc-update add hwclock boot, rc-update -u [confirm])
12. add community repo (ccid, opensc)
13. rc-update del acpid default (arm only)



## rng
the kernel has hwrnd support (CONFIG_HW_RANDOM_BCM2835=y)
haveged speeds up the random process to 40seconds
rngd speeds up this to 52 seconds
an added BT4.0 usb adapter speeds up this to 20seconds
an added usb stick speeds up this to 5 seconds
lbu include /var/lib/misc/random-seed [needs confirm]

## rtc
a ds3231 is added to the i2c pins and works due the added 'dtoverlay=i2c-rtc,ds3231'
[ 29.896261] rtc-ds1307 1-0068: registered as rtc0
glibc posix api change and leads to hwclock openRC bug https://github.com/OpenRC/openrc/issues/352
CONFIG_RTC_HCTOSYS not set


## encrypted container (encrypted storage)

fallocate -l 100MB PRIVATE
cryptsetup -v luksFormat PRIVATE
--use secure passphrase
cryptsetup -v luksOpen PRIVATE private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
--Umount and close file
umount /mnt/private_file
cryptsetup luksClose private_file



### links
https://github.com/hashbang/airgap
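Review bot: the encrypted-container recipe fails at `mount /dev/mapper/private_file /mnt/private_file`, because nothing creates a filesystem inside the container after `cryptsetup -v luksOpen PRIVATE private_file`; add `mkfs.ext4 /dev/mapper/private_file` (first open only) before the mount step. The partition list under `## 00-preparation` also disagrees with 00-initial.sh: "MBR 'msdos'" is the disk label, not a partition, so only two of the promised three partitions (256MB FAT32 /boot, 2GB ext4 overlay) are described, and the third ext4 partition the script creates from 2GiB to the end of the card is never mentioned or given a purpose. Step 2 extracts alpine-rpi-3.12.0-armhf.tar.gz straight onto the card; for a system that is meant to hold the master key, add a step to check the published checksum and signature of the tarball before extracting. Step 6 ("connect UART TX/RX/GND to pin 8/10/6") should say which way round: header pin 8 is the Pi's TXD and pin 10 its RXD, so the adapter's RX goes to pin 8 and its TX to pin 10, GND to pin 6. The rng timings (40, 52, 20 and 5 seconds) don't say what was timed or how it was measured, and "CONFIG_RTC_HCTOSYS not set" under `## rtc` doesn't say whether that is the cause of the clock problem or a to-do. "BSI recommendation" in the TUI list would be clearer as a reference to BSI TR-02102-1. Heading levels: `## 00-preparation`, `## rng`, `## rtc` and `## encrypted container` all sit under `# Links`; make them `#` sections or move `# Links` to the end next to `### links`. The sentence "In general nobody uses a dedicated offline root CA, if I need to explain why privacy is important." needs rewording; its point is unclear. Spelling: "hole" → "whole", "kept save" → "kept safe", "a offline" → "an offline", "on a daily base" → "on a daily basis", "laying around" → "lying around", "the would" → "they would", "orientated" → "oriented", "persistance" → "persistence", "due the added" → "due to the added".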