gnupg-root/README.md
2022-12-31 09:06:45 +01:00

# GnuPG root
To get the whole GnuPG setup working, you should use an offline computer. This system needs to be kept safe: it generates and/or stores your master key, and from it you also issue the subkeys that you use on a daily basis.
Most people do not have a lot of spare hardware lying around that they would dedicate to this. In general nobody runs a dedicated offline root CA if I first have to explain why privacy is important.
## Prerequisites
1. small embedded Linux powered device
2. easily available and widely used platform
3. security-oriented OS
4. offline
5. read-only (RO) system
6. persistence with overlay
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard reader
## terminal user interface
### main page - overview
1. Integrity OK/Fail
    1. /root filesystem
    2. user config
    3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key Expire failure/warning
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available
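Added example, not code from the gnupg-root project: POSIX sh functions for three of the overview items (integrity, RNG status, key expiry and key length), written so they run on the Alpine image without extra packages. The function names, the output format, the 30-day expiry warning window and the 3000-bit floor for RSA/DSA/ElGamal keys (taken here as the BSI TR-02102-1 recommendation) are assumptions of this example; the key check reads the output of `gpg --with-colons --list-keys`.

```shell
#!/bin/sh
# Added example, not part of the gnupg-root project: three of the status
# checks listed under "main page - overview". Function names, output format,
# the 30-day warning window and the 3000-bit floor are assumptions.

# --- Integrity: a sha256 manifest over a directory tree ----------------------
# make_manifest DIR MANIFEST   writes one "hash  ./path" line per regular file,
# sorted, so two runs over an unchanged tree produce identical manifests.
# MANIFEST must live outside DIR (ideally on the read-only boot partition).
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# check_integrity DIR MANIFEST   prints OK or FAIL. Regenerating the whole
# manifest and comparing catches changed, removed and newly added files.
check_integrity() {
    local tmp
    tmp=$(mktemp) || return 1
    make_manifest "$1" "$tmp"
    if cmp -s "$tmp" "$2"; then
        rm -f "$tmp"; echo OK; return 0
    fi
    rm -f "$tmp"; echo FAIL; return 1
}

# --- RNG: is a hardware RNG selected as the kernel's source? -----------------
# rng_status RNG_CURRENT_FILE ENTROPY_FILE   takes the two paths as parameters
# (/sys/class/misc/hw_random/rng_current and
# /proc/sys/kernel/random/entropy_avail on a live system) so it can also be
# run against constructed files.
rng_status() {
    local cur avail
    cur=$(cat "$1" 2>/dev/null)
    avail=$(cat "$2" 2>/dev/null)
    if [ -z "$cur" ] || [ "$cur" = "none" ]; then
        echo "FAIL no hardware rng selected"; return 1
    fi
    echo "OK hwrng=$cur entropy_avail=${avail:-unknown}"
}

# --- Keys: expiry and length from `gpg --with-colons --list-keys` ------------
# check_keys NOW_EPOCH < colon-output   flags RSA/DSA/ElGamal keys under
# 3000 bits, keys already expired and keys expiring within 30 days; returns 1
# if any FAIL line was printed. Colon fields: 3 = bits, 4 = algorithm id,
# 5 = key id, 7 = expiry as seconds since the epoch (empty = never expires).
check_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            id = $5; bits = $3 + 0; algo = $4 + 0; expiry = $7
            # algorithm ids 1-3 are RSA, 16 ElGamal, 17 DSA: for these the
            # size is a modulus/group size, so the 3000-bit floor applies;
            # ECC keys (18, 19, 22) are short by design and are not flagged
            if ((algo >= 1 && algo <= 3) || algo == 16 || algo == 17) {
                if (bits < 3000) { printf "FAIL keylength %s %d\n", id, bits; fail = 1 }
            }
            if (expiry != "") {
                if (expiry + 0 <= now) { printf "FAIL expired %s\n", id; fail = 1 }
                else if (expiry - now < 30 * 86400) printf "WARN expires-soon %s\n", id
            }
        }
        END { exit fail ? 1 : 0 }'
}
```

On the live system the calls would be `check_integrity / /media/mmcblk0p1/manifest.sha256`, `rng_status /sys/class/misc/hw_random/rng_current /proc/sys/kernel/random/entropy_avail` and `gpg --with-colons --list-keys | check_keys "$(date +%s)"`; the manifest should be written once from a known-good state and kept where the running system cannot rewrite it.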
## 00-preparation
1. format the SD card with 3 partitions
    1. MBR 'msdos'
    2. 256MB FAT32 for the /boot partition
    3. 2GB ext4 for the overlay
2. extract the image: `tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner`
3. edit cmdline.txt
4. create usercfg.txt
5. prepare /cache with useful apks (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip, libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils}) [70MB]
6. connect UART TX/RX/GND to pin 8/10/6 green/white/black
7. boot the rpi
8. mount the second partition to the folder /media/mmcblk0p2
9. change /etc/lbu/lbu.conf
10. run setup-alpine (`rc-update add wpa_supplicant boot` [confirm])
11. fix chrony and rtc (`rc-update add hwclock boot`, `rc-update del chronyd default`, `rc-update -u` [confirm])
12. add the community repo (ccid, opensc)
13. `rc-update del acpid default` (arm only)
## persistent /usr
1. `dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152`
2. `apk add e2fsprogs`
3. `mkfs.ext4 /media/mmcblk0p2/persist.img`
4. `echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab`
5. `mkdir /media/persist`
6. `mount -a`
7. `mkdir /media/persist/usr`
8. `mkdir /media/persist/.work`
9. `echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab`
10. `mount -a`
11. `lbu commit`
## rng
- the kernel has hwrng support (CONFIG_HW_RANDOM_BCM2835=y)
- haveged speeds up the random process to 40 seconds
- rngd speeds this up to 52 seconds
- an added BT4.0 USB adapter speeds this up to 20 seconds
- an added USB stick speeds this up to 5 seconds
- lbu include /var/lib/misc/random-seed [needs confirm]
## rtc
- a ds3231 is attached to the i2c pins and works thanks to the added `dtoverlay=i2c-rtc,ds3231`:
  `[ 29.896261] rtc-ds1307 1-0068: registered as rtc0`
- a glibc POSIX API change leads to the hwclock OpenRC bug https://github.com/OpenRC/openrc/issues/352
  `CONFIG_RTC_HCTOSYS not set`
## encrypted container (encrypted storage)
```
apk add cryptsetup
fallocate -l 20MB /media/mmcblk0p2/PRIVATE   # minimal 20MB
cryptsetup -v luksFormat /media/mmcblk0p2/PRIVATE   # takes some seconds; use a secure passphrase
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mkfs -t ext4 /dev/mapper/private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file
# point the GnuPG homes of both users into the container
ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg
ln -s /mnt/private_file/root/.gnupg /root/.gnupg
# unmount and close the container
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```
Create the directories the symlinks point to while the container is mounted:
```
mkdir -p /mnt/private_file/user/.gnupg /mnt/private_file/root/.gnupg
chmod 750 /mnt/private_file/user
chown user:user /mnt/private_file/user/.gnupg
```
- edit /etc/mdev.conf for USB tokens [ToDo]
- `killall gpg-agent`
### mount encrypted container
```
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file
# unmount and close the container
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```
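The open and close sequence above, as an added example that is not part of the gnupg-root project: two shell functions with the checks that are easy to skip when typing the commands by hand (no double open, roll back the unlock when the mount fails, stop the agent before unmounting, skip steps whose state is already gone). The paths follow the README; the `CRYPT_RUN` hook, the `mapping_exists`/`is_mounted` probes and the function names are assumptions of this example, and `gpgconf --kill gpg-agent` is used in place of `killall gpg-agent`. Setting `CRYPT_RUN=echo` prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the gnupg-root project: open/close wrappers for
# the PRIVATE LUKS container. CRYPT_RUN, mapping_exists, is_mounted and the
# function names are assumptions of this example.
CONTAINER=${CONTAINER:-/media/mmcblk0p2/PRIVATE}
MAPPER_NAME=${MAPPER_NAME:-private_file}
MOUNTPOINT=${MOUNTPOINT:-/mnt/private_file}
CRYPT_RUN=${CRYPT_RUN:-}

# run CMD...   executes CMD, or only prints it when CRYPT_RUN=echo
run() { $CRYPT_RUN "$@"; }

# state probes, kept separate so a dry run can replace them
mapping_exists() { [ -e "/dev/mapper/$MAPPER_NAME" ]; }
is_mounted() { grep -q " $MOUNTPOINT " /proc/mounts 2>/dev/null; }

# open_container: refuse to open twice, unlock, then mount with
# nosuid,nodev,noexec (nothing in a key store needs to be executable).
# If the mount fails the mapping is closed again so nothing is left behind.
open_container() {
    if [ ! -f "$CONTAINER" ]; then
        echo "no container at $CONTAINER" >&2; return 1
    fi
    if mapping_exists; then
        echo "$MAPPER_NAME is already open" >&2; return 1
    fi
    run cryptsetup -v luksOpen "$CONTAINER" "$MAPPER_NAME" || return 1
    run mkdir -p "$MOUNTPOINT"
    if ! run mount -o nosuid,nodev,noexec "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"; then
        run cryptsetup luksClose "$MAPPER_NAME"
        return 1
    fi
}

# close_container: stop the agent first (it keeps files under the mounted
# .gnupg open), then unmount, then close the mapping. Steps whose state is
# already gone are skipped, so the function can be re-run after a partial
# teardown.
close_container() {
    run gpgconf --kill gpg-agent
    if is_mounted; then
        run umount "$MOUNTPOINT" || { echo "unmount failed, mapping left open" >&2; return 1; }
    fi
    if mapping_exists; then
        run cryptsetup luksClose "$MAPPER_NAME" || return 1
    fi
}
```

Source the file and call `open_container` before working with the keys and `close_container` afterwards; a failed `umount` deliberately leaves the mapping open rather than pretending the container is closed.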
## kernel update [inProgress]
## kernel [inProgress]
related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980
```
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
gnupg-root:/media/mmcblk0p2# cd modloopfs/
gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-rpi
Parallel unsquashfs: Using 1 processor
1814 inodes (2087 blocks) to write
created 1814 files
created 359 directories
created 0 symlinks
created 0 devices
created 0 fifos
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount | grep modloop
/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 17 Jan 1 1970 /lib/modules -> /.modloop/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules
```
```
mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
apk add linux-rpi
```
## generic image upgrade
[offline]
1. extract the original image to the first partition
2. restore cmdline.txt and usercfg.txt
- [root] delete the cache folder from the overlay partition
    1. in case of a folder: delete /usr from the overlay
    2. in case of an image:
        - `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
        - `mkfs.ext4 persist.img`

[online]
1. recreate the .work folder under /media/persist
2. recreate the usr folder under /media/persist
3. `mkdir /mnt/private_file`
4. check the mountpoint for /usr | `mount /usr`
5. fix the repository
6. fix the network interface
7. `apk update`
8. `apk upgrade`
9. 're-add' the installed packages [e.g. 00-preparation]
10. remount /media/mmcblk0p1 writable
11. `mount -o rw,remount /media/mmcblk0p1/`
12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
13. `lsblk`
14. `ln -s /media/mmcblk0p1/boot boot`
15. `mkinitfs`
16. reboot without lbu commit
## fast major release update
1. delete the content of the first partition
2. extract the original image to the first partition
3. restore cmdline.txt and usercfg.txt
    - cmdline.txt: `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
    - usercfg.txt
4. delete the cache folder from the overlay
5. boot the RPI zero
6. change `/etc/apk/repositories`
7. `lbu commit`
8. reboot
9. `apk update`
10. `apk upgrade`
11. reboot
## generic minor update (to install it into ram)
1. `apk update`
2. `apk upgrade`
3. `lbu commit`
## 1.44" OLED and button
create an overlay for /usr first, otherwise space is missing
https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working, fbtft module missing]
```
apk add python2   # obsolete
apk add build-base   # the binary is built for rpi3
# ToDo
sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))
vi /etc/modprobe.d/fbtft.conf
```
content of /etc/modprobe.d/fbtft.conf:
```
options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128
```
### python approach
```
pip install --user RPi.GPIO
pip install --user spidev
```
### modern kernel approach
```
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6
apk add raspberrypi-dev
```
## nitrokey
```
apk add py-pip build-base python3-dev py3-wheel   # 240Mb
apk add libffi-dev   # 7Mb
apk add openssl-dev rust cargo   # 337Mb
#pip install --user setuptools_rust
apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
apk add py3-pep517 py3-cryptography
# see https://cryptography.io/en/latest/installation/
reboot
lbu inc /home
lbu inc /root
pip3 install --user wheel
pip3 install --user pynitrokey   # takes about 35min; can fail due to no space left on device, but cbor fails nevertheless
```
- fix $PATH to /root/.local/bin in /etc/profile
- need mdev/udev rules to grant access for the user
- libudev-zero is a replacement, which is needed for pcscd
## ToDo
- tmux
- camera to scan QR codes
- predefine a common action scheme
- general reconsideration of usefulness
### links
- https://github.com/hashbang/airgap
- https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
- https://vincentserpoul.github.io/post/alpine-linux-rpi0/