# GnuPG root

To get the whole gpg setup working, you should use an offline computer. This system needs to be kept safe and usually generates and/or stores your master key. From this system you also issue the subkeys, which you then use on a daily basis.

Most people do not have a lot of hardware lying around that they would dedicate to this. In general nobody uses a dedicated offline root CA, if I still need to explain why privacy is important.

## Prerequisites

1. small embedded Linux powered device
2. easily available and widely used platform
3. security oriented OS
4. offline
5. RO (read-only) system
6. persistence with overlay
7. possible file integrity checks
8. USB-A connector(s) for the GNUK token/SmartCard reader

## terminal user interface

### main page - overview

1. Integrity OK/Fail
    1. /root filesystem
    2. user config
    3. .gnupg path
2. rootCA/MasterKey SmartCard/GNUK available
3. user SmartCard/GNUK available
4. RNG status
5. RTC/Time/Date status
6. Key Expire failure/warning
7. Key length Failure/Warning (BSI recommendation)
8. revocation certificate available

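An added example (not part of these notes) of how the "Key Expire" and "Key length (BSI recommendation)" rows of the main page can be computed from `gpg --with-colons --list-keys` output. The thresholds (3000-bit RSA/DSA as the BSI TR-02102-1 minimum, 4096 as the target, 250-bit ECC, a 30-day expiry warning) and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example: key-expiry and key-length status rows for the TUI main page.
# Input is the colon format of `gpg --with-colons --list-keys`: field 3 is the
# key length, field 4 the algorithm id, field 5 the key id and field 7 the
# expiry as seconds since the epoch (empty = never expires).
# Thresholds are assumptions modelled on BSI TR-02102-1: RSA/DSA below 3000
# bits FAIL, below 4096 WARN; ECC below 250 bits FAIL; expiry within 30 days WARN.

WARN_DAYS=30

# check_keys NOW   (reads the listing on stdin, prints "<keyid> <status> <reason>")
check_keys() {
    awk -F: -v now="$1" -v warn_days="$WARN_DAYS" '
    $1 == "pub" || $1 == "sub" {
        kid = $5; bits = $3 + 0; algo = $4 + 0; expiry = $7
        status = "OK"; reason = "-"
        if (algo == 1 || algo == 17) {                        # RSA / DSA
            if (bits < 3000)      { status = "FAIL"; reason = "rsa_bits=" bits }
            else if (bits < 4096) { status = "WARN"; reason = "rsa_bits=" bits }
        } else if (algo == 18 || algo == 19 || algo == 22) {  # ECDH / ECDSA / EdDSA
            if (bits < 250)       { status = "FAIL"; reason = "ecc_bits=" bits }
        }
        if (expiry != "") {                                   # empty = no expiry
            expiry = expiry + 0
            if (expiry <= now) { status = "FAIL"; reason = "expired" }
            else if (status != "FAIL" && expiry - now < warn_days * 86400) {
                status = "WARN"; reason = "expires_in_days=" int((expiry - now) / 86400)
            }
        }
        print kid, status, reason
    }'
}

# Constructed sample listing (not a real keyring): a 4096-bit RSA primary key
# valid until 2100, an expired 2048-bit RSA subkey, an ed25519 subkey without
# expiry and a 4096-bit RSA subkey expiring 10 days after NOW=1700000000.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1600000000:4102444800::u:::scESC:
sub:u:2048:1:FEDCBA9876543210:1600000000:1600086400:::::s:
sub:u:255:22:1111222233334444:1600000000::::::e:
sub:u:4096:1:AAAABBBBCCCCDDDD:1600000000:1700864000:::::a:'

# Live use on the box: gpg --with-colons --list-keys | check_keys "$(date +%s)"
printf '%s\n' "$SAMPLE" | check_keys 1700000000
```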
## 00-preparation

1. format the SD card with 3 partitions
    1. MBR 'msdos'
    2. 256MB FAT32 for the /boot partition
    3. 2GB ext4 for the overlay
2. extract the image: `tar -xzvf ~/Downloads/alpine-rpi-3.12.0-armhf.tar.gz -C /run/media/**** --no-same-owner`
3. edit cmdline.txt
4. create usercfg.txt
5. prepare /cache with useful apks (e2fsprogs, lsblk, vim, gnupg, gnupg-scdaemon, pinentry, ccid, opensc, pcsc-lite-libs, tmux, htop, exfat-utils, cryptsetup, mkinitfs, squashfs-tools, p7zip, libusb, hwids-usb {pcsc-lite libudev-zero fsverity-utils}) [70MB]
6. connect UART TX/RX/GND to pins 8/10/6 (green/white/black)
7. boot the rpi
8. mount the second partition to the folder /media/mmcblk0p2
9. change /etc/lbu/lbu.conf
10. run setup-alpine (rc- add wpa_supplicant boot [confirm])
11. fix chrony and rtc (rc- add hwclock boot, rc- del chronyd default, rc- -u [confirm])
12. add the community repo (ccid, opensc)
13. rc- del acpid default (arm only)

## persistent /usr

1. `dd if=/dev/zero of=/media/mmcblk0p2/persist.img bs=1024 count=0 seek=2097152`
2. `apk add e2fsprogs`
3. `mkfs.ext4 /media/mmcblk0p2/persist.img`
4. `echo "/media/mmcblk0p2/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab`
5. `mkdir /media/persist`
6. `mount -a`
7. `mkdir /media/persist/usr`
8. `mkdir /media/persist/.work`
9. `echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work 0 0" >> /etc/fstab`
10. `mount -a`
11. `lbu commit`

## rng

- the kernel has hwrng support (CONFIG_HW_RANDOM_BCM2835=y)
- haveged speeds up the random process to 40 seconds
- rngd speeds this up to 52 seconds
- an added BT4.0 usb adapter speeds this up to 20 seconds
- an added usb stick speeds this up to 5 seconds
- lbu include /var/lib/misc/random-seed [needs confirm]

## rtc

- a ds3231 is attached to the i2c pins and works thanks to the added `dtoverlay=i2c-rtc,ds3231`

  `[ 29.896261] rtc-ds1307 1-0068: registered as rtc0`

- a glibc POSIX API change leads to the hwclock OpenRC bug https://github.com/OpenRC/openrc/issues/352

  `CONFIG_RTC_HCTOSYS not set`

## encrypted container (encrypted storage)

```
apk add cryptsetup

# minimal 20MB: a 10MB file is too small once the LUKS header is written
fallocate -l 20M PRIVATE

# use a secure passphrase; takes some seconds
cryptsetup -v luksFormat PRIVATE
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mkfs -t ext4 /dev/mapper/private_file
mkdir /mnt/private_file
mount /dev/mapper/private_file /mnt/private_file

# point both gnupg homes into the container
ln -s /mnt/private_file/user/.gnupg /home/user/.gnupg
ln -s /mnt/private_file/root/.gnupg /root/.gnupg

# unmount and close the container
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```

```
# the user's gnupg home inside the container: the user must own the
# parent, and gpg expects .gnupg itself to be mode 700
mkdir -p /mnt/private_file/user/.gnupg
chmod 750 /mnt/private_file/user
chown -R user:user /mnt/private_file/user
chmod 700 /mnt/private_file/user/.gnupg
```

- edit /etc/mdev.conf for usb tokens [ToDo]
- `killall gpg-agent`

## mount encrypted container

```
cryptsetup -v luksOpen /media/mmcblk0p2/PRIVATE private_file
mount /dev/mapper/private_file /mnt/private_file

# unmount and close the container
killall gpg-agent
umount /mnt/private_file
cryptsetup luksClose private_file
```

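The "Integrity OK/Fail" row of the TUI (for the .gnupg path and user config) needs a manifest to compare the opened container against. An added example, not from these notes, of such a check; unlike plain `sha256sum -c` it also reports files added since the manifest was written. The manifest is meant to be kept outside the checked tree (for instance on the read-only /boot partition); all paths here are assumptions.

```shell
#!/bin/sh
# Added example: integrity check of a directory tree such as /mnt/private_file/user/.gnupg.
# The manifest holds one "<sha256>  <relative path>" line per regular file, sorted by path,
# and is assumed to be stored outside the tree it covers. Paths are assumed to contain no
# whitespace (true for a .gnupg directory).

# make_manifest DIR > MANIFEST
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# verify_manifest DIR MANIFEST
# prints one line per CHANGED, MISSING or ADDED file, then OK or FAIL;
# returns 0 only when the tree matches the manifest exactly.
verify_manifest() {
    dir="$1"; manifest="$2"; rc=0
    # 1) every listed file must still exist with the recorded hash
    while read -r sum path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    # 2) anything on disk that the manifest does not list (sha256sum -c cannot see this)
    listed=$(cut -d' ' -f3- "$manifest")
    for path in $(cd "$dir" && find . -type f | LC_ALL=C sort); do
        printf '%s\n' "$listed" | grep -qxF -- "$path" || { echo "ADDED $path"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo OK || echo FAIL
    return "$rc"
}

# Typical use on the box (manifest written once from the known-good tree):
#   make_manifest /mnt/private_file/user/.gnupg > /media/mmcblk0p1/gnupg.manifest
#   verify_manifest /mnt/private_file/user/.gnupg /media/mmcblk0p1/gnupg.manifest
```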
## kernel update [inProgress]

## kernel [inProgress]

related: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11980

```
gnupg-root:/media/mmcblk0p2# mkdir modloopfs
gnupg-root:/media/mmcblk0p2# cd modloopfs/
gnupg-root:/media/mmcblk0p2/modloopfs# unsquashfs /media/mmcblk0p1/boot/modloop-rpi
Parallel unsquashfs: Using 1 processor
1814 inodes (2087 blocks) to write
created 1814 files
created 359 directories
created 0 symlinks
created 0 devices
created 0 fifos
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# mount | grep modloop
/media/mmcblk0p1/boot/modloop-rpi on /.modloop type squashfs (ro,relatime)
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 17 Jan 1 1970 /lib/modules -> /.modloop/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# rm /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ln -s /media/mmcblk0p2/modloopfs/squashfs-root/modules /lib/modules
gnupg-root:/media/mmcblk0p2/modloopfs/squashfs-root# ls -l /lib/modules
lrwxrwxrwx 1 root root 48 Sep 26 13:58 /lib/modules -> /media/mmcblk0p2/modloopfs/squashfs-root/modules
```

```
mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments
apk add linux-rpi
```

## generic image upgrade

[offline]

1. extract the original image to the first partition
2. restore cmdline and usercfg.txt

- [root] delete the cache folder from the overlay partition
    1. in case of a folder (delete /usr from the overlay)
    2. in case of an image
        - `rm persist.img && dd if=/dev/zero of=persist.img bs=1024 count=0 seek=209715`
        - `mkfs.ext4 persist.img`

[online]

1. recreate the .work folder under /media/persist
2. recreate the usr folder under /media/persist
3. `mkdir /mnt/private_file`
4. check the mountpoint for /usr | `mount /usr`
5. fix the repository
6. fix the network interface
7. `apk update`
8. `apk upgrade`
9. 're-add' the installed packages [e.g. 00-preparation]
10. remount /media/mmcblk0p1 writable
11. `mount -o rw,remount /media/mmcblk0p1/`
12. `cd /media/mmcblk0p2/cache && cp *.apk /media/mmcblk0p1/apks/armhf`
13. `lsblk`
14. `ln -s /media/mmcblk0p1/boot boot`
15. `mkinitfs`
16. reboot without lbu commit

## fast major release update

1. delete the content of the first partition
2. extract the original image to the first partition
3. restore cmdline and usercfg.txt
    - `modules=loop,overlay,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable=0 console=tty1 console=ttyAMA0,115200`
    - usercfg.txt
4. delete the cache folder from the overlay
5. boot the RPI zero
6. change `/etc/apk/repositories`
7. `lbu commit`
8. reboot
9. `apk update`
10. `apk upgrade`
11. reboot

## generic minor (to install it into ram)

1. `apk update`
2. `apk upgrade`
3. `lbu commit`

## 1.44" OLED and button

create an overlay for /usr, otherwise space is missing

https://gist.github.com/sdalu/4fd108e0a96d6b41d52fde7542cc95ce [not working, fbtft module missing]

```
apk add python2     # obsolete
apk add build-base  # the binary is built for rpi3
```

// ToDo

```
sudo modprobe fbtft_device name=adafruit18_green gpios=reset:27,dc:25,cs:8,led:24 height=128 width=128 rotate=180 fps=30 bgr=1 speed=40000000 debug=$((1<<5))
```

`vi /etc/modprobe.d/fbtft.conf`:

```
options fbtft_device name=fb_st7735r gpios=reset:27,dc:25,led:18 speed=16000000 bgr=1 custom=1 width=128 height=128
```

## python approach

```
pip install --user RPi.GPIO
pip install --user spidev
```

## modern kernel approach

```
wget https://github.com/juj/fbcp-ili9341/archive/refs/heads/master.zip
# run from a build directory inside the unpacked source
cmake -DWAVESHARE_ST7735S_HAT=ON -DSPI_BUS_CLOCK_DIVISOR=6 ..
apk add raspberrypi-dev
```

## nitrokey

```
apk add py-pip build-base python3-dev py3-wheel   # [240Mb]
apk add libffi-dev                                # [7Mb]
apk add openssl-dev rust cargo                    # [337Mb]
#pip install --user setuptools_rust
apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
apk add py3-pep517 py3-cryptography
# see https://cryptography.io/en/latest/installation/
reboot
lbu inc /home
lbu inc /root
pip3 install --user wheel
# takes about 35min, can fail due to no space left on device, but cbor fails nevertheless
pip3 install --user pynitrokey
```

- fix $PATH to /root/.local/bin in /etc/profile
- need mdev/udev rules to grant access for the user
- libudev-zero is a replacement, which is needed for pcscd

## ToDo

- tmux
- camera to scan QR code
- predefine common action scheme
- general reconsideration of usefulness

### links

- https://github.com/hashbang/airgap
- https://riseup.net/de/security/message-security/openpgp/gpg-best-practices
- https://vincentserpoul.github.io/post/alpine-linux-rpi0/