public
/
airgap
4
0
Fork 1
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity
A live buildroot based Linux distribution designed for managing secrets offline.
168 Commits
4 Branches
0 Tags
818 MiB
Shell 61.6%
Makefile 38.4%
 
 
Go to file
Anton Livaja df223e6deb
fix: typo 		2024-03-28 19:55:28 -04:00
audits Updated cure53 audit with corrected authors list 2021-11-04 15:23:16 -07:00
config Enable kernel webcam support 2024-03-09 22:55:26 -05:00
dist chore: sign 2024.03.13 2024-03-28 18:56:12 -04:00
src update toolchain 2023-02-24 13:31:37 -08:00
.dockerignore Create .dockerignore, symlinked from .gitignore 2021-06-20 18:39:14 -04:00
.gitattributes lfs track dist/*.iso 2023-02-12 16:58:40 -08:00
.gitignore compatibility fixes with new toolchain version 2023-02-12 03:00:11 -08:00
.gitmodules use https for toolchain submodule 2023-02-13 12:31:04 -08:00
LICENSE.md add MIT license 2021-02-25 12:24:46 -08:00
Makefile RELEASE_DIR -> DIST_DIR 2023-02-13 04:01:16 -08:00
README.md fix: typo 2024-03-28 19:55:28 -04:00

README.md

AirgapOS

https://github.com/distrust-foundation/airgap

About

A live buildroot based Linux distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.

Uses

  • Generate GPG keychain
  • Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Features

  • Deterministic iso generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors

Requirements

Software

  • docker 18+

Hardware

  • Recommended: PC running coreboot-heads
    • Allows for signed builds, and verification of signed sd card payloads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
  • Blank flash drive
  • Blank SD card

Build

Update git submodules

git submodule update --init --recursive

Build a new release

make release

Reproduce an existing release

make attest

Sign an existing release

make sign

Setup

Assumes target is running Pureboot or Coreboot/heads

  1. Boot to shell: Options -> Recovery Shell
  2. Mount SD card 
    mount-usb
mount -o remount,rw /media
  3. Insert chosen GPG Smartcard device
  4. Initialize smartcard 
    gpg --card-status
  5. Sign target iso 
    cd /media
gpg --armor --detach-sign airgap.iso
  6. Unmount 
    cd
umount /media
sync
  7. Reboot

Usage

  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot

Development

Build develop image

make

Boot image in qemu

make vm

Enter shell in build environment

make shell