A live stagex based Linux distribution designed for managing secrets offline.
Spencer Judd 7d9f87c976
Enable kernel webcam support
These four kernel config changes are sufficient to get the webcam
working on the Librem 14.
2024-03-09 22:55:26 -05:00
audits Updated cure53 audit with corrected authors list 2021-11-04 15:23:16 -07:00
config Enable kernel webcam support 2024-03-09 22:55:26 -05:00
dist add Matthew Brooks PGP signature 2023-02-28 12:44:06 -08:00
src update toolchain 2023-02-24 13:31:37 -08:00
.dockerignore Create .dockerignore, symlinked from .gitignore 2021-06-20 18:39:14 -04:00
.gitattributes lfs track dist/*.iso 2023-02-12 16:58:40 -08:00
.gitignore compatibility fixes with new toolchain version 2023-02-12 03:00:11 -08:00
.gitmodules use https for toolchain submodule 2023-02-13 12:31:04 -08:00
LICENSE.md add MIT license 2021-02-25 12:24:46 -08:00
Makefile RELEASE_DIR -> DIST_DIR 2023-02-13 04:01:16 -08:00
README.md document simplified build commands 2023-02-12 03:01:53 -08:00

README.md

AirgapOS

https://github.com/distrust-foundation/airgap

About

A live buildroot based Linux distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.

Uses

  • Generate GPG keychain
  • Store/Restore GPG keychain to a security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Features

  • Deterministic ISO generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors

Requirements

Software

  • docker 18+

Hardware

  • Recommended: PC running coreboot-heads
    • Allows for signed builds, and verification of signed SD card payloads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
  • Blank flash drive
  • Blank SD card

Build

Build a new release

```
make release
```

Reproduce an existing release

```
make attest
```

Sign an existing release

```
make sign
```

Setup

Assumes target is running Pureboot or Coreboot/heads

  1. Boot to shell: Options -> Recovery Shell
  2. Mount SD card
    ```
    mount-usb
    mount -o remount,rw /media
    ```
  3. Insert chosen GPG Smartcard device
  4. Initialize smartcard
    ```
    gpg --card-status
    ```
  5. Sign target iso
    ```
    cd /media
    gpg --armor --detach-sign airgap.iso
    ```
  6. Unmount
    ```
    cd
    umount /media
    sync
    ```
  7. Reboot
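
The signature from step 5 is only as trustworthy as the ISO it covers, so the following added example (not part of the AirgapOS repository) checks on the build machine that independently reproduced digests all agree with the local `airgap.iso` before it is copied to the SD card and signed. The digest files, their one-line `sha256sum` layout, the threshold argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not AirgapOS code. Assumption: each independent builder
# supplies one sha256sum-style line ("<hex>  <name>") in its own file.

# Print the SHA-256 of a file as bare hex.
iso_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_reproduction ISO THRESHOLD DIGEST_FILE...
# Succeeds only if at least THRESHOLD digest files were supplied and every
# one of them records the same SHA-256 as the local ISO.
check_reproduction() {
    iso=$1; threshold=$2; shift 2
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 2; }
    local_sum=$(iso_digest "$iso")
    matches=0
    for f in "$@"; do
        # First field of the first line, lower-cased; must be 64 hex characters.
        theirs=$(head -n 1 "$f" | cut -d' ' -f1 | tr 'A-F' 'a-f')
        case $theirs in
            *[!0-9a-f]*|'') echo "malformed digest in $f" >&2; return 2 ;;
        esac
        [ ${#theirs} -eq 64 ] || { echo "malformed digest in $f" >&2; return 2; }
        if [ "$theirs" = "$local_sum" ]; then
            matches=$((matches + 1))
        else
            echo "MISMATCH: $f does not match $iso" >&2
            return 1
        fi
    done
    if [ "$matches" -lt "$threshold" ]; then
        echo "only $matches matching builds, need $threshold" >&2
        return 1
    fi
    echo "$matches independent builds match $local_sum"
}

# Check the detached signature that step 5 writes next to the ISO (airgap.iso.asc).
verify_signature() {
    gpg --verify "$1.asc" "$1"
}
```

A single mismatching digest fails the check outright rather than being outvoted, since any disagreement between builders means the build was not reproduced.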

Usage

  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot

Development

Build develop image

```
make
```

Boot image in qemu

```
make vm
```

Enter shell in build environment

```
make shell
```