A live buildroot based Linux distribution designed for managing secrets offline.

Built for those of us who want to be -really- sure our most important secrets are managed in a clean environment, with an "air gap" between us and the internet and high integrity on the supply chain of the firmware and OS used.


  • Generate GPG keychain
  • Store/Restore GPG keychain to a security token such as a Yubikey or Nitrokey
  • Sign cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger


  • Deterministic iso generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors
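The multi-party verification that deterministic iso builds enable, as an added example that is not part of this project's code: each builder publishes `sha256sum` output for their reproduced airgap.iso (assumed here to have been signature-checked with gpg already), and the checker below compares those claims against the digest of a local build and names any party whose build diverged. The party names, file contents and divergent digest are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a (possibly large) iso through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse `sha256sum` output lines ("<hex>  <name>") into {name: hex}; reject malformed digests."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name.strip()] = digest
    return sums

def check_consensus(iso_path, attestations):
    """attestations: {party: sha256sum text}. Returns (local_digest, agreeing parties, {party: claimed})."""
    name = Path(iso_path).name
    local = sha256_file(iso_path)
    agree, disagree = [], {}
    for party, text in attestations.items():
        claimed = parse_sums(text).get(name)  # None if the party did not attest this file
        (agree.append(party) if claimed == local else disagree.__setitem__(party, claimed))
    return local, agree, disagree

def demo():
    """Constructed sample: a stand-in iso and three parties' attestations, one of them divergent."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "airgap.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for a reproducible airgap.iso build\n")
        good = sha256_file(iso)
        attestations = {
            "alice": f"{good}  airgap.iso\n",
            "bob": f"# constructed attestation\n{good}  airgap.iso\n",
            "carol": f"{'0' * 64}  airgap.iso\n",  # constructed: a build that does not reproduce
        }
        return check_consensus(iso, attestations)
```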



  • docker 18+


  • Recommended: PC running coreboot-heads
    • Allows for signed builds, and verification of signed SD card payloads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc.)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc.)
  • Blank flash drive
  • Blank SD card


Build a new release

make release

Reproduce an existing release

make attest

Sign an existing release

make sign


Assumes the target is running Pureboot or Coreboot/heads.

  1. Boot to shell: Options -> Recovery Shell
  2. Mount SD card
    mount -o remount,rw /media
  3. Insert chosen GPG Smartcard device
  4. Initialize smartcard
    gpg --card-status
  5. Sign target iso
    cd /media
    gpg --armor --detach-sign airgap.iso
  6. Unmount
    umount /media
  7. Reboot


  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot


Build develop image


Boot image in qemu

make vm

Enter shell in build environment

make shell