docs/quorum-key-management/src/one-time-use-airgapos.md

Set up AirgapOS

Because without a Librem 14 there is no easy way to have a secure boot sequence, instead the AirgapOS .iso image is flashed to an SD card, locked using sdtool and then verified using any machine.

Setup Steps

• Clone the latest AirgapOS version:

  • git clone git@distrust.co:public/airgap.git

• Build the image:

  • cd airgap && make

• Verify sha256sum of airgap matches hashes in /dist

• Verify signatures on the hashes in /dist. The maintainer pgp keys can be found on the Distrust contact page page.

• Flash airgap.iso to an SD Card:

  • dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct

• Use the sdtool to lock the SD Card:

  • git clone git@github.com:BertoldVdb/sdtool.git

  • cd sdtool

  • make

  • ./sdtool /dev/mmcblk permlock

  • Test that the card can't be written to:

    • dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress

• Verify that the hash of airgap.iso matches what's flashed on the SD card:

  • head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum
  • sha256sum out/airgap.iso