docs/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md

AirgapOS

Requirements

{{ #include ../../basic-requirements.md:requirements }}

• Tamper proofing evidence (photographs)

• SD Card Pack(s)

• High Visibility Storage

• 2 Computers

  • 1 computer should be able to boot AirgapOS (compatibility reference)

Procedure

1. Turn on one of the computers - this one will be used for writing the SD cards

2. Build the software according to the readme in the repository.

3. Use the make reproduce command

4. Unseal the SD Card Pack

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}

1. Label each SD card that will be used "AirgapOS [date]"

2. Place all the SD cards into High Visibility Storage

3. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built

4. {{ #include ../../../../component-documents/finding-device-name.md:content }}

5. Flash airgap.iso to an SD Card:

   • dd if=out/airgap.iso of=/dev/<device_name> bs=4M status=progress conv=fsync

6. Reset the computer, and boot the SD card

7. Once booted, the card needs to be locked using sdtool which is available in AirgapOS:

   • Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk

8. ./sdtool /dev/<device_name> permlock

9. Once burned, unplug the SD card

10. Plug the SD card into a different computer from the one that was used to write the SD card

11. Boot the computer

12. Open a terminal

13. Verify the card can't be written to:

    • echo "42" | dd of=/dev/<device_name>

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}