|
|
@ -4,7 +4,7 @@ Airgap Arch Linux with Keyfork is best used with a removable SD card to store
|
|
|
|
shard files and other persistent media. After inserting an SD card, run the
|
|
|
|
shard files and other persistent media. After inserting an SD card, run the
|
|
|
|
following command to mount any unmounted SD cards and find any Shard files:
|
|
|
|
following command to mount any unmounted SD cards and find any Shard files:
|
|
|
|
|
|
|
|
|
|
|
|
# discover-and-mount-sdcard
|
|
|
|
# discover-shard
|
|
|
|
|
|
|
|
|
|
|
|
This guide will assume the discovered Shard file is listed as:
|
|
|
|
This guide will assume the discovered Shard file is listed as:
|
|
|
|
/media/mmcblk0p1/shards.pgp
|
|
|
|
/media/mmcblk0p1/shards.pgp
|
|
|
@ -15,8 +15,9 @@ where M is the minimum amount of users required to recreate the secret and N is
|
|
|
|
is the total amount of shardholders. An additional value, K, will be used to
|
|
|
|
is the total amount of shardholders. An additional value, K, will be used to
|
|
|
|
denote the amount of smartcards (i.e., backups) to provision per shardholder.
|
|
|
|
denote the amount of smartcards (i.e., backups) to provision per shardholder.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# prepare-shard-media
|
|
|
|
# keyfork wizard generate-shard-secret --threshold \$M --max \$N
|
|
|
|
# keyfork wizard generate-shard-secret --threshold \$M --max \$N
|
|
|
|
--keys-per-shard \$K --output /media/mmcblk0p1/shards.pgp
|
|
|
|
--keys-per-shard \$K --output /media/sdcard/shards.pgp
|
|
|
|
|
|
|
|
|
|
|
|
The Keyfork server can be started using a Shard-secred secret locally, if all
|
|
|
|
The Keyfork server can be started using a Shard-secred secret locally, if all
|
|
|
|
shardholders are present, or using a QR-based remote recovery. The shard file
|
|
|
|
shardholders are present, or using a QR-based remote recovery. The shard file
|
|
|
@ -39,22 +40,48 @@ For more information, run:
|
|
|
|
EOF
|
|
|
|
EOF
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
discover-and-mount-sdcard() {
|
|
|
|
amount() {
|
|
|
|
|
|
|
|
partition="$1"
|
|
|
|
|
|
|
|
media="$1"
|
|
|
|
|
|
|
|
if [ ! -z "$2" ]; then
|
|
|
|
|
|
|
|
media="$2"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "Automatically mounting /dev/$partition to /media/$media"
|
|
|
|
|
|
|
|
mkdir -p "/media/$media"
|
|
|
|
|
|
|
|
umount "/media/$partition" 2>/dev/null
|
|
|
|
|
|
|
|
mount $MOUNT_OPTS "/dev/$partition" "/media/$media"
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
discover-shard() {
|
|
|
|
MOUNT_OPTS="-o relatime,utf8,flush,umask=0000"
|
|
|
|
MOUNT_OPTS="-o relatime,utf8,flush,umask=0000"
|
|
|
|
|
|
|
|
|
|
|
|
lsblk -nlo NAME,FSTYPE | awk '$2 == "vfat" { print $1 }' | while read partition; do
|
|
|
|
lsblk -nlo NAME,FSTYPE | awk '$2 == "vfat" { print $1 }' | while read partition; do
|
|
|
|
echo "Automatically mounting /dev/$partition to /media/$partition"
|
|
|
|
amount "$partition"
|
|
|
|
mkdir -p "/media/$partition"
|
|
|
|
|
|
|
|
umount "/media/$partition" 2>/dev/null
|
|
|
|
|
|
|
|
mount $MOUNT_OPTS "/dev/$partition" "/media/$partition"
|
|
|
|
|
|
|
|
find "/media/$partition" -name '*.pgp' -maxdepth 2 | while read file; do
|
|
|
|
find "/media/$partition" -name '*.pgp' -maxdepth 2 | while read file; do
|
|
|
|
echo "Found potential shardfile: $file"
|
|
|
|
echo "Found potential shardfile: $file"
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
echo
|
|
|
|
prepare-shard-media() {
|
|
|
|
|
|
|
|
echo "Please re-insert the SD card"
|
|
|
|
|
|
|
|
udevadm monitor --udev | while read udev ts operation path type; do
|
|
|
|
|
|
|
|
if [ "$type" = "(block)" -a "$operation" = "add" ]; then
|
|
|
|
|
|
|
|
partition="$(echo "$path" | cut -d/ -f12)"
|
|
|
|
|
|
|
|
if [ ! -z "$partition" ]; then
|
|
|
|
|
|
|
|
amount "$partition" "sdcard"
|
|
|
|
|
|
|
|
# Weird quirk with bash: if udev doesn't have anything else printing,
|
|
|
|
|
|
|
|
# it won't trigger the start of the next loop, and therefore won't
|
|
|
|
|
|
|
|
# "break" the loop. Run `udevadm trigger` to give udevadm more things
|
|
|
|
|
|
|
|
# to send to `read`.
|
|
|
|
|
|
|
|
udevadm trigger
|
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
help
|
|
|
|
help
|
|
|
|
echo
|
|
|
|
echo
|
|
|
|
discover-and-mount-sdcard
|
|
|
|
discover-shard
|
|
|
|
echo
|
|
|
|
echo
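Review bot: In the new `amount()` the pre-mount cleanup unmounts `/media/$partition`, but the directory actually mounted is `/media/$media`; when `prepare-shard-media` calls `amount "$partition" "sdcard"` a mount left at `/media/sdcard` from an earlier insertion is never released, so the new mount either stacks on top of it or fails, and the line should read `umount "/media/$media" 2>/dev/null`. The `mount` status is also not checked, so a failed mount still reaches `udevadm trigger`/`break` in `prepare-shard-media` and the script proceeds as if the card were available; `mount $MOUNT_OPTS "/dev/$partition" "/media/$media" || return 1` would at least surface that. `MOUNT_OPTS` is only assigned inside `discover-shard()` yet `amount()` reads it from both callers, which works today purely because `discover-shard` runs first at the bottom of the script; hoisting it to a top-level `readonly MOUNT_OPTS=...` removes that ordering dependency. The `cut -d/ -f12` extraction presumably relies on a fixed udev device-path depth for the SD slot on this hardware; a comment stating that assumption would help the next maintainer.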
|
|
|
|