Go to file
Ryan Heywood f0ec460729
configs: auto discover and mount on login
2024-02-02 22:26:35 -05:00
configs/airgap configs: auto discover and mount on login 2024-02-02 22:26:35 -05:00
.dockerignore add keyfork 2024-02-01 00:42:49 -05:00
.gitignore initial commit 2024-01-31 01:53:27 -05:00
Dockerfile add keyfork 2024-02-01 00:42:49 -05:00
Makefile add keyfork 2024-02-01 00:42:49 -05:00
PKGBUILD.keyfork keyfork: add keyfork-qrcode-scan debug binary 2024-02-02 22:26:04 -05:00
README.md README: Quick docs before incorporating into image 2024-02-02 01:57:15 -05:00

README.md

Airgap NG

A slim version of Arch Linux intended to run on airgapped (always-offline) systems. The builder runs in Docker using privileged mode.

Target Packages

Airgap NG is built for the purpose of providing an airgapped image of Keyfork. As such, it builds an Arch package for Keyfork and a local Arch package repository from which to install Keyfork. The base installation image will also include Nettle, PCSC Lite

Building

Requirements:

  • docker
  • make

The default target is the airgap image, but a different one can be specified.

config="airgap"
make "out/archlinux-baseline-arch-${config}-x86_64.iso"

Flashing

Assuming your block device is /dev/sdb:

pv < out/archlinux-baseline-arch-airgap-x86_64.iso | sudo dd of=/dev/sdb

Alternatively, if pv is not installed, the following can be run:

sudo dd if=out/archlinux-baseline-arch-airgap-x86_64.iso of=/dev/sdb

Running

Once the ISO image has been flashed to a USB drive, the drive can be used to boot Airgap Arch Linux. The following instructions have been tested on a Lenovo system but may be applicable to other systems:

Power on the device, and spam the F2 key. This will open the BIOS Setup Utility. In the BIOS Setup Utility, the "Secure Boot" option (often under a submenu "Boot") should be disabled. Save the settings (typically F10) and reboot, spamming the F12 key to open the EFI boot menu. Select the EFI USB Device option to boot Airgap Arch Linux. The default terminal should be automatically logged in as root. Once Airgap Arch Linux has been started, the boot drive may optionally be removed.

Using Keyfork: Mounting a Shardfile

This guide assumes an SD card is plugged in with a shards.pgp file. The SD card should be an unmounted card, named something like mmcblk1p1, with a single partition. There may be a similar device with multiple partitions, but that is the boot drive, and most likely does not contain the shard file. The shard partition may be mounted using:

% lsblk
NAME         MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0          7:0    0 404.8M  1 loop /run/archiso/airootfs
sda            8:0    1  57.8G  0 disk 
├─sda1         8:1    1   466M  0 part 
└─sda2         8:2    1    13M  0 part 
mmcblk0      179:0    0  58.2G  0 disk 
├─mmcblk0p1  179:1    0   260M  0 part 
├─mmcblk0p2  179:2    0    16M  0 part 
├─mmcblk0p3  179:3    0    56G  0 part 
└─mmcblk0p4  179:4    0     2G  0 part 
mmcblk0boot0 179:8    0     4M  1 disk 
mmcblk0boot1 179:16   0     4M  1 disk 
mmcblk1      179:24   0  29.7G  0 disk 
└─mmcblk1p1  179:25   0  29.7G  0 part 
% mount /dev/mmcblk1p1 /mnt

Using Keyfork: Scanning QR Codes

When running keyfork recover remote-shard or keyfork shard transport, Keyfork may prompt for a QR code to be scanned. The QR code can be a screenshot but should not be skewed (it should show up square on the phone) and should take up the width of the phone's screen. The phone should be held between two to three inches from the camera, as holding it further away may lead to a "light bleeding" effect causing the QR code to become unreadable. The phone should be held as still as possible to avoid incorporating motion blur.