forked from public/airgap
Ryan Heywood 5904a22c80 | ||
---|---|---|
audits | ||
config | ||
dist | ||
rootfs | ||
sdcard | ||
.dockerignore | ||
.gitattributes | ||
.gitignore | ||
.gitmodules | ||
Containerfile | ||
LICENSE.md | ||
Makefile | ||
README.md |
README.md
AirgapOS
https://git.distrust.co/public/airgap
About
A full-source-bootstrapped, deterministic, minimal, immutable, and offline, workstation linux distribution designed for creating and managing secrets offline.
Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.
Uses
- Generate PGP keychain
- Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
- Signing cryptocurrency transactions
- Generate/backup BIP39 universal cryptocurrency wallet seed
- Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
Features
- Deterministic iso generation for multi-party code->binary verification
- Small footprint (< 100MB)
- Immutable and Diskless: runs from initramfs
- Network support and most drivers removed to minimize exfiltration vectors
Requirements
Software
- docker 26+
Hardware
- x86_64 PC or laptop
- linuxboot/heads firmware supported and recommended for multi-use machine
- Allows for signed builds, and verification of signed sd card payloads
- Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
- linuxboot/heads firmware supported and recommended for multi-use machine
- Blank flash drive
- Blank SD card
Build
Update git submodules
git submodule update --init --recursive
Build a new release
make release
Reproduce an existing release
make attest
Sign an existing release
make sign
Provisioning
-
Write airgap.iso to CD-ROM or SD Card a.
dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress
b.cdrecord out/airgap.iso
-
Verify media still produces expected hash
sha256sum out/airgap.iso
head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
Setup
Assumes target is running Pureboot or Coreboot/heads
- Boot to shell:
Options -> Recovery Shell
- Mount SD card
mount-usb mount -o remount,rw /media
- Insert chosen GPG Smartcard device
- Initialize smartcard
gpg --card-status
- Sign target iso
cd /media gpg --armor --detach-sign airgap.iso
- Unmount
cd umount /media sync
- Reboot
Usage
- Insert remote attestation device
- Power on, and verify successful remote attestation
- Boot to airgap via: Options -> Boot Options -> USB Boot
Development
Build develop image
make
Boot image in qemu
make vm
Enter shell in build environment
make shell