https://github.com/distrust-foundation/airgap
A live buildroot based Liux distribution designed for managing secrets offline.
Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.
- Generate GPG keychain
- Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
- Signing cryptocurrency transactions
- Generate/backup BIP39 universal cryptocurrency wallet seed
- Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
- Determinsitic iso generation for multi-party code->binary verification
- Small footprint (< 100MB)
- Immutable and Diskless: runs from initramfs
- Network support and most drivers removed to minimize exfiltration vectors
- docker 18+
- Recommended: PC running coreboot-heads
- Allows for signed builds, and verification of signed sd card payloads
- Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
- Supported remote attestation key (Librem Key, Nitrokey, etc)
- Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
- Blank flash drive
- Blank SD card
```
make VERSION=1.0.0rc1 release
```
```
make VERSION=1.0.0rc1 attest
```
```
make VERSION=1.0.0rc1 sign
```
Assumes target is running Pureboot or Coreboot/heads
- Boot to shell:
Options -> Recovery Shell
- Mount SD card
mount-usb mount -o remount,rw /media
- Insert chosen GPG Smartcard device
- Initialize smartcard
gpg --card-status
- Sign target iso
cd /media gpg --armor --detach-sign airgap.iso
- Unmount
cd umount /media sync
- Reboot
- Insert remote attestation device
- Power on, and verify successful remote attestation
- Boot to airgap via: Options -> Boot Options -> USB Boot
make
make vm
make shell