hashbang / airgap

Offline LiveUSB to generate and manage secret keys for things such as gpg, certificates, and cryptocurrency

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Airgap

https://github.com/lrvick/airgap

About

A live debian based distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet.

Use Cases

  • Generate GPG keychain
  • Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

For a full list of tools included see: tools

Requirements

Software

  • ansible
  • packer

Hardware

Any x86_64 laptop known to support Linux should work.

Chromebooks are also suitable if they have been placed into developer mode and setup with Seabios so they can boot traditional linux distributions.

Be sure any Wifi/Bluetooth modules removed before the system is ever powered on for the first time. You may also want to consider sourcing the machine from a random retail store in order to avoid supply chain attacks.

Build

make all

Install

Create bootable USB drive:

gunzip -c $(ls -1 dist/airgap-20*.raw.gz) | sudo dd bs=4M of=/dev/sda status=progress oflag=dsync

Note: The above assumes /dev/sda is a flash media device of 8GB or larger.

Examples

Development

Build Debugging

PACKER_LOG=1 ANSIBLE_ARGS="-vvvv" make all

Boot image in qemu

gunzip dist/airgap-latest.raw.gz
qemu-system-x86_64 \
  -m 512M \
  -machine type=pc,accel=kvm \
  -net nic -net user,hostfwd=tcp::2222-:22
  -drive format=raw,file=$(ls -1 dist/airgap-*.raw)

Run Ansible against running VM

ansible-playbook -k -b -u airgap -i "0.0.0.0:2222," ansible/main.yml

Note: Due to fsprotect being enabled, changes will not persist through reboots.

Notes

Things are still pretty early right now. Please report issues.

Use at your own risk. You may be eaten by a grue.

Questions/Comments?

About

Offline LiveUSB to generate and manage secret keys for things such as gpg, certificates, and cryptocurrency


Languages

Language:Shell 87.5%Language:Python 11.2%Language:Makefile 1.3%