prestonvanloon / airgap

Offline LiveUSB to generate and manage secret keys for things such as gpg, certificates, and cryptocurrency

Airgap

https://github.com/lrvick/airgap

About

A live, Debian-based distribution designed for managing secrets offline.

Built for those of us who want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet.

Use Cases

  • Generate GPG keychain
  • Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Tools

Hardware Security Modules

  • btchip: Utilities to interact with Ledger hardware wallets
  • trezorctl: Utilities to interact with Trezor hardware wallet
  • keepkeyctl: Utilities to interact with Keepkey hardware wallets
  • yubico-piv-tool: Interact with PIV application on Yubikey
  • yubikey-hsm: Manage YubiHSM Hardware Security Modules for servers.
  • yhsm-tools: Various utilities for use of YubiHSM.
  • yubikey-personalization: Various settings management for yubikeys.
  • ykneomgr: Modify settings for Yubikey Neo

Cryptocurrency

  • gen-hdwallet: Simple script to export a BIP44 wallet as JSON
  • bip32-utils: Generate/manage BIP32 cryptocurrency wallets
  • bx: Bitcoin tools for signing transactions, managing keys, etc.
  • electrum: Utilities for popular bitcoin wallet format

Entropy

  • haveged: Daemon that acts as a software random number generator
  • rng-tools: Daemon that supports many different hardware TRNG devices
  • infnoise: Fetch entropy from the Infinite Noise TRNG

Cryptography

  • gen-gpgchain: Generate an RSA-4096 GPG keychain suitable for a hardware token
  • gnupg: Perform PGP operations for local keys or smartcards
  • scrypt: Create password-based key derivations using the scrypt algorithm
  • ssdeep: Recursive piecewise hashing tool
  • hash-slinger: Create TLSA records for the DANE protocol
  • seccure: Tools for elliptic curve cryptography
  • monkeysphere: Utilities for extended use cases of OpenPGP
  • pgpgpg: Wrapper for using GnuPG in programs designed for PGP
  • signing-party: Various OpenPGP related tools for assisting with signing.
  • pius: Quick and easy signing of each UID on a PGP keyring
  • ssl-cert: Simple debconf wrapper for OpenSSL
  • openssl: Secure Socket Layer (SSL) binary and related cryptographic tools
  • gpgv: GNU privacy guard - signature verification tool
  • pgpdump: PGP packet visualizer
  • keyringer: Distributed secret management using GnuPG and Git
  • keyutils: Linux Key Management Utilities

Backup

  • ssss: Backup secrets into parts shared with multiple trusted individuals
  • paperkey: Backup PGP key to paper in a human friendly format
  • qrencode: Render data as QR code for easy transfer to mobile device
  • duplicity: GPG encrypted backup solution
  • rsync: Fast, versatile, remote (and local) file-copying tool

Password Management

  • pass: Simple text file based password manager based on GPG and Git
  • cpm: Curses based password manager using PGP
  • kpcli: Interact with KeePassX password manager databases
  • pwman3: Console password management application
  • passwordmaker-cli: Creates unique, secure passwords - CLI version
  • apg: Automated Password Generator - Standalone version
  • libpwquality-tools: Tools for password quality checking and generation
  • pwgen: Automatic Password generation
  • donkey: One Time Password calculator
  • otpw-bin: Generate One Time Password lists
  • hashalot: Read and hash a passphrase
  • yapet: Yet Another Password Encryption Tool

Password Recovery

  • hydra: Very fast logon cracker
  • pdfcrack: PDF files password cracker.
  • fcrackzip: password cracker for zip archives
  • rarcrack: Password cracker for rar archives
  • ophcrack-cli: Microsoft Windows password cracker using rainbow tables
  • chntpw: NT SAM password recovery utility
  • john: Active password list creation and cracking tool
  • crack: Password guessing program
  • lcrack: A generic password cracker
  • nasty: recover the passphrase of your PGP or GPG-key

Release Management

  • twine: Prepare/Sign Python packages
  • debsigs: Sign Debian packages

RFID / NFC

  • mfoc: MIFARE Classic offline key cracker
  • mfcuk: MiFare Classic Universal toolKit (MFCUK)
  • libfreefare: Mifare/desfire manipulation tools
  • nfctool: Manage NFC devices and read/write tags via neard.
  • neard: Near Field Communication (NFC) management daemon
  • ndeftool: Create/Manipulate NDEF formatted packets
  • libchipcard-tools: Tools for accessing chipcards
  • rfdump: Tool to decode RFID tag data

Utilities

  • vim: Vi IMproved - enhanced vi editor
  • emacs: GNU Emacs editor (metapackage)
  • nano: Small, friendly text editor inspired by Pico
  • p7zip: 7z file archiver with high compression ratio
  • jq: Extract, manipulate, or create JSON
  • tmux: Terminal window manager and multiplexer
  • ncdu: Ncurses disk usage viewer
  • glances: CLI curses based monitoring tool
  • htop: Interactive processes viewer/manager
  • strace: A system call tracer
  • gdb: The GNU Debugger
  • guncat: Concatenates files while decrypting PGP-encrypted sections
  • zfsnap: Automatic snapshot creation and removal for ZFS
  • zfs-fuse: ZFS on FUSE
  • usbutils: Examine attached USB devices

Programming Languages

  • python: interactive high-level object-oriented language
  • nodejs: evented I/O for V8 javascript
  • perl: Larry Wall's Practical Extraction and Report Language

Install

Download:

wget https://github.com/lrvick/airgap/releases/download/v0.0.2/airgap-201709130827.raw.gz
wget https://github.com/lrvick/airgap/releases/download/v0.0.2/airgap-201709130827.raw.gz.sig

Verify:

gpg --recv-key 8E47A1EC35A1551D
gpg --verify airgap-201709130827.raw.gz.sig

A key ID fetched from a keyserver only shows that some key with that ID signed the file. Compare the full fingerprint gpg prints against one obtained from the author over a second channel before trusting the signature.

Create bootable USB drive:

gunzip -c airgap-201709130827.raw.gz | pv | sudo dd bs=1M of=/dev/sda conv=fdatasync

Note: The above assumes /dev/sda is a flash media device of 8GB or larger. On many machines /dev/sda is the internal disk; confirm the device name with lsblk first, because dd overwrites the target without asking.
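As an added example (not part of the airgap project or its README), the POSIX shell functions below wrap the verify-and-write step with a guard that refuses to write unless the target is a removable whole-disk device of at least 8 GiB according to sysfs. The image name, the device name sdb and the sysfs-root parameter are assumptions for illustration; the signing key must already be in the keyring from the step above.

```sh
#!/bin/sh
# Added example, not from the airgap project: refuse to dd the image onto a
# disk that is not a removable device of the expected size, then verify the
# release signature and write it. The sysfs root is a parameter (default /sys)
# so the check can be exercised against a constructed directory tree.

# is_safe_target DEV [MIN_GIB] [SYSROOT]
# Returns 0 when SYSROOT/block/DEV reports removable=1 and a capacity of at
# least MIN_GIB GiB (sysfs "size" is counted in 512-byte sectors).
is_safe_target() {
  dev="$1"
  min_gib="${2:-8}"
  sysroot="${3:-/sys}"
  block="$sysroot/block/$dev"
  if [ ! -r "$block/removable" ] || [ ! -r "$block/size" ]; then
    echo "is_safe_target: $dev is not a known whole-disk block device" >&2
    return 1
  fi
  if [ "$(cat "$block/removable")" != "1" ]; then
    echo "is_safe_target: $dev is not removable (system disk?), refusing" >&2
    return 1
  fi
  sectors=$(cat "$block/size")
  min_sectors=$((min_gib * 2097152))   # 1 GiB = 2^21 sectors of 512 bytes
  if [ "$sectors" -lt "$min_sectors" ]; then
    echo "is_safe_target: $dev is smaller than ${min_gib} GiB" >&2
    return 1
  fi
  return 0
}

# write_image IMAGE.raw.gz DEV
# Verifies IMAGE.raw.gz.sig against IMAGE.raw.gz with gpg (the signing key
# must already be imported), then streams the decompressed image to /dev/DEV
# only if the target passed is_safe_target.
write_image() {
  image="$1"
  dev="$2"
  gpg --verify "$image.sig" "$image" || return 1
  is_safe_target "$dev" 8 || return 1
  gunzip -c "$image" | sudo dd bs=1M "of=/dev/$dev" conv=fdatasync
}

# Usage on a real system (assumes the v0.0.2 image name and that sdb is the stick):
#   write_image airgap-201709130827.raw.gz sdb
```

Partitions such as sda1 have no entry under /sys/block, so the guard also refuses them, which is the right outcome: the image carries its own partition table and must be written to the whole device.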

Examples

HD Cryptocurrency Wallet

Start Hardware Entropy Generator (Optional)

If you want to be extra paranoid you can use a hardware random number generator such as an Infinite Noise or a TrueRNG.

This removes the dependence on the kernel's software random number generator: if that generator were flawed or seeded predictably, an attacker could reproduce any secret key you generate during this process.

In the case of an Infinite Noise device you can insert it and run:

sudo infnoise --dev-random &

Generate 24 Word Mnemonic Seed

Option 1: Symmetric Encryption (Passphrase)

bx seed -b 256 | bx mnemonic-new | gpg -ac > mnemonic.asc

Option 2: Asymmetric Encryption (To imported public key)

You will need to copy your GPG public key to a flash drive on another system. Note that the mnemonic can then only be recovered with the matching private key, so that key needs a backup of its own.

Assuming the drive is /dev/sda you could do:

mount /dev/sda1 /mnt/
gpg --import /mnt/your-pubkey.asc
bx seed -b 256 | bx mnemonic-new | gpg -aer 0xYOURKEYID > mnemonic.asc

Backup

Option 1: Flash Drive

Identify attached flash drive:

lsblk

Format (assuming the drive is /dev/sdb; read the lsblk output carefully, since the live USB you booted from is also a flash drive):

sudo mkfs.ext4 /dev/sdb

Mount filesystem:

sudo mkdir /mnt/backup
sudo mount /dev/sdb /mnt/backup

Copy backup file:

sudo cp mnemonic.asc /mnt/backup/

Unmount drive:

sudo umount /mnt/backup
Option 2: NFC Tag

A MIFARE Classic 1K tag holds well under 1 KB of NDEF payload, and an armored message encrypted to an RSA-4096 public key (Option 2 above) may not fit. Always read the tag back and confirm it decrypts before relying on it.

Convert GPG to NDEF:

ndeftool text "$(cat mnemonic.asc)" save mnemonic.ndef

Write NDEF

Mifare Classic tag:

mifare-classic-write-ndef -y -i mnemonic.ndef

Forum 2 tag:

tagtool load mnemonic.ndef

Read NDEF

Mifare Classic tag:

mifare-classic-read-ndef -y -o mnemonic.ndef

Forum 2 tag:

tagtool dump -o mnemonic.ndef

Convert NDEF to GPG:

ndeftool load mnemonic.ndef print | sed 's/^[^-]\+\-/-/g' > mnemonic.asc

Decrypt GPG:

gpg -d mnemonic.asc
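The single sed substitution above only strips text before the first dash on each line. As an added example that is not the project's own code, the functions below extract the armored message between its BEGIN and END markers regardless of what the tag tool prints around them, and check that the armor is intact before handing it to gpg. They assume only that the dump keeps the armor lines on separate lines; the file names are placeholders.

```sh
#!/bin/sh
# Added example, not from the airgap project: recover the ASCII-armored
# mnemonic from a tag dump and sanity-check the armor before decryption.
# Assumes the dump contains the armor lines in order, one per line, possibly
# with record metadata before the BEGIN marker and after the END marker.

# extract_armor DUMPFILE
# Prints the lines from BEGIN PGP MESSAGE through END PGP MESSAGE, with
# anything before the BEGIN marker or after the END marker on those two
# lines stripped off.
extract_armor() {
  sed -n '/-----BEGIN PGP MESSAGE-----/,/-----END PGP MESSAGE-----/{
s/^.*\(-----BEGIN PGP MESSAGE-----\)/\1/
s/\(-----END PGP MESSAGE-----\).*$/\1/
p
}' "$1"
}

# check_armor FILE
# Returns 0 if FILE starts with the BEGIN line, ends with the END line and
# holds exactly one message. A truncated or partially overwritten tag fails
# here instead of producing a confusing gpg error.
check_armor() {
  f="$1"
  if [ "$(head -n 1 "$f")" != "-----BEGIN PGP MESSAGE-----" ]; then
    echo "check_armor: $f does not start with a PGP MESSAGE header" >&2
    return 1
  fi
  if [ "$(tail -n 1 "$f")" != "-----END PGP MESSAGE-----" ]; then
    echo "check_armor: $f is missing the END line (truncated tag?)" >&2
    return 1
  fi
  if [ "$(grep -c -e '-----BEGIN PGP MESSAGE-----' "$f")" -ne 1 ]; then
    echo "check_armor: $f holds more than one message" >&2
    return 1
  fi
  return 0
}

# restore_mnemonic DUMPFILE OUTFILE
# Extract and check the armor, then decrypt with gpg as on the page.
restore_mnemonic() {
  extract_armor "$1" > "$2"
  check_armor "$2" || return 1
  gpg -d "$2"
}

# Usage after reading the tag back (file names are placeholders):
#   ndeftool load mnemonic.ndef print > dump.txt
#   restore_mnemonic dump.txt mnemonic.asc
```

The check runs before gpg so that a tag that was too small for the message, or that was only partly written, is reported as such rather than as a generic decryption failure.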

Initialize Hardware Wallet

Trezor
trezorctl recovery_device -w 24 -t matrix
Keepkey
keepkeyctl recovery_device -w 24
Ledger

You will need to choose a PIN code.

Assuming you choose PIN 12345678 (substitute your own as the fifth argument; a comment placed before the trailing backslash would break the line continuation, so the PIN line carries none):

btchip_setup \
  "WALLET" \
  "RFC6979" \
  "" \
  "" \
  "12345678" \
  "" \
  "QWERTY" \
  "$(bx mnemonic-to-seed --language en $(gpg -d mnemonic.asc))" \
  "" \
  ""

The inner $(gpg -d mnemonic.asc) is deliberately unquoted so the shell splits the mnemonic into one argument per word, which is the form bx mnemonic-to-seed expects.

Development

To build an image suitable for a liveusb do:

make all

Boot image in qemu

gunzip dist/airgap-latest.raw.gz
qemu-system-x86_64 \
  -m 512M \
  -machine type=pc,accel=kvm \
  -drive format=raw,file=$(ls -1 dist/airgap-*.raw)

Notes

Things are still pretty early right now. Please report issues.

Use at your own risk. You may be eaten by a grue.

Questions/Comments?

Reach out to me on IRC at:
