- Shell 56.5%
- Dockerfile 32.1%
- Makefile 9.1%
- Python 2.3%
| audits | Updated cure53 audit with corrected authors list | |
| dist | Release 2026020 | |
| sdcard | Virtual sd card support | |
| src | host/etc/profile: specify TERM=linux-16color when TERM like linux | |
| .dockerignore | Create .dockerignore, symlinked from .gitignore | |
| .gitattributes | track dist/airgap.iso in lfs | |
| .gitignore | ignore additional folders | |
| .gitmodules | refactor: replace buildroot/toolchain with stagex | |
| Containerfile | host: add tmux, drop into tmux by default on console | |
| LICENSE.md | add MIT license | |
| Makefile | Makefile: add system-vm target and GUI=true option | |
| README.md | fix readme with make reproduce command | |
AirgapOS
https://git.distrust.co/public/airgap
About
A full-source-bootstrapped, deterministic, minimal, immutable, and offline, workstation linux distribution designed for creating and managing secrets offline.
Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.
Uses
- Generate PGP keychain
- Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
- Signing cryptocurrency transactions
- Generate/backup BIP39 universal cryptocurrency wallet seed
- Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
Features
- Deterministic iso generation for multi-party code->binary verification
- Small footprint (< 100MB)
- Immutable and Diskless: runs from initramfs
- Network support and most drivers removed to minimize exfiltration vectors
Requirements
Software
- docker 26+
Hardware
- x86_64 PC or laptop
- linuxboot/heads firmware supported and recommended for multi-use machine
- Allows for signed builds, and verification of signed sd card payloads
- Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
- linuxboot/heads firmware supported and recommended for multi-use machine
- Blank flash drive
- Blank SD card
Build
Update git submodules
git submodule update --init --recursive
Build a new release
make release
Reproduce an existing release
make reproduce
Sign an existing release
make sign
Provisioning
-
Write airgap.iso to CD-ROM or SD Card a.
dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progressb.cdrecord out/airgap.iso -
Verify media still produces expected hash
sha256sum out/airgap.iso
head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
Setup
Assumes target is running Pureboot or Coreboot/heads
- Boot to shell:
Options -> Recovery Shell - Mount SD card
mount-usb mount -o remount,rw /media - Insert chosen GPG Smartcard device
- Initialize smartcard
gpg --card-status - Sign target iso
cd /media gpg --armor --detach-sign airgap.iso - Unmount
cd umount /media sync - Reboot
Usage
- Insert remote attestation device
- Power on, and verify successful remote attestation
- Boot to airgap via: Options -> Boot Options -> USB Boot
Development
Build develop image
make
Boot image in qemu
make vm
Enter shell in build environment
make shell
Hardware Compatibility
Tested Models
-
Purism Librem 14
-
HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD 179ドル.99
-
Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD 379ドル.99
Disabling Secure Boot
AirgapOS can't be booted using secure boot. Therefore it has to be disabled. Alternative systems like Heads may be used.
Instructions to Disable Secure Boot in BIOS
-
Restart your computer
-
Enter BIOS/UEFI Setup:
- As your computer starts up, press the appropriate key to enter the BIOS/UEFI setup. Common keys include:
- F2 (Dell, Acer, Lenovo)
- Delete (ASUS, MSI)
- F10 (HP)
- Esc (Some systems)
- You may see a prompt on the screen indicating which key to press
- As your computer starts up, press the appropriate key to enter the BIOS/UEFI setup. Common keys include:
-
Navigate to the Secure Boot Option:
- Once in the BIOS/UEFI setup, use the arrow keys to navigate through the menus. Look for a tab or section labeled "Boot," "Security," or "Authentication."
- The exact location of the Secure Boot option can vary, so you may need to explore a bit
-
Locate Secure Boot:
- Find the Secure Boot option within the selected menu. It may be listed as "Secure Boot Control" or simply "Secure Boot."
-
Disable Secure Boot:
- Select the Secure Boot option and change its setting to Disabled. This is usually done by pressing Enter and then selecting Disabled from the options.
-
Save Changes and Exit:
- After disabling Secure Boot, navigate to the Exit tab or section.
- Choose the option to Save Changes and Exit. Confirm any prompts that appear to save your changes.
-
Reboot Your Computer:
- Your computer will restart. Secure Boot should now be disabled.