Archived
3
0
Fork
You've already forked airgap
0
This repository has been moved to https://git.distrust.co/public/airgap
This repository has been archived on 2023年07月28日. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
  • Shell 61.6%
  • Makefile 38.4%
2023年02月28日 12:44:06 -08:00
audits Updated cure53 audit with corrected authors list 2021年11月04日 15:23:16 -07:00
config don't overwrite VERSION in /etc/environment 2023年02月15日 04:52:28 -08:00
dist add Matthew Brooks PGP signature 2023年02月28日 12:44:06 -08:00
src update toolchain 2023年02月24日 13:31:37 -08:00
.dockerignore Create .dockerignore, symlinked from .gitignore 2021年06月20日 18:39:14 -04:00
.gitattributes lfs track dist/*.iso 2023年02月12日 16:58:40 -08:00
.gitignore compatibility fixes with new toolchain version 2023年02月12日 03:00:11 -08:00
.gitmodules use https for toolchain submodule 2023年02月13日 12:31:04 -08:00
LICENSE.md add MIT license 2021年02月25日 12:24:46 -08:00
Makefile RELEASE_DIR -> DIST_DIR 2023年02月13日 04:01:16 -08:00
README.md document simplified build commands 2023年02月12日 03:01:53 -08:00

AirgapOS

https://github.com/distrust-foundation/airgap

About

A live buildroot based Liux distribution designed for managing secrets offline.

Built for those of us that want to be -really- sure our most important secrets are managed in a clean environment with an "air gap" between us and the internet with high integrity on the supply chain of the firmware and OS used.

Uses

  • Generate GPG keychain
  • Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
  • Signing cryptocurrency transactions
  • Generate/backup BIP39 universal cryptocurrency wallet seed
  • Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger

Features

  • Determinsitic iso generation for multi-party code->binary verification
  • Small footprint (< 100MB)
  • Immutable and Diskless: runs from initramfs
  • Network support and most drivers removed to minimize exfiltration vectors

Requirements

Software

  • docker 18+

Hardware

  • Recommended: PC running coreboot-heads
    • Allows for signed builds, and verification of signed sd card payloads
    • Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
  • Supported remote attestation key (Librem Key, Nitrokey, etc)
  • Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
  • Blank flash drive
  • Blank SD card

Build

Build a new release

```
make release
```

Reproduce an existing release

```
make attest
```

Sign an existing release

```
make sign
```

Setup

Assumes target is running Pureboot or Coreboot/heads

  1. Boot to shell: Options -> Recovery Shell
  2. Mount SD card
    mount-usb
    mount -o remount,rw /media
    
  3. Insert chosen GPG Smartcard device
  4. Initialize smartcard
    gpg --card-status
    
  5. Sign target iso
    cd /media
    gpg --armor --detach-sign airgap.iso
    
  6. Unmount
    cd
    umount /media
    sync
    
  7. Reboot

Usage

  1. Insert remote attestation device
  2. Power on, and verify successful remote attestation
  3. Boot to airgap via: Options -> Boot Options -> USB Boot

Development

Build develop image

make

Boot image in qemu

make vm

Enter shell in build environment

make shell