Provision AirgapOS

Requirements

  • Tamper proofing equipment

  • SD card(s)

  • 2 Computers

Procedure

  1. Turn on one of the computers - this one will be used for writing the SD cards

  2. Build the software according to the readme in the repository.

  3. Use the make reproduce command

  4. Unseal the SD Card Pack

    Vacuum sealing based tamper proofing

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

    Safe based tamper proofing
    1. Inspect the safe for any signs of tampering

    2. Retrieve items from the safe

  5. Label each SD card that will be used "AirgapOS [date]"

  6. Place all the SD cards into High Visibility Storage

  7. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built

  8. Look for the SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX, where X is a letter (e.g., /dev/sdb, /dev/sdc), or as /dev/mmcblk<num>. You can identify it by its size or by checking whether it has a partition (like /dev/sdX1).

    • Mount the device using: sudo mount /dev/<device_name> /media
  9. Hash the .iso file and make note of it (it will be required later)

    • sha256sum out/airgap.iso
  10. Flash airgap.iso to an SD Card:

    • dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync
  11. Reset the computer, and boot the SD card

  12. Once booted, the card needs to be locked using sdtool which is available in AirgapOS:

    • Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk
  13. ./sdtool /dev/<device_name> permlock

  14. Once burned, unplug the SD card

  15. Plug the SD card into a different computer from the one that was used to write the SD card

  16. Boot the computer

  17. Open a terminal

  18. Verify the card can't be written to:

    • echo "42" | dd of=/dev/<device_name>
  19. Verify the contents on the SD card match the recorded hash

    • Build AirgapOS once more according to the readme in the repository.

      • Ensure it's the same version as in the previous step
    • head -c $(stat -c '%s' out/airgap.iso) /dev/<device_name> | sha256sum

    • Additionally, the user can refer to the StageX hashes of AirgapOS for a given version

    Vacuum sealing based tamper proofing
    1. Insert object(s) into plastic sealing bag

    2. Fill bag with enough plastic beads that most of the object is surrounded

    3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

    4. Take photographs of both sides of the sealed object using both the digital and polaroid camera

    5. Date and sign the polaroid photographs and store them in a local lock box

    6. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.

    Safe based tamper proofing
    1. Place items into safe

    2. Ensure the safe is properly locked
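
The hash comparison from steps 9 and 19, wrapped in a script so that a mismatch fails loudly. This is an added example, not code from the AirgapOS repository; the function names are hypothetical, and selftest uses constructed files in place of the ISO and the card.

```shell
#!/bin/sh
# Added example, not from the AirgapOS repository. Function names are
# hypothetical. Automates the comparison in steps 9 and 19.

# Hash only the first <image size> bytes of the card: the card is larger
# than the image, and the space past the image is not part of the ISO.
device_prefix_hash() {
    size=$(stat -c '%s' "$1") || return 2
    head -c "$size" "$2" | sha256sum | cut -d' ' -f1
}

# verify_card IMAGE DEVICE RECORDED_HASH
# Succeeds only if the rebuilt image and the card both match the hash
# recorded before flashing.
verify_card() {
    image_hash=$(sha256sum "$1" | cut -d' ' -f1)
    card_hash=$(device_prefix_hash "$1" "$2") || return 2
    if [ "$image_hash" != "$3" ]; then
        echo "FAIL: rebuilt image differs from recorded hash" >&2; return 1
    fi
    if [ "$card_hash" != "$3" ]; then
        echo "FAIL: card contents differ from recorded hash" >&2; return 1
    fi
    echo "OK: $card_hash"
}

# Constructed sample data: regular files stand in for the ISO and the card.
selftest() {
    dir=$(mktemp -d) || return 2
    printf 'constructed image bytes' > "$dir/airgap.iso"
    recorded=$(sha256sum "$dir/airgap.iso" | cut -d' ' -f1)
    # A good card: the image followed by unrelated trailing bytes.
    { cat "$dir/airgap.iso"; printf 'old data past the image'; } > "$dir/card"
    # A tampered card: one byte inside the image region changed.
    { printf 'Constructed image bytes'; printf 'old data'; } > "$dir/bad"
    rc=0
    verify_card "$dir/airgap.iso" "$dir/card" "$recorded" >/dev/null || rc=1
    verify_card "$dir/airgap.iso" "$dir/bad" "$recorded" >/dev/null 2>&1 && rc=1
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh verify_card.sh out/airgap.iso /dev/<device_name> <recorded hash>
if [ "$#" -eq 3 ]; then verify_card "$1" "$2" "$3"; fi
```

A card shorter than the image, or one that cannot be read, produces a different hash and is reported as a failure rather than passing silently.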