Provision Entropy & PGP Keypair

This step does two things:

  1. Establishes the root entropy

  2. Derives a PGP key which is used for protecting data

Requirements

Procedure

  1. Boot AirgapOS Laptop

  2. Insert an SD card into the system

  3. Change working directory to SD card mount location

    $ cd /media/TRANSFER
    
  4. Insert all smartcards to be provisioned into the system.

  5. Set the expiry time via an environment variable; replace 2y with the desired value:

    $ export KEYFORK_OPENPGP_EXPIRE=2y
    
  6. Generate a mnemonic, and shard (encrypt) it to the newly-generated key:

    Ensure the User ID is your name and your email.

    $ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
    

    The --provision-count option can be used to ensure the correct number of smartcards is provisioned; the program will error if the number of smartcards available does not equal the count requested.

    Note: The PIN can't use sequential numbers, characters or repeated patterns.


    Alternatively, if the user wants to see the mnemonic and encrypt it in a different manner, the --encrypt-to-self encrypted.asc portion of the command can be omitted and the output piped to a file by appending > mnemonic.txt to the end of the command.

    $ keyfork mnemonic generate --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"' > mnemonic.txt
    
  7. Plug in a fresh SD card and save the data you wish to store (encrypted.asc, <key_id>.asc, mnemonic.txt.asc, mnemonic.txt, etc.)

    • WARNING: If you store your mnemonic in plaintext, anyone who gains access to it fully compromises your Trove system.

  8. Power down AirgapOS Laptop
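A pre-shutdown audit of the transfer SD card that catches the step 7 warning before the laptop is powered off. This is an added example, not part of keyfork or Trove; it assumes the mnemonic is written as one line of space-separated lowercase words and that file names follow step 7 (encrypted.asc, <key_id>.asc, mnemonic.txt.asc).

```shell
#!/bin/sh
# Audit the transfer card before step 8: only ASCII-armored (encrypted or
# public-key) material should leave the airgap; a plaintext mnemonic must not.

# Exit 0 if the file contains a line of 12/15/18/21/24 lowercase words,
# the valid BIP39 mnemonic lengths (assumes a single-line mnemonic).
looks_like_mnemonic() {
  awk '/^[a-z]+( [a-z]+)*$/ && (NF == 12 || NF == 15 || NF == 18 || NF == 21 || NF == 24) { found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 if the file starts with an ASCII-armored OpenPGP header.
is_armored() {
  head -n 1 "$1" | grep -q '^-----BEGIN PGP '
}

# Check every regular file directly under the directory.
# Returns 0 when an armored encrypted.asc exists and no plaintext
# mnemonic is present, 1 otherwise (with each finding printed to stderr).
audit_transfer_dir() {
  dir="$1"
  status=0
  if [ ! -f "$dir/encrypted.asc" ] || ! is_armored "$dir/encrypted.asc"; then
    echo "FAIL: $dir/encrypted.asc missing or not an armored PGP message" >&2
    status=1
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    is_armored "$f" && continue
    if looks_like_mnemonic "$f"; then
      echo "FAIL: $f holds a plaintext mnemonic; whoever holds this card can rebuild every derived key" >&2
      status=1
    fi
  done
  return $status
}

# Constructed demo: an encrypted backup plus a stray plaintext copy of the mnemonic.
demo="$(mktemp -d)"
printf '%s\n' '-----BEGIN PGP MESSAGE-----' '' 'wcBMAconstructed' '-----END PGP MESSAGE-----' > "$demo/encrypted.asc"
printf '%s\n' 'abandon ability able about above absent absorb abstract absurd abuse access accident' > "$demo/mnemonic.txt"
if audit_transfer_dir "$demo"; then echo "card is clean"; else echo "card needs attention before powering down"; fi
rm -rf "$demo"
```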