Personal PGP Key Provisioning

Requirements

  • AirgapOS SD card

  • AirgapOS Laptop

  • Linux Workstation (online machine)

    • Any internet connected computer with a Linux shell will suffice

  • 1+ Smart Card

    • At least 1 primary smart card
    • Any number of backup smart cards

  • 1 Transfer SD card

    • Document will assume the card is labelled as "TRANSFER"

Process

  1. If using pre-sealed Cold Bundle unseal as follows:

    Vacuum sealing based tamper proofing

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

    Safe based tamper proofing

    1. Inspect the safe for any signs of tampering

    2. Retrieve items from the safe

  2. Boot AirgapOS Laptop

  3. Insert an SD card into the system

  4. Change working directory to SD card mount location

    $ cd /media/TRANSFER

  5. Insert all smartcards to be provisioned into the system.

  6. Set expiry time via environment variable - you can update 2y to desired value:

    $ export KEYFORK_OPENPGP_EXPIRE=2y

  7. Generate a mnemonic, and shard (encrypt) it to the newly-generated key:

    Ensure the User ID is your name and your email.

    $ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'

    The --provision-count option can be provided to ensure the correct amount of smartcards is provisioned - the program will error if the amount of smartcards available is not equal to the count requested.

    Note: The PIN can't use sequential numbers, characters or repeated patterns.

    Alternatively, if the user wants to see the mnemonic, and encrypt it in a different manner, the --encrypt-to-self encrypted.asc portion of the command can be ommited and the command piped into a file by appending > mnemonic.txt to the end of the command.

    $ keyfork mnemonic generate --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"' > mnemonic.txt

  8. Power down AirgapOS Laptop

  9. Switch to Linux Workstation

  10. Attach SD card from AirgapOS machine

  11. Attach smartcard provisioned with AirgapOS machine

  12. Import newly generated public key into local keychain

    $ gpg --import /media/TRANSFER/*.pub.asc

  13. Retrieve the value of your PGP key ID from smartcard

    gpg --card-status

  14. Configure git to sign commits with smartcard

    $ git config --global user.name <name>
$ git config --global user.email <email>
$ git config --global user.signingKey <pgp_key_id>
$ git config --global commit.gpgsign true
$ git config --global commit.merge true

  15. Configure ssh to authenticate with smartcard

    $ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' > ~/.bashrc
$ source ~/.bashrc

    Note: If you use another shell such as zsh, adjust acccordingly

  16. Push new key material to Vaults repository

    a. Clone repository (if not done previously)

    $ git clone <vaults_repository_url> ~/trove

    b. Checkout main branch

    $ cd ~/trove
$ git checkout main
$ git pull origin main

    c. Commit and push modifications

    $ cp /media/TRANSFER/*.asc keys/all
$ git add .
$ git commit -S -m "add <name> pgp key"
$ git push origin main

  17. Communicate your new key fingerprint to all other participants:

    • Preferred: In person

    • Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)

  18. Get confirmation they have imported your key to their keychains

    • e.g. gpg --import <your_key_id>.asc
    • Confirm this is done for keyrings on workstations used to interact with the Vaults repository