AirgapOS

Requirements

• 2 individuals with appropriate role

  • Each needs a Personal PGP key pair

• Tamper-proofing equipment

• Tamper proofing evidence (photographs)

• SD Card Pack(s)

• High Visibility Storage

• 2 Computers

  • 1 computer should be able to boot AirgapOS (compatibility reference)

Procedure

1. Turn on one of the computers - this one will be used for writing the SD cards

2. Build the software according to the readme in the repository.

3. Use the make reproduce command

4. Unseal the SD Card Pack

   Vacuum sealing based tamper proofing

   a. Retrieve digital/physical photographs of both sides of sealed bundle

   b. Compare all photographs to object for differences

   c. Proceed with unsealing the object if no differences are detected

   Safe based tamper proofing

   1. Inspect the safe for any signs of tampering

   2. Retrieve items from the safe

5. Label each SD card that will be used "AirgapOS [date]"

6. Place all the SD cards into High Visibility Storage

7. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built

8. Look for the SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

   • Mount the device using: sudo mount /dev/<device_name> /media

9. Flash airgap.iso to an SD Card:

   • dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync

10. Reset the computer, and boot the SD card

11. Once booted, the card needs to be locked using sdtool which is available in AirgapOS:

    • Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk

12. ./sdtool /dev/<device_name> permlock

13. Once burned, unplug the SD card

14. Plug the SD card into a different computer from the one that was used to write the SD card

15. Boot the computer

16. Open a terminal

17. Verify the card can't be written to:

    • echo "42" | dd of=/dev/<device_name>
    Vacuum sealing based tamper proofing

    1. Insert object(s) into plastic sealing bag

    2. Fill bag with enough plastic beads that most of the object is surrounded

    3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

    4. Take photographs of both sides of the sealed object using both the digital and polaroid camera

    5. Date and sign the polaroid photographs and store them in a local lock box

    6. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.

    Safe based tamper proofing

    1. Place items into safe

    2. Ensure the safe is properly locked