Overview

Quickstart / Testing it

Code

The project is in Git. To make a clean room CD/DVD, fetch it and run it like this:

sudo apt-get install git live-build debootstrap growisofs rsync
git clone https://anonscm.debian.org/git/collab-maint/make-pgp-clean-room.git
cd make-pgp-clean-room
./scripts/make-pgpcleanroom

You can also browse the repository online.

Known risks

There is no perfect security. The proposed solution aims to provide strong security. There are known risks that users have to manage using their own knowledge and experience:

Packages

Packages to install

Packages to modify

Packages to omit

Parameters

Default parameters in a configuration file. Eventually offer an advanced menu for users to change the parameters at runtime.

Flash card layout

Filesystem: ext4? btrfs?

Private key flash

master/${FINGERPRINT}/*        -- GnuPG home directory for private key identified by ${FINGERPRINT}

Public key interchange flash

master/${FINGERPRINT}.asc        -- Public key export for private key identified by ${FINGERPRINT}

signing/pending/${FINGERPRINT}.asc        -- key to be signed

signing/done/${FINGERPRINT}.asc           -- signed key

Alternative flash card layouts

Use Shamir secret sharing: libgfshare or keysafe (tutorial).

Workflow

ls /proc/sys/net/ipv4/conf | grep -Ev '^(lo|all)$'

ls /dev/disk/by-label/PGPMK*

ls /dev/disk/by-id/usb-*

First time workflow

This workflow is used if there are no flash drives containing an existing master key.

$ cat > ~/.gnupg/gpg.conf << !
no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
!

Subsequent workflow

This workflow is used if a flash drive is detected with an existing master key on it.
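
The checks implied by the Workflow commands and the flash card layout above, as an added example (not part of the project's scripts): it lists network interfaces that would break the air gap, picks the first-time or subsequent workflow from the master/ directory, and lists keys still waiting in signing/pending/. The function names, the mount-point arguments, the extra exclusion of the "default" entry and the 40-hex-digit fingerprint check are assumptions.

```shell
#!/bin/sh
# Added example; function names and directory arguments are hypothetical.

# Interfaces other than loopback. "all" and "default" are kernel
# pseudo-entries in this directory, not real interfaces.
extra_interfaces() {
    ls "${1:-/proc/sys/net/ipv4/conf}" 2>/dev/null | grep -Ev '^(lo|all|default)$'
}

# True only when nothing but loopback exists.
air_gapped() {
    [ -z "$(extra_interfaces "${1:-}")" ]
}

# Assumption: fingerprints are 40 hex digits (OpenPGP v4).
is_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Fingerprints with a GnuPG home under master/ on the private key flash ($1 = mount point).
master_fingerprints() {
    for d in "$1"/master/*/; do
        fp=$(basename "$d")
        if [ -d "$d" ] && is_fingerprint "$fp"; then echo "$fp"; fi
    done
}

# "subsequent" if an existing master key is present, otherwise "first-time".
select_workflow() {
    if [ -n "$(master_fingerprints "$1")" ]; then echo subsequent; else echo first-time; fi
}

# Keys in signing/pending/ with no signed counterpart in signing/done/ ($1 = interchange flash).
pending_keys() {
    for f in "$1"/signing/pending/*.asc; do
        fp=$(basename "$f" .asc)
        if [ -f "$f" ] && is_fingerprint "$fp" && [ ! -e "$1/signing/done/$fp.asc" ]; then
            echo "$fp"
        fi
    done
}

# Refuse to touch key material while any non-loopback interface exists.
preflight() {
    if ! air_gapped; then
        echo "network interfaces present:" >&2; extra_interfaces >&2; return 1
    fi
    echo "workflow: $(select_workflow "$1")"
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the mount point of the private key flash as its only argument; with no argument it only defines the functions.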

Finishing session

Networked application workflow

This application runs on a networked computer:

Smartcard initialization

Implementation

Actions required

Other points for discussion and wishlist items

Hardware

Multiple flash card readers

References