AirgapOS Setup

This section can be completed on any machine.

AirgapOS has keyfork built into it for cryptographic operations such as key derivation.

  1. Clone the AirgapOS repository locally or download it as a zip

    To clone use the following command in the terminal:

    cd ~
git clone git@distrust.co:public/airgap.git

    To download as a ZIP from https://git.distrust.co/public/airgap: Downloading AirgapOS as ZIP

  2. Navigate into the airgap repository locally, and build the iso image.

    cd ~/airgap
make reproduce

The resulting iso will be located in airgap/out/

  1. Place signed .iso on a storage device

    a. Import the public key for the PureBoot Smart Card from Initialize PureBoot Smart Card guide.

    gpg --import <ID>.asc

    b. Get the GPG key ID using the command:

    gpg --list-keys

    It should look something like 6B61ECD76088748C70590D55E90A401336C8AAA9

    c. Sign the airgap.iso image using the "PureBoot Smart Card", which is set up in Initalize PureBoot Smart Card guide.

    gpg --detach-sign --armor --default-key <ID> airgap.iso

  2. Copy airgap.iso and detached signature to a storage device a. Select a new Storage Device which has no other files on it and plug it into the machine that has the airgap.iso file and the detached GPG signature.

    b. Find the name of the Storage Device using this guide

    d. Use the mount command to mount the drive

    e. Copy both the airgap.iso and detached signature to the drive.

  3. Make sure to note the sha256sum hash of the airgap.iso and write it down on a piece of paper.

  4. Multiple members of your team should build the airgap.iso image independently and use sha256sum airgap.iso in order to hash it, then record the value for later use. This value will be checked during Ceremonies before booting the ISO image to ensure it can be trusted.