~nytpu/sbhk

Simple Bootable Hardware Keystore
bump version to r5 and change versioning scheme
fix issue with lingering GPG-agent processes
fix another bug

clone

read-only
https://git.sr.ht/~nytpu/sbhk
read/write
git@git.sr.ht:~nytpu/sbhk

You can also use your local clone with git send-email.

#SBHK — Simple Bootable Hardware Keystore

SBHK is an extrordinarily minimalist—the full system image is only ~35 MB—system that helps you manage and store PGP and other encryption and signing keys.

SBHK was originally inspired by a post by @epoch@tilde.zone. That thread also contains my justifications on why you'd use this over something like Tails.

#Features

  • No networking drivers or capability. Still not as secure as a truly airgapped computer, but as secure as you'll get with software.
  • Ephemeral root partition, reset back to the original state after every reboot. The encrypted and unencrypted persistent partitions are not affected.
  • Contains GnuPG and OpenBSD's signify utility for high-reliability signing and encryption operations.
  • Full-strength LUKS encryption support for the encrypted “keystore” partition
  • Full busybox coreutils and useful custom scripts
  • Full documentation on setup and usage included both online and offline in the distribution itself.

#Caveats

I am not a cryptography or security expert. I am not an expert at hardening systems. While SBHK's security setup makes use of existing software and common sense configuration, I make no guarantees that I didn't miss some setting that would've improved security. If you can make a suggestion or improvement, please email me privately at <alex [at] nytpu.com>.

Note that one of the primary goals for SBHK was to not write anything I don't have to myself. I tried to "stand on the shoulders of giants" and rely on software written by people that actually know what they're doing, and I'm mostly gluing them together into a coherent distribution.

On randomness when encrypting drives and generating passwords: I include various daemons and tools such as jitter-entropy and haveged to ensure that the randomness pool will stay updated with randomness, but I still recommend typing and doing something to seed the randomness pool before encrypting or generating anything secure.

Finally, I must draw attention to the final three paragraphs in Copyright and Legal

#Installing

#Requirements

  • x86 or x86_64 system capable of booting from external media
  • >30 MiB external media to boot off of such as a CD or USB drive (USB drive recommended). The entire disk will be wiped.
  • Two data partitions (>=50 MiB each recommended) on external media that you don't mind reformatting.

Using one USB drive with three partitions (one boot, two data) is the recommended setup.

#Downloading

ISOs for SBHK Release 5 can be downloaded from https://nytpu.com/releases/sbhk/. Also make sure to download the checksums and signatures! My GPG key is available via gpg --locate-external-key alex@nytpu.com and my signify key can be found at https://nytpu.com/about.gmi.

It is recommended to download the x86_64 version unless you know you'll be using it on a 32-bit computer. While the plain x86 distribution should work on 64-bit computers, I've run into bizarre issues and I can't recommend it unless you know you need it.

If you'd like to make modifications or be able to fully audit the build yourself you can follow the compiling directions.

#Installing

See the device setup guide

#Compiling

#Requirements

#Building

Forewarning: On my 2015 Macbook Pro running Linux, it takes around 45 minutes for a fresh build not including the source code downloads. YMMV, but expect a from-scratch build to take a long time.

git clone https://git.sr.ht/~nytpu/sbhk && cd sbhk
make

You will find the ISO at images/rootfs.iso9660.

#Contributing

The upstream URL of this project is https://sr.ht/~nytpu/sbhk. Send suggestions, bugs, patches, and other contributions to ~nytpu/public-inbox@lists.sr.ht. For help sending a patch through email, see https://git-send-email.io. You can browse the list archives at https://lists.sr.ht/~nytpu/public-inbox. View bug reports at https://todo.sr.ht/~nytpu/general.

#See Also

Copyright (C) 2021 nytpu <alex [at] nytpu.com>.

Licensed under the terms of the GNU General Public License, version 3. You can view a copy of the GNU GPL in LICENSE or at https://www.gnu.org/licenses/gpl-3.0.html.

The documentation for SBHK in doc/ is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license. You can view a copy of the CC BY-SA 4.0 in doc/LICENSE or at https://creativecommons.org/licenses/by-sa/4.0/.

SBHK uses numerous utilities that are built by buildroot, all of which have their own licenses. The source code is either unmodified or provided with SBHK. You can run make legal-info in a local clone of the repository to get all of the licenses and source code modifications collated into one directory.

DISCLAIMER: I am not a security expert. I wouldn't even say that I have “above average” knowledge of system hardening compared to the average programmer. As such, I must emphasize the following paragraphs of the license:

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.