Personal PGP Key Provisioning

Requirements

  • AirgapOS SD card

  • AirgapOS Laptop

  • Linux Workstation (online machine)

    • Any internet connected computer with a Linux shell will suffice
  • 1+ Smart Card

    • At least 1 primary smart card
    • Any number of backup smart cards
  • 1 Transfer SD card

    • Document will assume the card is labelled as "TRANSFER"

Process

  1. If using a pre-sealed Cold Bundle, unseal it as follows:

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

  2. Boot AirgapOS Laptop

  3. Insert the TRANSFER SD card into the system

  4. Change working directory to SD card mount location

    $ cd /media/TRANSFER
    
  5. Insert all smartcards to be provisioned into the system.

  6. Set expiry time via environment variable - you can update 2y to desired value:

    $ export KEYFORK_OPENPGP_EXPIRE=2y
    
  7. Generate a mnemonic, encrypting to a newly-generated key:

    Ensure the User ID is your name and your email.

    $ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
    

    The --provision-count option can be provided to ensure the correct number of smartcards is provisioned - the program will error if the number of smartcards available is not equal to the count requested.

    Note: The PIN can't consist of sequential numbers, repeated characters or other simple patterns.

  8. Power down AirgapOS Laptop

  9. Switch to Linux Workstation

  10. Attach the TRANSFER SD card from the AirgapOS machine

  11. Attach the smartcard provisioned on the AirgapOS machine

  12. Import newly generated public key into local keychain

    $ gpg --import /media/TRANSFER/*.pub.asc
    
  13. Retrieve your PGP key ID from the smartcard

    $ gpg --card-status
    
    The "General key info" section of the output shows the key ID and the User ID; use that key ID (or the full fingerprint) as <pgp_key_id> below.
    
  14. Configure git to sign commits and tags with the smartcard

    $ git config --global user.name <name>
    $ git config --global user.email <email>
    $ git config --global user.signingKey <pgp_key_id>
    $ git config --global commit.gpgSign true
    $ git config --global tag.gpgSign true
    
    
  15. Configure ssh to authenticate with the smartcard

    gpg-agent only serves SSH clients when enable-ssh-support is set in its configuration, and the SSH_AUTH_SOCK line must be appended to ~/.bashrc (a single > would overwrite the file):

    $ echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
    $ gpgconf --kill gpg-agent
    $ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' >> ~/.bashrc
    $ source ~/.bashrc
    $ ssh-add -L
    

    ssh-add -L should list the public key of the card's authentication subkey; that line is what goes into authorized_keys on the hosts you need to reach.

    Note: If you use another shell such as zsh, adjust accordingly

  16. Push new key material to Vaults repository

    a. Clone repository (if not done previously)

    $ git clone <vaults_repository_url> ~/vaults
    

    b. Checkout main branch

    $ cd ~/vaults
    $ git checkout main
    $ git pull origin main
    

    c. Commit and push modifications

    $ cp /media/TRANSFER/*.asc keys/all
    $ git add keys/all
    $ git commit -S -m "add <name> pgp key"
    $ git push origin main
    

    Note: the glob /media/TRANSFER/*.asc also matches encrypted.asc, the mnemonic backup encrypted to the new key, not only the exported public key; check what it expands to before copying so you know exactly what is being committed to the shared repository.
    
  17. Communicate your new key fingerprint to all other participants:

    • Preferred: In person

    • Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)

  18. Get confirmation they have imported your key to their keychains

    • e.g. gpg --import <your_key_id>.asc
    • They should compare the fingerprint gpg shows for the imported key (gpg --fingerprint <your_key_id>) against the one you communicated in step 17 before trusting it
    • Confirm this is done for keyrings on workstations used to interact with the Vaults repository
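As an added example, not part of the original procedure and not code from keyfork or AirgapOS: a POSIX shell check a participant can run for the verification in steps 17 and 18. It normalises a fingerprint as it is read out in person or over a call (spaces, lowercase, "0x" prefix) and compares it with the primary-key fingerprint gpg reports in `gpg --with-colons --fingerprint` output, refusing short key IDs since they are not fingerprints. The colon-format sample embedded below is constructed, not real key material, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: compare an out-of-band fingerprint with the one gpg holds.
# Not part of the original procedure; function names are assumptions.

# Normalise a fingerprint as humans paste it (spaces, lowercase, "0x" prefix)
# into the bare 40-hex-character form gpg prints in --with-colons output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Extract primary-key fingerprints from `gpg --with-colons --fingerprint`
# output read on stdin. In colon format, the "fpr" record that follows a
# "pub" record is the primary fingerprint (field 10); "fpr" records that
# follow "sub" records belong to subkeys and are ignored here.
primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0;next} $1=="fpr"&&want{print $10;want=0}'
}

# Return 0 if the fingerprint in $1 matches a primary key in the colon output
# read on stdin, 1 if it does not, 2 if $1 is not a full 40-hex fingerprint.
check_fpr() {
    expected=$(normalize_fpr "$1")
    [ "${#expected}" -eq 40 ] || return 2   # refuse short key IDs
    primary_fprs | grep -qx "$expected"
}

# Constructed sample of `gpg --with-colons --fingerprint` output
# (not real key material): one primary key, one encryption subkey.
SAMPLE='tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:1763000000::u:::scESC:::::ed25519:::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1700000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Your Name <your@email.co>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000:1763000000:::::e:::::cv25519::
fpr:::::::::1111111111111111111111111111111111111111:'

# Run the check against the constructed sample; against a live keyring use:
#   gpg --with-colons --fingerprint "$KEYID" | check_fpr "<fingerprint read out in person>"
verify_communicated() {
    printf '%s\n' "$SAMPLE" | check_fpr "$1"
}
```

A mismatch (exit status 1) means the key in the keyring is not the one the owner communicated and must not be trusted or used to verify Vaults commits; exit status 2 means a key ID rather than a fingerprint was read out, which is not sufficient for this comparison.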