Add notes for restarting gpg-agent if connection to HSM is lost between $GNUPGHOME directories

Clean up headings with procedure verbiage:
- Install Offline Packages for GnuPG
- Verify the Environment
Matt Borja 2025-05-19 02:29:37 +00:00
parent 0d709dd9ba
commit dc2221e7de
No known key found for this signature in database
GPG key ID: C3F69D1BE6BCBD16


@ -64,7 +64,7 @@ root@host:~$ umount /mnt
**CI/CD Considerations.** It is curate a clean, custom bootable image of Alpine Linux with these same offline packages using a CI/CD pipeline if carefully designed to also demonstrate software provenance and image signing before release. **CI/CD Considerations.** It is curate a clean, custom bootable image of Alpine Linux with these same offline packages using a CI/CD pipeline if carefully designed to also demonstrate software provenance and image signing before release.
## Stage 2. Secure Environment ## Stage 2. Using the Secure Environment
At this point, the newly provisioned secure environment should be booted, free of any extraneous peripheral attachments, with networking completely disabled. At this point, the newly provisioned secure environment should be booted, free of any extraneous peripheral attachments, with networking completely disabled.
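Review bot: the unchanged context line beginning "**CI/CD Considerations.** It is curate a clean, custom bootable image" is missing a verb (presumably "It is possible to curate"); since this hunk already touches the Stage 2 heading, fix that sentence in the same pass. The heading rename from "Secure Environment" to "Using the Secure Environment" is consistent with the procedure-oriented headings introduced in the later hunks.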
@ -78,7 +78,7 @@ Additional setup requirements within the secure environment may include:
- Adding entropy sources - Adding entropy sources
- Importing keys - Importing keys
### 2.1 Installing Offline Packages ### 2.1 Install Offline Packages for GnuPG
After booting into the secure environment, the user proceeds to verify the SHA256 checksums of the previously GPG-verified APK packages download to removable storage: After booting into the secure environment, the user proceeds to verify the SHA256 checksums of the previously GPG-verified APK packages download to removable storage:
```shell ```shell
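Review bot: the context line "previously GPG-verified APK packages download to removable storage" should read "downloaded to removable storage"; worth fixing while the 2.1 heading is being renamed. The sentence also says the SHA256 checksums are verified but not what they are compared against; state that the expected values were recorded outside the secure environment at the time of the GPG-verified download, since that is the only thing that makes the in-environment checksum step meaningful.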
@ -94,15 +94,21 @@ Once verified and extracted from the tarball, the user issues the following comm
root@host:~$ apk --allow-untrusted --force-non-repository add *.apk root@host:~$ apk --allow-untrusted --force-non-repository add *.apk
``` ```
### 2.2 GPG Environment ### 2.2 Verify the Environment
At this point, the user can now begin [working with GPG](https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#prepare-gnupg) and smart cards in their new environment: At this point, the user can now begin [working with GPG](https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#prepare-gnupg) and smart cards in their new environment:
```shell ```shell
$ gpg --import yubikey.pub root@host:~$ gpg --import yubikey.pub
$ gpg --card-status root@host:~$ gpg --card-status
$ gpg --list-secret-keys root@host:~$ gpg --list-secret-keys
```
**Important.** If you run into issues detecting your YubiKey switching between `$GNUPGHOME` directories (common during heavy key management operations such as ring transfers, etc.), try restarting the `gpg-agent` as follows:
```shell
root@host:~$ pkill gpg-agent
root@host:~$ gpg --card-status
``` ```
## Stage 3. Takedown ## Stage 3. Takedown
When finished performing tasks, the secure environment should either be a) promptly destroyed or b) properly secured away; to close the window on unknown threats to a dormant system (e.g., physical, technological, theoretical, unknown). When finished performing tasks, the secure environment should either be a) promptly destroyed or b) properly secured away; to close the window on unknown threats to a dormant system (e.g., physical, technological, theoretical, unknown).
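Review bot: the added `pkill gpg-agent` in the Important note matches every gpg-agent process by name, regardless of which `$GNUPGHOME` it serves; `gpgconf --kill gpg-agent` stops only the agent for the current `$GNUPGHOME` and is the documented way to restart it, and if the lost connection is to the card rather than the agent, `gpgconf --kill scdaemon` is the narrower fix. Because the note is specifically about switching between `$GNUPGHOME` directories, also say whether the user is expected to re-export `GNUPGHOME` before running `gpg --card-status`, since restarting the agent will not help while the variable still points at the previous directory. Unrelated to the change but in this hunk's context: `apk --allow-untrusted --force-non-repository add *.apk` disables apk's own signature check, so the SHA256 verification in 2.1 is the only integrity control left on these packages; the document should state that dependency explicitly. The prompt change from `$` to `root@host:~$` in the three gpg lines is consistent with the rest of the document.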