Proposal: Guidelines for Creating a Secure Environment (Standalone, CI/CD)

Open mattborja opened this issue 9 months ago • 3 comments

Purpose

[!NOTE] Requested via: https://github.com/drduh/YubiKey-Guide/issues/498#issuecomment-2861168043

To provide guidance for creating a standalone secure environment for performing essential key management tasks and also inform the design of prospective CI/CD pipelines producing secure images to bootstrap setup requirements.

Prerequisites

Hardware

  • Trusted USB flash drives (1-2)
  • Trusted powered USB hub
  • Supported ARM platform (e.g., RPi)
  • SD card and reader

Base Image: Alpine Linux

Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and Busybox. Learn more...

Checksum Snapshot:
https://wayback-api.archive.org/web/20250508063014/https://downloads.raspberrypi.com/os_list_imagingutility_v4.json

{
  "name": "Alpine Linux",
  "description": "A security-oriented, lightweight Linux distribution based on musl libc and busybox",
  "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
  "random": false,
  "subitems": [
    {
      "name": "Alpine Linux 3.21.3 (32bit)",
      "description": "Small OS for RPi 1 and Zero/W",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/armhf/alpine-rpi-3.21.3-armhf.img.gz",
      "extract_size": 79691776,
      "extract_sha256": "2eaccef44d960416a7a248d6b738bfca19787a69c1700c11b64cb07462776036",
      "image_download_size": 64267967,
      "image_download_sha256": "09e909a2d4d3b9d86b2c1a07ad77c684d6982ef3fcc4ab475abd955dbeed1baa",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi1-32bit"]
    },
    {
      "name": "Alpine Linux 3.21.3 (32bit)",
      "description": "Small OS for RPi 2 and 3",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/armv7/alpine-rpi-3.21.3-armv7.img.gz",
      "extract_size": 78643200,
      "extract_sha256": "01518f1edd1c6ee861ab7c93855ce5cd24cf07cc9bfd062f044e08fa84ed7b7e",
      "image_download_size": 63866848,
      "image_download_sha256": "f9753ea7d39146563c7cdaa4988f94b0cf5efc47284e0bbc5f4f2d46b49974bd",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi2-32bit", "pi3-32bit"]
    },
    {
      "name": "Alpine Linux 3.21.3 (64bit)",
      "description": "Small OS for RPi 3, 4 and 5",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/aarch64/alpine-rpi-3.21.3-aarch64.img.gz",
      "extract_size": 99614720,
      "extract_sha256": "fad4c92273b1d1b7bce52f056045c456cb793f3e748c6987506249259c43ae79",
      "image_download_size": 70374630,
      "image_download_sha256": "e2ae40d0eaeff3d9a4e71176eeb4980205d8e9974dde8b560a71341e4ef53c60",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi3-64bit", "pi4-64bit", "pi5-64bit"]
    }
  ]
}

Offline configuration

Recommended to have downloaded in advance:

Post-Installation

Offline APK packages for GnuPG utilities (pending):

#!/bin/sh
apk --allow-untrusted --force-non-repository add /path/to/offline/*.apk

Readers can then resume from Prepare GnuPG in the original guide. 😊

May 08 '25 06:05 mattborja
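
The Checksum Snapshot in the post above pins a size and a SHA-256 for both the compressed download and the extracted image. One way to check a downloaded file against those four values, as an added example that is not part of the original issue or of the YubiKey-Guide project; the function names are hypothetical, and the input is assumed to be the Alpine Linux JSON object exactly as quoted above:

```python
import gzip
import hashlib
import json
import zlib


def _sha256_stream(fh, chunk=1 << 20):
    """Hash a file-like object in chunks; return (hex digest, byte count)."""
    digest, total = hashlib.sha256(), 0
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
        total += len(block)
    return digest.hexdigest(), total


def find_entry(os_list_json, device):
    """Return the subitem whose "devices" list contains `device` (hypothetical helper)."""
    for item in json.loads(os_list_json)["subitems"]:
        if device in item.get("devices", []):
            return item
    raise LookupError(f"no image listed for device {device!r}")


def verify_image(entry, gz_path):
    """Check a downloaded .img.gz against one subitem; return the list of failures."""
    failures = []
    with open(gz_path, "rb") as fh:
        got_hash, got_size = _sha256_stream(fh)
    if got_size != entry["image_download_size"]:
        failures.append("image_download_size mismatch")
    if got_hash != entry["image_download_sha256"]:
        failures.append("image_download_sha256 mismatch")
        return failures  # do not decompress data that failed its checksum
    try:
        with gzip.open(gz_path, "rb") as fh:
            raw_hash, raw_size = _sha256_stream(fh)
    except (OSError, EOFError, zlib.error):
        failures.append("archive does not decompress cleanly")
        return failures
    if raw_size != entry["extract_size"]:
        failures.append("extract_size mismatch")
    if raw_hash != entry["extract_sha256"]:
        failures.append("extract_sha256 mismatch")
    return failures
```

An empty list means all four pinned values matched; the result is only as trustworthy as the copy of the snapshot JSON it is compared against.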

I really like the idea of having a low-cost device in a small form factor that can be kept offline for key operations, especially on an alternative platform like ARM. This work may enable such a setup.

Personally I am partial to Debian, but look forward to testing an Alpine implementation. Do you want to send a PR with a new markdown file? Thanks!

May 09 '25 01:05 drduh

Finally found my notes :P

Have a couple small corrections to make and need to get it converted to Markdown, but should then be good to go. I'll try to get you a PR by this weekend, if not sooner.

May 09 '25 04:05 mattborja

We can keep this open for testing and feedback, up to you @mattborja

Jun 15 '25 20:06 drduh