OpenPGP Key Generation With Backup: which Nitrokey distro for air-gapped key generation?

I am searching for a downloadable (Linux) ISO which I can burn to CD-ROM in order to have all the necessary tools on there to run on an air-gapped machine and to create and transfer GPG keys to multiple Nitrokey Pro devices. Is there anything out there which is recommendable? (preferably with a verifiable ISO checksum). I guess the Nitrokey App would be the possible missing bottleneck on standard distros.

Thanks!

Hello!

For example, you can use a Live CD from Ubuntu, Linux Mint, Debian or any other distro which offers a “live mode”.
For me personally, the best variant turned out to be the use of a Raspberry Pi without an internet connection.
The Nitrokey app is not really necessary to create a key.
GnuPG recognizes the Nitrokey, when all needed modules are installed correctly on the system.

best regards
Jürgen

Hi microangelo and thanks for the reply!

As I said before, I wanted to use an air-gapped machine, so ‘all needed modules installed’ is really the bottleneck possibly, as I wanted to make sure the private keys are only on the Nitrokey plus the backup device. While the app of course is not necessary, it is still needed to transfer the keys to the Nitrokey Pro, correct?

Hi @k33crypt!

Tails has GnuPG 2.2.12 installed out of the box. You can download it from here. This should provide a properly configured OS.

Alternatively, if you do not want to run Tails or any other privacy oriented distro, you could download the packages and install them offline, as with this script (taken from [1]):

#!/bin/bash
# Run on an online Debian/Ubuntu machine: downloads the listed packages plus
# their hard dependencies into a temporary folder, which is then carried to
# the air-gapped machine and installed with dpkg.
set -e
folder=$(mktemp -d)
packages="scdaemon libccid pcscd rng-tools"

cd "$folder"
for p in $packages; do
  echo -e "\n====> downloading \"$p\""
  apt-get download "$p"
  # -i prints only Depends/Pre-Depends; '<...>' entries are virtual packages
  # that cannot be downloaded by name. Only the first level of dependencies
  # is fetched; dpkg -i on the receiving side names anything still missing.
  apt-cache depends -i "$p" | awk '/Depends:/ {print $2}' | grep -v '^<' | xargs -r apt-get download
done
cd "$OLDPWD"
echo -e "\nPackages available in \"$folder\""

and later installed with:

$ sudo dpkg -i *.deb

In [1] you can read about package verification on the receiving side. As for the rng-tools mentioned there, you would need to investigate further whether it is required (mind that the article is 3 years old, but probably yes).

[1] https://research.kudelskisecurity.com/2017/04/28/configuring-yubikey-for-gpg-and-u2f/

Edit: more about rng-tools: https://wiki.archlinux.org/index.php/Rng-tools

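As an added example (not code from the thread or from the linked article): the script above gets the .deb files onto a medium, but the air-gapped side should not run `dpkg -i *.deb` on whatever it finds there. The functions below write a SHA256SUMS manifest on the online machine and, on the air-gapped machine, refuse unless every listed file matches and no unlisted .deb has appeared. The manifest name, the demo file names and the `demo` walkthrough are constructed here; the assumption is that the manifest is carried on a separate trusted path (or signed) so that whoever can swap the packages cannot also swap the manifest.

```shell
#!/bin/sh
# Added example (not the thread's code): integrity check for .deb files
# carried across the air gap. Online side: write a SHA256SUMS manifest next
# to the packages. Air-gapped side: refuse to install unless every listed
# file matches and no unlisted .deb has appeared on the medium.
# Assumption: the manifest travels separately from (or is signed alongside)
# the packages, otherwise an attacker swaps both.

make_manifest() {
    # $1: folder holding the downloaded .deb files (run on the online machine)
    ( cd "$1" && sha256sum -- *.deb > SHA256SUMS )
}

verify_manifest() {
    # $1: folder as received on the air-gapped machine
    # Returns 0 only if every listed file matches and nothing unlisted exists.
    dir=$1
    [ -f "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
    # fails on any mismatch or on a listed file that is missing
    ( cd "$dir" && sha256sum --quiet -c SHA256SUMS ) || return 1
    # a .deb that is present but not in the manifest is just as suspicious
    for f in "$dir"/*.deb; do
        name=${f##*/}
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$dir/SHA256SUMS" \
            || { echo "unlisted package: $name" >&2; return 1; }
    done
    return 0
}

demo() {
    # Constructed sample: small text files stand in for real packages.
    tmp=$(mktemp -d)
    printf 'scdaemon sample\n' > "$tmp/scdaemon_sample_amd64.deb"
    printf 'pcscd sample\n'    > "$tmp/pcscd_sample_amd64.deb"
    make_manifest "$tmp"
    # 1. the pristine copy passes
    verify_manifest "$tmp" || { rm -rf "$tmp"; return 1; }
    # 2. a modified package must fail
    printf 'tampered\n' >> "$tmp/pcscd_sample_amd64.deb"
    if verify_manifest "$tmp" >/dev/null 2>&1; then rm -rf "$tmp"; return 1; fi
    # 3. an extra, unlisted package must fail even when the listed ones are intact
    printf 'pcscd sample\n' > "$tmp/pcscd_sample_amd64.deb"
    printf 'extra\n' > "$tmp/extra_sample_amd64.deb"
    if verify_manifest "$tmp" >/dev/null 2>&1; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```

On the air-gapped machine the install step becomes `verify_manifest /media/usb/debs && sudo dpkg -i /media/usb/debs/*.deb`; the manifest only proves the files are the ones you downloaded, so the download itself still has to go through apt's normal repository signature checks.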

Hello @k33crypt!

First … the hint of @szszszsz with Tails is very good; I had this distro in mind but couldn't name it ‘that quickly’.

Then… the Nitrokey App is NOT necessary to transfer a key to the Nitrokey Start/Pro. This is done with a simple command (‘keytocard’) in GnuPG. The only requirement is that the library ‘scdaemon’ and a few others are installed on the system you use.

best regards

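The `keytocard` workflow described above, as an added example that is not code from the thread: it generates a certify-only primary key with separate sign/encrypt/auth subkeys in a throwaway GNUPGHOME, exports the backup that belongs on the backup medium, checks that the backup actually restores, and only then moves the subkeys onto the card. The user id, passphrase and file names are constructed; it assumes GnuPG 2.2 or later, RSA 2048 keys (the Nitrokey Pro accepts up to 4096), and a loopback pinentry for the unattended generation steps.

```shell
#!/bin/sh
# Added example (not the thread's code): unattended OpenPGP key generation in
# a throwaway GNUPGHOME, export of the backup, a restore check, and the
# `keytocard` move onto a Nitrokey. Assumptions (mine, not the thread's):
# GnuPG 2.2+, RSA 2048 keys, a constructed user id and demo passphrase.

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
UID_STR='Backup Demo <demo@example.invalid>'   # constructed
PASS='demo-passphrase-change-me'               # constructed, demo only
FPR=''

gpgb() {   # gpg in batch mode with the demo passphrase on the loopback pinentry
    gpg --batch --pinentry-mode loopback --passphrase "$PASS" "$@"
}

generate_key() {
    # Certify-only primary key, then separate sign/encrypt/auth subkeys:
    # only the subkeys go to the card, the primary stays on the backup medium.
    gpgb --quick-generate-key "$UID_STR" rsa2048 cert 1y
    FPR=$(gpg --batch --with-colons --fingerprint --list-keys "$UID_STR" \
          | awk -F: '/^fpr:/ { print $10; exit }')
    for usage in sign encr auth; do
        gpgb --quick-add-key "$FPR" rsa2048 "$usage" 1y
    done
}

export_backup() {
    # $1: mount point of the backup medium. The secret export stays protected
    # by the passphrase, but treat the medium as the key itself: offline only.
    gpgb --armor --export-secret-keys "$FPR" > "$1/secret-master.asc"
    gpg --batch --armor --export "$FPR" > "$1/public.asc"
    gpg --batch --export-ownertrust > "$1/ownertrust.txt"
}

verify_backup() {
    # Restore the export into a fresh keyring; the same primary fingerprint and
    # all three subkeys must come back, otherwise the backup is not usable.
    restore=$(mktemp -d); chmod 700 "$restore"
    GNUPGHOME=$restore gpg --batch --pinentry-mode loopback --passphrase "$PASS" \
        --import "$1/secret-master.asc" 2>/dev/null
    GNUPGHOME=$restore gpg --batch --with-colons --fingerprint --list-secret-keys \
      | awk -F: -v fpr="$FPR" '
          /^fpr:/ && !seen { seen = 1; if ($10 != fpr) bad = 1 }
          /^ssb:/          { n++ }
          END              { exit (bad || n != 3) }'
    rc=$?
    GNUPGHOME=$restore gpgconf --kill gpg-agent
    rm -rf "$restore"
    return $rc
}

move_to_card() {
    # Needs scdaemon/pcscd and the Nitrokey in the reader. keytocard *moves*
    # each subkey (only a stub stays on disk), so run this after the backup is
    # verified. Slot answers: 1 = signature, 2 = encryption, 3 = authentication.
    # The passphrase and the card's Admin PIN are asked interactively via pinentry.
    gpg --card-status >/dev/null 2>&1 || { echo "no OpenPGP card found" >&2; return 1; }
    printf '%s\n' 'key 1' keytocard 1 'key 1' \
                  'key 2' keytocard 2 'key 2' \
                  'key 3' keytocard 3 save \
      | gpg --command-fd 0 --status-fd 2 --edit-key "$FPR"
}

# Stand-alone run: `sh generate-and-backup.sh run` (file name is illustrative);
# the card step is skipped when no Nitrokey is present.
if [ "${1:-}" = run ]; then
    generate_key
    backup=$(mktemp -d)
    export_backup "$backup"
    verify_backup "$backup" && echo "backup verified: $backup"
    move_to_card || echo "card step skipped"
fi
```

After `move_to_card`, `gpg --card-status` should list the three subkey fingerprints and `gpg -K` shows them as `ssb>` stubs; the primary key exists only in the exported backup, which is the point of doing the generation on the air-gapped machine. Repeat `move_to_card` against a second Nitrokey only after restoring the full keyring from the backup, because the first move left stubs behind.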