Proposal: Guidelines for Creating a Secure Environment (Standalone, CI/CD) #499

Open
@mattborja

Purpose

Note

Requested via: #498 (comment)

To provide guidance for creating a standalone secure environment for performing essential key management tasks and also inform the design of prospective CI/CD pipelines producing secure images to bootstrap setup requirements.

Prerequisites

Hardware

  • Trusted USB flash drives (1-2)
  • Trusted powered USB hub
  • Supported ARM platform (e.g., RPi)
  • SD card and reader

Base Image: Alpine Linux

Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and Busybox. Learn more...

Checksum Snapshot:
https://wayback-api.archive.org/web/20250508063014/https://downloads.raspberrypi.com/os_list_imagingutility_v4.json

{
  "name": "Alpine Linux",
  "description": "A security-oriented, lightweight Linux distribution based on musl libc and busybox",
  "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
  "random": false,
  "subitems": [
    {
      "name": "Alpine Linux 3.21.3 (32bit)",
      "description": "Small OS for RPi 1 and Zero/W",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/armhf/alpine-rpi-3.21.3-armhf.img.gz",
      "extract_size": 79691776,
      "extract_sha256": "2eaccef44d960416a7a248d6b738bfca19787a69c1700c11b64cb07462776036",
      "image_download_size": 64267967,
      "image_download_sha256": "09e909a2d4d3b9d86b2c1a07ad77c684d6982ef3fcc4ab475abd955dbeed1baa",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi1-32bit"]
    },
    {
      "name": "Alpine Linux 3.21.3 (32bit)",
      "description": "Small OS for RPi 2 and 3",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/armv7/alpine-rpi-3.21.3-armv7.img.gz",
      "extract_size": 78643200,
      "extract_sha256": "01518f1edd1c6ee861ab7c93855ce5cd24cf07cc9bfd062f044e08fa84ed7b7e",
      "image_download_size": 63866848,
      "image_download_sha256": "f9753ea7d39146563c7cdaa4988f94b0cf5efc47284e0bbc5f4f2d46b49974bd",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi2-32bit", "pi3-32bit"]
    },
    {
      "name": "Alpine Linux 3.21.3 (64bit)",
      "description": "Small OS for RPi 3, 4 and 5",
      "icon": "https://alpinelinux.org/alpinelinux-logo-icon.svg",
      "url": "https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/aarch64/alpine-rpi-3.21.3-aarch64.img.gz",
      "extract_size": 99614720,
      "extract_sha256": "fad4c92273b1d1b7bce52f056045c456cb793f3e748c6987506249259c43ae79",
      "image_download_size": 70374630,
      "image_download_sha256": "e2ae40d0eaeff3d9a4e71176eeb4980205d8e9974dde8b560a71341e4ef53c60",
      "release_date": "2025-02-13",
      "init_format": "none",
      "devices": ["pi3-64bit", "pi4-64bit", "pi5-64bit"]
    }
  ]
}

Offline configuration

Recommended to have downloaded in advance:

Post-Installation

Offline APK packages for GnuPG utilities (pending):

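#!/bin/sh
# Install the pre-downloaded packages offline; --allow-untrusted accepts packages without a trusted signature.
apk --allow-untrusted --force-non-repository add /path/to/offline/*.apk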

Readers can then resume from Prepare GnuPG in the original guide. 😊
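
The checksum snapshot above records a size and SHA-256 for both the compressed download and the extracted image. The following is an added example, not part of the original issue or the project, that checks a downloaded `.img.gz` against one subitem of that snapshot; the function names and the constructed sample under `__main__` are assumptions for illustration.

```python
import gzip
import hashlib
import os
import tempfile


def digest_and_size(stream, chunk_size=1 << 20):
    """Stream a file object through SHA-256; return (hex digest, byte count)."""
    h, total = hashlib.sha256(), 0
    while block := stream.read(chunk_size):
        h.update(block)
        total += len(block)
    return h.hexdigest(), total


def select_entry(os_entry, device):
    """Pick the single subitem whose "devices" list names the target board."""
    matches = [s for s in os_entry["subitems"] if device in s["devices"]]
    if len(matches) != 1:
        raise LookupError(f"expected one image for {device}, found {len(matches)}")
    return matches[0]


def verify_image(entry, gz_path):
    """Return the manifest fields that do not match (empty list = verified)."""
    with open(gz_path, "rb") as f:
        got = dict(zip(("image_download_sha256", "image_download_size"), digest_and_size(f)))
    bad = [k for k, v in got.items() if entry[k] != v]
    if bad:
        return bad  # do not decompress an archive that failed its own checksum
    with gzip.open(gz_path, "rb") as f:
        got = dict(zip(("extract_sha256", "extract_size"), digest_and_size(f)))
    return [k for k, v in got.items() if entry[k] != v]


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in image and a manifest entry built from it.
    raw = b"constructed stand-in for an alpine-rpi image\n" * 64
    blob = gzip.compress(raw)
    entry = {"devices": ["pi4-64bit"],
             "image_download_size": len(blob),
             "image_download_sha256": hashlib.sha256(blob).hexdigest(),
             "extract_size": len(raw),
             "extract_sha256": hashlib.sha256(raw).hexdigest()}
    path = os.path.join(tempfile.mkdtemp(), "sample.img.gz")
    with open(path, "wb") as f:
        f.write(blob)
    chosen = select_entry({"subitems": [entry]}, "pi4-64bit")
    print("verified" if not verify_image(chosen, path) else "MISMATCH")
```

For a real image, load the snapshot's Alpine Linux object with `json.load` and pass it to `select_entry` together with the target device name.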
