Re: dedicated live CD for PGP master key management

[Adam Borowski <kilobyte@angband.pl>]

On Mon, Apr 25, 2016 at 10:15:02AM +0200, Daniel Pocock wrote:
> There are various blogs guiding people to use a Debian Live CD for
> managing PGP master keys
> 
> Has anybody thought of making a dedicated live CD image for this
> purpose, with some kind of PGP quick setup wizard and attempting to
> enforce a sane and secure workflow?
>[...]
> Some specific things that the live image could do:
> - verifying there is no network connection, no DHCP daemon,
> automatically shutting down if a network connection becomes active

You can't verify that in software, at the very least not on Intel CPUs with
an Intel network chipset.  The AMT has its separate CPU, whole network
stack, a separate MAC address and complete access to the network card /
memory / main CPU.  Thus there's no way to be secure other than telling the
user to physically yank the network cable.

The AMD equivalent has AFAIK no such tight coupling with network cards but
it can probably still be nasty enough.  Fortunately pretty recent AMD CPUs
(Bulldozer/Piledriver?) are not yet backdoored, but as the time passes,
they'll become less and less recent.

-- 
A tit a day keeps the vet away.