Re: dedicated live CD for PGP master key management
On 25/04/16 21:51, Adam Borowski wrote:
> On Mon, Apr 25, 2016 at 10:15:02AM +0200, Daniel Pocock wrote:
>> There are various blogs guiding people to use a Debian Live CD for
>> managing PGP master keys
>> Has anybody thought of making a dedicated live CD image for this
>> purpose, with some kind of PGP quick setup wizard and attempting to
>> enforce a sane and secure workflow?
>> Some specific things that the live image could do:
>> - verifying there is no network connection, no DHCP daemon,
>> automatically shutting down if a network connection becomes active
> You can't verify that in software, at the very least not on Intel CPUs with
> an Intel network chipset. The AMT has its separate CPU, whole network
> stack, a separate MAC address and complete access to the network card /
> memory / main CPU. Thus there's no way to be secure other than telling the
> user to physically yank the network cable.
> The AMD equivalent has AFAIK no such tight coupling with network cards but
> it can probably still be nasty enough. Fortunately pretty recent AMD CPUs
> (Bulldozer/Piledriver?) are not yet backdoored, but as the time passes,
> they'll become less and less recent.
One of those ARM-based Chromebooks could be a useful solution to that.
I've added a section on known risks now: