The Secure Environment

The secure environment is used for everything that involves the master key. Whenever you need the master key for a certain task, every action should be done in this environment.

In my case that means I will boot a Linux live system that has never been and will never be connected to the Internet. I use Tails for my secure environment.

You will need one USB flash drive with at least 8 GB for the next steps.

Install Tails on Flash Drive

Tails is a Linux live system which runs from a USB flash drive. They have very good documentation about how to create that bootable flash drive here.

First you have to download the image from the Tails website. Since GnuPG is already installed, you can also verify the download.

Verify the Download of Tails

For that you have to download the signature of the Tails image you downloaded in the previous step. This file is also available on the Tails download page in the section "Verify using OpenPGP".

Now import the Tails signing key:

> curl -sSL https://tails.boum.org/tails-signing.key | gpg --import

After that the download can be verified with the following command:

> gpg --verify /path/to/tails/image/signature.sig /path/to/tails/image/file.img

In my case the output looked like the following:

> gpg --verify ~/Downloads/tails-amd64-4.2.2.img.sig ~/Downloads/tails-amd64-4.2.2.img
gpg: Signature made Mon Jan 13 11:49:48 2020 CET
gpg:                using RSA key 05469FB85EAD6589B43D41D3D21DAD38AF281C0B
gpg: Good signature from "Tails developers <tails@boum.org>" [unknown]
gpg:                 aka "Tails developers (offline long-term identity key) <tails@boum.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Subkey fingerprint: 0546 9FB8 5EAD 6589 B43D  41D3 D21D AD38 AF28 1C0B

The warning here can be ignored. This happened because I didn't sign the imported key and didn't provide any trust level, which is indicated by the [unknown] part in the output. However, the "Good signature" part indicates that the download is what it is supposed to be.
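An added example, not part of the original post: "Good signature" only means the image was signed by some key in the keyring, so this check reads gpg's machine-readable status output and accepts the image only if the signing key belongs to a pinned primary key fingerprint. The function names and the sample status lines are constructed for this example; the pinned value is the primary key fingerprint from the output above and should be compared against a copy obtained over a separate channel.

```shell
#!/bin/sh
# Pinned primary key fingerprint, copied from the gpg output above (spaces removed).
TAILS_FPR="A490D0F4D311A4153E2BB7CADBB802B258ACD84F"

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line names the
# pinned primary key (its last field) and no line reports a bad, uncheckable,
# expired-key or revoked-key signature. Anything else fails closed.
status_has_pinned_sig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $12 == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Usage: verify_tails_image /path/to/file.img.sig /path/to/file.img
# --status-fd 1 puts the status lines on stdout; the human-readable text stays on stderr.
verify_tails_image() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_has_pinned_sig "$TAILS_FPR"
}

# Constructed sample of the status lines for a good signature, built from the
# fingerprints shown above (timestamp and algorithm fields are illustrative).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D21DAD38AF281C0B Tails developers <tails@boum.org>
[GNUPG:] VALIDSIG 05469FB85EAD6589B43D41D3D21DAD38AF281C0B 2020-01-13 1578912588 0 4 0 1 10 00 A490D0F4D311A4153E2BB7CADBB802B258ACD84F
EOF
}
```

Run `verify_tails_image` with the signature and image paths and check its exit status before writing the image.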

Write Tails Image to Flash Drive

To write the image to the USB flash drive, you have to find out its device identifier first. On macOS this can be done via diskutil list. It will print all disks in your system. The name and the size might be a good indicator to find the correct drive.

Find Device Identifier

In my case the device identifier was disk2. Below you can find the example output with the identifier in the last column. Note that I stripped some parts of the output here.

> diskutil list
...
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.5 GB    disk2
   1:                 DOS_FAT_32 INTENSO                 31.5 GB    disk2s1

Make sure that you don't need any data that is stored on the flash drive anymore. All data will be lost when writing the image.

Unmount Flash Drive

> diskutil unmountDisk /dev/<DEVICE IDENTIFIER>

Write the Image

> dd if=/path/to/tails/image/file.img of=/dev/<DEVICE IDENTIFIER> bs=16m; sync

Following the examples above, the command to write the image to the USB flash drive would look like this:

> dd if=~/Downloads/tails-amd64-4.2.2.img of=/dev/disk2 bs=16m; sync

This might take some minutes. Afterwards shut down your system and boot from the flash drive by holding down the ⌥ key during the boot process. This will show a boot menu where you can select the flash drive.

Keep in mind that the secure environment should never be connected to the Internet, so you may want to open this site on another device to be able to follow the steps in the next sections.