Secure Offline Storage
Introduction
CIYAM Safe is a solution for cold storage that uses 100% air-gapped communications (i.e. there is no wire connection made from the online computer to the offline computer). The recommended way to use the system is to install the Live OS to a USB flash drive which later will only ever be plugged into the offline computer.
The offline computer must have a 64-bit x86 (x86-64) CPU and at least 2GB of memory. For the Live OS itself a 4GB USB flash drive is the minimum size recommended, and although VM images are also provided the safest approach is to use the Live OS version. Whatever OS is already installed on the offline computer should not matter, as the BIOS settings should be changed to ensure that the Live OS is always booted from USB (and maybe consider formatting or even physically removing the offline computer's hard disk).
To further ensure the integrity of a CIYAM Safe system it is recommended to remove hardware such as the WiFi card from the offline computer so that it cannot be connected to the internet (or any other networked device). In the same manner if the computer currently has a standard ethernet socket then it is recommended to install a plug that will prevent it from being normally used (to make it very unlikely that the computer will be accidentally connected to a network).
Installation
Download the Live OS archive and then extract the OS image file CIYAM_Safe.x86_64-0.1.25.raw that it contains.
Windows
To extract the OS image a utility such as 7-Zip would be recommended.
Download ImageWriter.exe and run this program. Next from the Windows Explorer simply drag and drop the CIYAM_Safe.x86_64-0.1.25.raw file into the application's main window and then plug in the USB flash drive and follow the application's instructions.
Linux - SUSE
To extract the OS image simply right click on the archive file and then select the appropriate Extract action.
Next install the imagewriter software package using yast (if it is not already present) and then run this application. Using the GUI's file manager drag the OS image file onto the application's main window and then plug in the USB flash drive and then follow the application's instructions.
Linux - Console
To extract the OS image issue the following command:
> tar -zxvf CIYAM_Safe.x86_64-0.1.25.oem.tar.gz
Plug in the USB flash drive to be formatted and issue the following command (also issue it once before plugging in, so that you can be sure the last entry listed only appears after you have plugged in the USB flash drive):
> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
...
sdb 8:16 1 14.9G 0 disk
└─sdbX 8:17 1 14.9G 0 part
Next copy the OS image to the device:
DANGER: This will erase the contents of /dev/sdbX so don't run this unless you are sure it is the correct device!
> dd if=CIYAM_Safe.x86_64-0.1.25.raw of=/dev/sdbX bs=4k
NOTE: This command may take a few minutes to complete.
To verify that the write worked correctly the output of the following two commands should match:
> md5sum CIYAM_Safe.x86_64-0.1.25.raw
> md5sum /dev/sdb1
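Added example (not part of the original page or the CIYAM project): md5sum over a whole device or partition reads every byte of it, so the two sums above agree only when the target is exactly the size of the image. The sketch below compares the image with just the first image-size bytes of the target, using sha256sum in place of md5sum; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that a target (block device or file) starts with an
# exact copy of an image file. Function names are hypothetical.
#
# Usage (device name as used on this page):
#   verify_image_write CIYAM_Safe.x86_64-0.1.25.raw /dev/sdbX

# Print the SHA-256 of the first $2 bytes of file or block device $1.
prefix_sha256() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 if the target begins with the image's bytes, 1 if it does not,
# 2 if either input cannot be read.
verify_image_write() {
    image=$1
    target=$2
    [ -r "$image" ] && [ -r "$target" ] || {
        echo "cannot read '$image' or '$target'" >&2
        return 2
    }

    # Image length in bytes; the arithmetic expansion strips any padding
    # that some wc implementations add.
    size=$(( $(wc -c < "$image") ))

    want=$(sha256sum < "$image" | cut -d' ' -f1)
    # Hash only as many bytes as the image has. A target shorter than the
    # image yields a different hash and is reported as a mismatch.
    got=$(prefix_sha256 "$target" "$size")

    if [ "$want" = "$got" ]; then
        echo "OK: first $size bytes of $target match $image"
        return 0
    fi
    echo "MISMATCH: $target does not start with a copy of $image" >&2
    return 1
}
```

Run sync and re-plug the drive before verifying so that the read comes from the flash itself rather than from the kernel's page cache.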
In order for the LiveOS to also have persistence it will require another partition which can be created as follows:
> fdisk /dev/sdb1
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (661-3935, default 661):
Using default value 661
Last cylinder, +cylinders or +size{K,M,G} (661-3935, default 3935):
Using default value 3935
Command (m for help): w
The partition table has been altered!
Live OS Setup
After booting the Live OS from the USB flash drive in the offline computer you can log in by clicking on the user name tux and then typing the password linux. As the private keys will be locked using a different password there is no need to change the password for the Live OS user.
To install the CIYAM Safe scripts and code type the following from a console window:
> ./install
At this stage you might wish to use the included Firefox web browser to look at the file usage.html, which contains instructions for using the CIYAM Safe software itself, after which you would start with the following command:
> ./init
Special Notes
If zbarcam does not work with your webcam then use the included wxcam application in order to take snapshot pictures which can be scanned using zbarimg instead.
Virtual Machine Images
Whilst not recommended for normal usage the following can be helpful for testing and development purposes.
CIYAM_Safe.x86_64-0.1.25.qcow2 for KVM/QEMU.
CIYAM_Safe.x86_64-0.1.25.vmx.tar.gz for VMware/VirtualBox.