Finally, we need to automate this process. When the BBB boots, we want it to measure the code, extend the PCR with the result, and unwrap the GPG keys so that they are ready to use. We'll write an init.d script to handle this, but first we have to decide where the unwrapped GPG key lives. We don't want an unwrapped secret key lying around on disk, even though it is protected with a passphrase. Instead, we'll keep the GPG keys on a ramfs, which never touches persistent storage: unlike tmpfs, ramfs pages are never written to swap, so the unwrapped key exists only in RAM and is gone at power-off.
To create the ramfs, add the following line to /etc/fstab:
ramfs /mnt/ramdisk ramfs nodev,nosuid,noexec,nodiratime,size=1M,uid=1000,gid=1002 0 0
Be sure to replace the uid and gid with the values for your user, which you can get by running the id command. The nodev, nosuid and noexec options keep the ramdisk from being used for anything but plain files; note that ramfs accepts the size= option but does not enforce it, so the mount can grow until memory is exhausted, which is one more reason to keep only your own user able to write there. Either reboot or run mount -a to reload fstab, then confirm that /mnt/ramdisk is mounted, is of type ramfs (not tmpfs), and is owned by your user; if the mount point is still owned by root, chown it to your user before going on.
Since GPG expects the secret keyring to live at ~/.gnupg/secring.gpg, we'll replace that file with a symlink into the ramdisk. If an unwrapped secring.gpg already exists at that path, move it out of the way first (or shred it, once you have confirmed the wrapped copy unseals correctly): ln will refuse to overwrite a regular file, and you don't want the plaintext copy left behind on disk anyway. Create the symlink:
ln -s /mnt/ramdisk/secring.gpg ~/.gnupg/secring.gpg
This layout applies to GnuPG 1.4 and 2.0. GnuPG 2.1 and later no longer use secring.gpg and keep secret keys under ~/.gnupg/private-keys-v1.d/ instead, so on a newer GnuPG the same trick has to target that directory.
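The two checks worth scripting before any key is unwrapped are that the ramdisk really is a ramfs with the expected mount options, and that the symlink does not silently paper over a plaintext keyring already sitting on disk. The following is an added example, not code from the original post; it assumes the paths above and reads the mount table from a file (defaulting to /proc/mounts) so it can also be exercised against a constructed mount table. The TPM unwrap step itself is the post's own tooling and is only marked as a comment here.

```shell
#!/bin/sh
# Added example (not part of the original post). Verifies the ramfs mount
# before the unwrapped GPG key is placed on it, then points ~/.gnupg/secring.gpg
# at the ramdisk without clobbering an on-disk keyring.
# RAMDISK, MOUNTS and GNUPGHOME defaults are assumptions for illustration.

RAMDISK="${RAMDISK:-/mnt/ramdisk}"
MOUNTS="${MOUNTS:-/proc/mounts}"     # a constructed mount table can be substituted here

# ramdisk_ok MOUNTPOINT MOUNTSFILE
# Succeeds only if MOUNTPOINT appears in MOUNTSFILE, its filesystem type is
# ramfs (tmpfs is rejected because its pages can be swapped to disk), and the
# options include nodev, nosuid and noexec. The last matching entry wins, since
# a later mount on the same path shadows earlier ones.
ramdisk_ok() {
    mp="$1"; mounts="$2"
    line=$(awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }' "$mounts")
    [ -n "$line" ] || { echo "ramdisk: $mp is not mounted" >&2; return 1; }
    set -- $line
    fstype="$3"; opts="$4"
    [ "$fstype" = "ramfs" ] || { echo "ramdisk: $mp is $fstype, expected ramfs" >&2; return 1; }
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "ramdisk: $mp is missing mount option $want" >&2; return 1 ;;
        esac
    done
    return 0
}

# link_secring GNUPGHOME RAMDISK
# Makes GNUPGHOME/secring.gpg a symlink to RAMDISK/secring.gpg. Refuses if a
# regular file is already there, so a plaintext keyring on persistent storage
# is never hidden behind the link; move or shred it deliberately first.
link_secring() {
    home="$1"; rd="$2"
    target="$rd/secring.gpg"
    link="$home/secring.gpg"
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "secring: $link is a regular file on persistent storage; refusing to replace it" >&2
        return 1
    fi
    mkdir -p "$home" && chmod 700 "$home"
    rm -f "$link"                      # drops only an old (possibly dangling) symlink
    ln -s "$target" "$link"
    [ "$(readlink "$link")" = "$target" ]
}

main() {
    ramdisk_ok "$RAMDISK" "$MOUNTS" || exit 1
    link_secring "${GNUPGHOME:-$HOME/.gnupg}" "$RAMDISK" || exit 1
    # Here the init script would unseal the TPM-wrapped keyring (the post's own
    # tpm tooling, not reproduced) and write the result to $RAMDISK/secring.gpg.
    [ -f "$RAMDISK/secring.gpg" ] && chmod 600 "$RAMDISK/secring.gpg"
    return 0
}

# Run as: sh setup-ramdisk.sh setup   (as the user who owns the keyring)
if [ "${1:-}" = "setup" ]; then
    main
fi
```

Run as the user who owns ~/.gnupg, not as root, so the symlink and the 0700 directory end up with the right owner; the mount check fails closed, so a boot where /etc/fstab was not applied leaves no key on disk and simply reports the missing mount.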
Now, we...