.. _gpg-setup: Encryption Setup ================ GnuPG is used for encryption: * Create your own key, this is the key you will use to sign your distributions, .. code-block:: bash $ gpg --gen-key ... $ gpg -K ... sec 4096R/6EB7E943 ... $ gpg --export-secret-key -a > secret.key # BACK THIS UP! ... * Back this key up. It will be the only key your machines will trust! * You will need this key on your build machines to perform the encryption * Create a keyring that will be installed on the embedded platform, this is, by default, located at `/etc/fussy/keys` .. code-block:: bash $ mkdir -p /etc/fussy/keys $ chmod 0700 /etc/fussy/keys $ gpg --export -a 6EB7E943 | GNUPGHOME=/etc/fussy/keys gpg --import $ GNUPGHOME=/etc/fussy/keys gpg --edit-key 6EB7E943 trust quit # Mark as ultimately trusted... * Optionally, generate a private key for the machines to allow for obfuscating the firmware with encryption .. code-block:: bash $ GNUPGHOME=/etc/fussy/keys gpg --gen-key $ GNUPGHOME=/etc/fussy/keys gpg -K ... sec 4096R/C064B21C $ GNUPGHOME=/etc/fussy/keys gpg --export -a C064B21C | gpg --import * Anyone with access to the machine can trivially extract the key *or* the unpacked content of your packages, do *not* rely on the encryption to prevent access to the package contents. * Install the /etc/fussy/keys key-ring on your "embedded" servers (i.e. add the directory to your system-build process)