Encryption SetupΒΆ

GnuPG is used for encryption:

  • Create your own key, this is the key you will use to sign your distributions,
$ gpg --gen-key
$ gpg -K
sec   4096R/6EB7E943
$ gpg --export-secret-key -a > secret.key # BACK THIS UP!
  • Back this key up. It will be the only key your machines will trust!
  • You will need this key on your build machines to perform the encryption
  • Create a keyring that will be installed on the embedded platform, this is, by default, located at /etc/fussy/keys
$ mkdir -p /etc/fussy/keys
$ chmod 0700 /etc/fussy/keys
$ gpg --export -a 6EB7E943 | GNUPGHOME=/etc/fussy/keys gpg --import
$ GNUPGHOME=/etc/fussy/keys gpg --edit-key 6EB7E943 trust quit
# Mark as ultimately trusted...
  • Optionally, generate a private key for the machines to allow for obfuscating the firmware with encryption
  $ GNUPGHOME=/etc/fussy/keys gpg --gen-key
  $ GNUPGHOME=/etc/fussy/keys gpg -K
  sec   4096R/C064B21C
  $ GNUPGHOME=/etc/fussy/keys gpg --export -a C064B21C | gpg --import

* Anyone with access to the machine can trivially extract the key *or* the
  unpacked content of your packages, do *not* rely on the encryption to
  prevent access to the package contents.
  • Install the /etc/fussy/keys key-ring on your “embedded” servers (i.e. add the directory to your system-build process)

Project Versions

Previous topic

Fussy Firmware Packager

Next topic

Packing Your Firmware

This Page