Encryption Setup

GnuPG is used for encryption:

• Create your own key, this is the key you will use to sign your distributions,

$ gpg --gen-key
...
$ gpg -K
...
sec   4096R/6EB7E943
...
$ gpg --export-secret-key -a > secret.key # BACK THIS UP!
...

• Back this key up. It will be the only key your machines will trust!
• You will need this key on your build machines to perform the encryption
• Create a keyring that will be installed on the embedded platform, this is, by default, located at /etc/fussy/keys

$ mkdir -p /etc/fussy/keys
$ chmod 0700 /etc/fussy/keys
$ gpg --export -a 6EB7E943 | GNUPGHOME=/etc/fussy/keys gpg --import
$ GNUPGHOME=/etc/fussy/keys gpg --edit-key 6EB7E943 trust quit
# Mark as ultimately trusted...

• Optionally, generate a private key for the machines to allow for obfuscating the firmware with encryption

  $ GNUPGHOME=/etc/fussy/keys gpg --gen-key
  $ GNUPGHOME=/etc/fussy/keys gpg -K
  ...
  sec   4096R/C064B21C
  $ GNUPGHOME=/etc/fussy/keys gpg --export -a C064B21C | gpg --import

* Anyone with access to the machine can trivially extract the key *or* the
  unpacked content of your packages, do *not* rely on the encryption to
  prevent access to the package contents.

• Install the /etc/fussy/keys key-ring on your “embedded” servers (i.e. add the directory to your system-build process)