Goal

Build a functional airgapped system and learn secure methods for transferring data to and from it without network connectivity.

Prerequisites: Week 9a (Physical Security Fundamentals)

This is Part 2 of 3 - Covers system setup and data transfer workflows.


1. Building Your Airgapped System

Operating System Setup

Recommended: Minimal Debian or Arch

# Create bootable USB installer (on networked machine)
dd if=debian-netinst.iso of=/dev/sdX bs=4M status=progress

# Boot target airgap machine from USB
# During installation:
# - Do NOT configure network (skip this step)
# - Enable full-disk encryption (LUKS)
# - Set strong passphrase (20+ characters)
# - Minimal package selection (no desktop if CLI-only)

Post-Install Hardening

# 1. Verify no network interfaces active
ip link show
# Should show only 'lo' (loopback) - no eth0, wlan0, etc.

# 2. Disable all network services permanently
sudo systemctl disable NetworkManager
sudo systemctl mask NetworkManager
sudo systemctl disable systemd-networkd
sudo systemctl mask systemd-networkd
sudo systemctl disable bluetooth
sudo systemctl mask bluetooth

# 3. Remove network packages (optional, extreme)
sudo apt purge network-manager wpasupplicant bluetooth bluez

# 4. Verify networking is truly disabled
sudo systemctl list-units --type=service --state=running | grep -i net
# Should return nothing

# 5. Set BIOS password to prevent boot order changes
# (Enter BIOS setup during boot, varies by manufacturer)

2. Secure Data Transfer Methods

Option 1: QR Code Transfer (Small Text Data)

When to use: GPG public keys, Bitcoin addresses, short messages, signatures

Advantages:

  • Visual verification (can review QR on screen)
  • No USB connection required
  • Difficult to intercept remotely

Disadvantages:

  • Limited data size (~3KB per QR max)
  • Requires camera or scanner
  • Slower for large data

Encode Data as QR

# Install tools
sudo apt install qrencode zbar-tools

# Encode a text file (the file's bytes become the QR payload)
qrencode -o pubkey-qr.png < gpg-pubkey.asc

# Or encode a short string directly
echo "important message" | qrencode -t ansiutf8
# Displays QR in terminal (for phone camera scan)

# For larger files, split into multiple QRs (each chunk must stay under one QR's capacity)
split -b 2000 large-file.txt chunk-
for file in chunk-*; do
  qrencode -o "$file.png" < "$file"
done
# Produces chunk-aa, chunk-ab, ...; after scanning, reassemble in that order:
# cat chunk-aa chunk-ab ... > large-file.txt

Decode QR on Airgap

# From image file
# --raw drops the 'QR-Code:' type prefix zbarimg would otherwise prepend
# (which would corrupt the file and break the hash check); -q silences
# the "scanned N barcode symbols" status line
zbarimg --raw -q pubkey-qr.png > decoded.txt
# Note: zbarimg appends a newline after each decoded symbol

# From webcam (if you kept it connected)
zbarcam --raw > decoded.txt
# Hold QR up to camera

# Verify decoded data matches original
sha256sum decoded.txt
# Compare hash with the value computed on the source system
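As an added example (not from the course material), a pair of shell functions that frame each chunk of the multi-QR workflow with its index, the chunk count and the SHA-256 of the whole file, so the receiver can reassemble scanned chunks in order and refuse a missing, duplicated or stray scan; the names qr_pack, qr_unpack and the AGX header tag are my own, and the code assumes GNU coreutils (split -d, base64 -w0, sha256sum).

```shell
# qr_pack FILE OUTDIR: split FILE into framed text chunks OUTDIR/001.txt, ...
# Line 1 "AGX i/N <sha256 of whole file>" lets the receiver order chunks and
# reject scans from another transfer; line 2 is the chunk payload in base64
# (text-safe for QR). Display each with: qrencode -t ansiutf8 < OUTDIR/001.txt
qr_pack() {
  file=$1; out=$2; size=1500            # 1500 raw bytes -> 2000 base64 chars
  sum=$(sha256sum "$file" | cut -d' ' -f1)
  total=$(( ($(wc -c < "$file") + size - 1) / size ))
  mkdir -p "$out"
  split -b "$size" -d -a 3 "$file" "$out/raw-"
  i=0
  for c in "$out"/raw-*; do
    i=$((i + 1))
    { printf 'AGX %d/%d %s\n' "$i" "$total" "$sum"; base64 -w0 "$c"; echo; } \
      > "$out/$(printf '%03d' "$i").txt"
    rm -f "$c"
  done
  echo "$sum"                            # record this out of band
}

# qr_unpack INDIR OUTFILE: INDIR holds one scanned chunk per *.txt (e.g. the
# output of zbarimg --raw); reassembles OUTFILE and fails on a missing,
# duplicate or foreign chunk, or if the whole-file hash differs from the header.
die() { echo "qr_unpack: $1" >&2; rm -rf "$tmp"; }
qr_unpack() {
  in=$1; outfile=$2; tmp=$(mktemp -d); expect=""; total=0
  for f in "$in"/*.txt; do
    hdr=$(head -n 1 "$f"); rest=${hdr#* }
    idx=${rest%%/*}; rest=${rest#*/}; n=${rest%% *}; sum=${rest#* }
    [ "${hdr%% *}" = AGX ] || { die "bad header in $f"; return 1; }
    [ -n "$expect" ] || { expect=$sum; total=$n; }   # first chunk sets the expectation
    [ "$sum" = "$expect" ] && [ "$n" = "$total" ] || { die "$f is from another file"; return 1; }
    dst=$tmp/$(printf '%05d' "$idx")
    [ ! -e "$dst" ] || { die "duplicate chunk $idx"; return 1; }
    sed -n 2p "$f" | base64 -d > "$dst"
  done
  got=$(ls "$tmp" | wc -l)
  [ "$got" -eq "$total" ] || { die "have $got of $total chunks"; return 1; }
  cat "$tmp"/* > "$outfile"; rm -rf "$tmp"         # zero-padded names sort in order
  actual=$(sha256sum "$outfile" | cut -d' ' -f1)
  [ "$actual" = "$expect" ] || { echo "qr_unpack: hash mismatch" >&2; return 1; }
  echo "$expect"
}
```

On the airgap, save each zbarimg --raw result as its own .txt file in one directory, then call qr_unpack on that directory; the printed digest should equal the one qr_pack printed on the source.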

Option 2: Encrypted USB Transfer (Larger Files)

When to use: Software updates, large documents, encrypted backups

Threat model: Assumes USB might be compromised - need cryptographic verification

Prepare Encrypted Transfer USB

# ON SOURCE (NETWORKED) MACHINE:

# 1. Identify USB device
lsblk
# Note device name (e.g., /dev/sdb)

# 2. Wipe USB completely
sudo dd if=/dev/zero of=/dev/sdb bs=4M status=progress
# WARNING: This erases ALL data on the USB!

# 3. Encrypt with LUKS
sudo cryptsetup luksFormat /dev/sdb
# Enter strong passphrase (different from airgap passphrase!)

# 4. Open encrypted USB
sudo cryptsetup luksOpen /dev/sdb transfer_usb

# 5. Create filesystem
sudo mkfs.ext4 /dev/mapper/transfer_usb

# 6. Mount it
sudo mkdir /mnt/transfer
sudo mount /dev/mapper/transfer_usb /mnt/transfer

# 7. Copy files AND create verification hashes
sudo cp important-file.bin /mnt/transfer/
sha256sum important-file.bin > important-file.bin.sha256
sudo cp important-file.bin.sha256 /mnt/transfer/

# 8. Unmount and close
sudo umount /mnt/transfer
sudo cryptsetup luksClose transfer_usb

Verify and Use on Airgap

# ON AIRGAP MACHINE:

# 1. Open encrypted USB
sudo cryptsetup luksOpen /dev/sdb transfer_usb
sudo mount /dev/mapper/transfer_usb /mnt/transfer

# 2. CRITICAL: Verify cryptographic hash BEFORE using file
cd /mnt/transfer
sha256sum -c important-file.bin.sha256
# Must show: important-file.bin: OK
# Also compare the digest (sha256sum important-file.bin) with the value you
# noted on the source machine: a .sha256 file carried on the same USB only
# catches corruption, since whoever could replace the file could replace it too

# 3. Only if hash matches, copy to airgap
cp important-file.bin ~/verified-data/

# 4. Clean up USB before returning to networked machine
sudo shred -vfz -n 3 /mnt/transfer/*
sudo umount /mnt/transfer
sudo cryptsetup luksClose transfer_usb

Option 3: Paper Backups (Ultimate Offline)

When to use: GPG revocation certificates, seed phrases, emergency recovery keys

# Print GPG key to paper with QR backup
# (replace user@example.com with your key's user ID or key ID)
gpg --armor --export user@example.com > gpg-key.asc
qrencode -o gpg-key-qr.png < gpg-key.asc
lpr gpg-key.asc  # Print text version
lpr gpg-key-qr.png  # Print QR version

# Store in fireproof safe or safety deposit box

Best practices:

  • Use acid-free archival paper
  • Laser printer (won’t smudge if wet)
  • Multiple copies in separate physical locations
  • Laminate or use waterproof sleeves
  • Test recovery procedure annually

3. Hands-On Labs

Lab 1: Build a Basic Airgap System

Objective: Create a truly airgapped device from old hardware

Materials needed:

  • Old laptop or Raspberry Pi
  • USB drive with Debian installer
  • Screwdriver (for hardware modifications)

Steps:

  1. Back up any data on the old laptop
  2. Physically remove Wi-Fi card from motherboard (YouTube guides for your model)
  3. Boot from Debian installer USB
  4. Install with full-disk encryption, NO network configuration
  5. After installation, verify no network interfaces: ip link show
  6. Test: Try to ping anything - should fail completely
  7. Create an access log system as documented in Part 1 (Week 9a)

Deliverable: Fully offline, network-incapable Linux system


Lab 2: QR Code Transfer Workflow

Objective: Transfer GPG public key from networked machine to airgap via QR

Steps:

  1. On networked machine:

    gpg --armor --export user@example.com > pubkey.asc  # your key's user ID or key ID
    qrencode -o pubkey-qr.png < pubkey.asc
    display pubkey-qr.png  # or open in image viewer
    
  2. On airgap machine (with webcam):

    zbarcam --raw > received-key.asc
    # --raw omits the 'QR-Code:' type prefix that would otherwise corrupt the key file
    # Hold QR code up to camera
    # Ctrl+C when complete
    
  3. Verify integrity:

    # Compare fingerprints
    gpg --show-keys received-key.asc
    # Should match original key fingerprint
    
  4. Import to airgap keyring:

    gpg --import received-key.asc
    

Deliverable: GPG key successfully transferred and verified via QR


Lab 3: Encrypted USB Data Transfer with Verification

Objective: Securely transfer a file from networked machine to airgap with cryptographic verification

Scenario: You need to transfer a security tool update to your airgap machine

Steps:

  1. On networked machine:

    # Prepare transfer USB
    sudo cryptsetup luksFormat /dev/sdb
    sudo cryptsetup luksOpen /dev/sdb transfer
    sudo mkfs.ext4 /dev/mapper/transfer
    sudo mount /dev/mapper/transfer /mnt/transfer
    
    # Copy file and create hash
    wget https://example.com/tool.tar.gz
    sha256sum tool.tar.gz > tool.tar.gz.sha256
    sudo cp tool.tar.gz tool.tar.gz.sha256 /mnt/transfer/
    
    # Unmount
    sudo umount /mnt/transfer
    sudo cryptsetup luksClose transfer
    
  2. On airgap machine:

    # Open transfer USB
    sudo cryptsetup luksOpen /dev/sdb transfer
    sudo mount /dev/mapper/transfer /mnt/transfer
    
    # CRITICAL: Verify hash FIRST
    cd /mnt/transfer
    sha256sum -c tool.tar.gz.sha256
    # Must show: tool.tar.gz: OK
    # Then compare the digest with the value recorded on the networked machine
    
    # Only if verified, copy
    cp tool.tar.gz ~/verified-tools/
    
    # Wipe USB
    sudo shred -vfz -n 3 /mnt/transfer/*
    sudo umount /mnt/transfer
    sudo cryptsetup luksClose transfer
    

Deliverable: File successfully transferred with cryptographic verification
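As an added example (not part of the course), a shell function for the "verify before use" step of Option 2 and Lab 3 that also checks the digest against a value brought over by a separate channel (read off the source screen, written down, or sent with the QR workflow in Option 1); that second comparison is what catches a USB on which the file and its .sha256 sidecar were both replaced. verify_transfer and its argument names are my own; it assumes the sidecar was written with sha256sum as shown above.

```shell
# verify_transfer FILE EXPECTED_SHA256 DESTDIR
# Recomputes the SHA-256 of FILE on the airgap and requires it to equal both
#   - the sidecar FILE.sha256 carried on the USB (catches corruption), and
#   - EXPECTED_SHA256, the digest recorded on the source machine and carried
#     by another channel (catches a swapped file with a matching sidecar).
# Copies FILE into DESTDIR only when both checks pass; nothing is copied otherwise.
verify_transfer() {
  file=$1; expected=$2; dest=$3
  [ -f "$file" ] && [ -f "$file.sha256" ] || { echo "missing $file or its .sha256" >&2; return 1; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  sidecar=$(cut -d' ' -f1 "$file.sha256")
  name=$(awk '{print $2}' "$file.sha256")      # sha256sum writes "<digest>  <name>"
  # a sidecar naming a different file would let sha256sum -c verify the wrong thing
  [ "$name" = "$(basename "$file")" ] || { echo "sidecar names $name, not $(basename "$file")" >&2; return 1; }
  [ "$actual" = "$sidecar" ] || { echo "sidecar mismatch: file corrupt or tampered" >&2; return 1; }
  [ "$actual" = "$expected" ] || { echo "out-of-band digest mismatch: refusing to import" >&2; return 1; }
  mkdir -p "$dest" && cp "$file" "$dest/" && echo "imported $(basename "$file") $actual"
}
```

Example call on the airgap, with the digest typed in from your note: verify_transfer /mnt/transfer/tool.tar.gz <digest-from-source> ~/verified-tools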


Up Next

Week 9c covers USB threat mitigation (usbguard), building your cypherpunk field kit, and strategic decision-making for physical security scenarios.


Key Takeaways

  • Minimal OS installation - Skip network configuration entirely during setup
  • Verify network isolation - ip link show should only show loopback
  • QR codes for small data - Visual, verifiable, no USB risk
  • Encrypted USB for large files - LUKS encryption + hash verification
  • Paper backups for critical keys - Ultimate offline storage
  • Always verify before trusting - Hash checks are non-negotiable