This repository has been archived by the owner on Jun 18, 2019. It is now read-only.

Document Use Case: Offline Archive Storage #50

Open
justintroutman opened this issue Jun 23, 2017 · 5 comments

Comments

@justintroutman
Contributor

Feature Request

Description

Document the use case of storing "shards" offline for safe archival.

@garrettr
Contributor

I think this issue's OP is slightly confused, and certainly lacks sufficient detail. IIRC from the conversations around the time this issue was created, the goal was to clearly document how to use Sunder to encrypt the passphrase for a Veracrypt volume, with the following requirements:

  1. The Veracrypt volume should be stored on an airgapped machine
  2. We should document how to set up Veracrypt and Sunder on an airgapped computer.
  3. We should document how to set up the Veracrypt volume, including:
    • Generating a strong passphrase for the volume. This passphrase is the secret that will be shared.

Furthermore, I think this was all supposed to be done on Tails, which introduces some significant challenges.
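The workflow proposed above (generate a strong volume passphrase, then split it into shards of which a threshold can rebuild it) is a Shamir secret-sharing scheme. The following is an added illustration written for this page, not Sunder's own code or CLI: a minimal byte-wise Shamir split/recombine over GF(2^8), with the AES reduction polynomial and the k/n parameters chosen as assumptions.

```python
import secrets

def _gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def _gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 in GF(2^8) (a must be non-zero)."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def generate_passphrase(nbytes: int = 32) -> bytes:
    """Strong random volume passphrase (URL-safe text, from the OS CSPRNG)."""
    return secrets.token_urlsafe(nbytes).encode()

def split_secret(secret: bytes, k: int, n: int) -> list[bytes]:
    """Split secret into n shards; any k of them reconstruct it. Shard byte 0 is its x index."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shards = [bytearray([x]) for x in range(1, n + 1)]
    for byte in secret:
        # Random polynomial of degree k-1 whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            shards[x - 1].append(y)
    return [bytes(s) for s in shards]

def combine_shards(shards: list[bytes]) -> bytes:
    """Lagrange-interpolate each byte position at x = 0 from any k distinct shards."""
    xs = [s[0] for s in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    out = bytearray()
    for i in range(1, len(shards[0])):
        acc = 0
        for j, sj in enumerate(shards):
            num = den = 1
            for m in range(len(shards)):
                if m != j:  # L_j(0) = prod x_m / (x_j - x_m); subtraction is XOR here
                    num = _gf_mul(num, xs[m])
                    den = _gf_mul(den, xs[m] ^ xs[j])
            acc ^= _gf_mul(sj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

Fewer than k shards yield an unrelated value rather than an error, which is why the threshold, not the shard count, is the security parameter to document.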

@garrettr
Contributor

I'm doing some research and testing now to see how viable the above proposal is.

@garrettr
Contributor

Tails' support for Veracrypt is mediocre at best. Here are some of the pain points I encountered while testing with Tails 3.5:

  • Veracrypt is not preinstalled in Tails
  • There is no veracrypt apt package. Installing veracrypt is fairly involved and requires using the Terminal:
    1. Download Linux .tar.bz2 from https://www.veracrypt.fr/en/Downloads.html
      • Optionally download PGP key and signature and verify package. Without additional instructions for using the GPG web of trust to verify the Veracrypt PGP key, this provides no additional security for all of the hassle involved.
    2. Unpack .tar.bz2 by double-clicking or with tar on command line
    3. In unpacked directory, find and run correct setup script. There is no way to run the setup script from the GUI—I had to use the command line.
    4. Click through and agree to various prompts in setup script. The setup script requires an administrator password to be set.
    5. Run veracrypt from the command line. It did not set up a graphical alias in the Tails menus (like Sunder's .deb does) and I found no way to make it do so.
  • Veracrypt volumes interact confusingly with the Tails file manager (e.g. unmounting a volume from Nautilus does something different from unmounting a volume inside Veracrypt).

There is a detailed design document for Tails/Veracrypt integration, but AFAICT none of it has been implemented yet.

@garrettr
Contributor

The Sunder/Veracrypt integration works on Tails, which is nice.

@garrettr
Contributor

I could not find any reasonable way to persist an installation of Sunder or Veracrypt on Tails. I tried enabling the APT Packages and APT Lists persistence options, and added the packages I wanted to persist to live-additional-software.conf per the documentation for the experimental "additional software packages" feature. I was able to persist a package that is not included in the default Tails install but is available through the package manager (I used htop for testing). Unfortunately, I was not able to persist either sunder (installed via dpkg) or veracrypt (installed via install script).

As a result, I believe this issue is impossible to resolve with documentation alone. I see a few options:

  1. Write helper scripts for Tails to persist Sunder and Veracrypt across restarts
  2. Drop requirement to use Tails, and document using a different base OS for the airgapped computer (e.g. Debian or Ubuntu)
  3. Drop requirement to use Linux, and document using a different base OS for the airgapped computer (e.g. macOS)
