~nytpu/sbhk

Simple Bootable Hardware Keystore

#SBHK — Simple Bootable Hardware Keystore

SBHK is an extraordinarily minimalist system (the full system image is only ~35 MB) that helps you manage and store PGP and other encryption and signing keys.

SBHK was originally inspired by a post by @epoch@tilde.zone. That thread also contains my justification for why you'd use this over something like Tails.

#Features

  • No networking drivers or capability. Still not as secure as a truly air-gapped computer, but as secure as you'll get with software alone.
  • Ephemeral root partition, reset back to the original state after every reboot. The encrypted and unencrypted persistent partitions are not affected.
  • Contains GnuPG for signing and encryption, and OpenBSD's signify utility for simple, high-reliability signing.
  • Full-strength LUKS encryption for the encrypted “keystore” partition.
  • Full busybox coreutils and useful custom scripts.
  • Full documentation on setup and usage, included both online and offline in the distribution itself.

#Caveats

I am not a cryptography or security expert. I am not an expert at hardening systems. While SBHK's security setup makes use of existing software and common sense configuration, I make no guarantees that I didn't miss some setting that would've improved security. If you can make a suggestion or improvement, please email me privately at <alex [at] nytpu.com>.

Note that one of the primary goals for SBHK was to not write anything I don't have to myself. I tried to "stand on the shoulders of giants" and rely on software written by people that actually know what they're doing, and I'm mostly gluing them together into a coherent distribution.

On randomness when encrypting drives and generating passwords: I include various daemons and tools such as jitter-entropy and haveged to ensure that the randomness pool will stay updated with randomness, but I still recommend typing and doing something to seed the randomness pool before encrypting or generating anything secure.
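The features listed above (no network drivers, a LUKS-encrypted keystore partition) and the entropy caveat are properties you can confirm from inside the booted system before generating or using a key. The script below is an added example written for this page, not an SBHK script; it uses only POSIX sh and busybox tools, and every path is a parameter (the defaults are the normal Linux locations) so the checks can be exercised against a constructed directory tree. The LUKS magic bytes it looks for are the on-disk format constant, not something the page states.

```shell
#!/bin/sh
# Added example, not part of SBHK: checks to run in the booted keystore
# session before generating or using keys. POSIX sh and busybox tools only,
# since that is what the image ships. Every path is a parameter (defaults
# are the normal Linux locations) so the checks can be tested on fake files.

# no_network_interfaces [SYSFS_NET_DIR]
#   Succeed only if the kernel exposes no interface besides loopback. SBHK
#   ships no network drivers, so anything else means a driver got in
#   (a modified build, for instance) and the box is not as isolated as assumed.
no_network_interfaces() {
    netdir=${1:-/sys/class/net}
    found=""
    for ifc in "$netdir"/*; do
        [ -e "$ifc" ] || continue            # the glob matched nothing
        name=$(basename "$ifc")
        if [ "$name" != lo ]; then
            found="$found $name"
        fi
    done
    if [ -n "$found" ]; then
        echo "unexpected network interfaces:$found" >&2
        return 1
    fi
    return 0
}

# is_luks_device DEVICE
#   Confirm the LUKS magic "LUKS\xba\xbe" at offset 0 without cryptsetup.
#   LUKS1 and LUKS2 share this magic; the LUKS2 secondary header copy is not
#   checked. Rejecting a plain partition here stops you from dropping keys
#   onto the unencrypted persistent partition by mistake.
is_luks_device() {
    dev=$1
    magic=$(dd if="$dev" bs=6 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# entropy_ready [MIN_BITS] [ENTROPY_FILE]
#   Check the kernel's entropy estimate. Kernels since 5.18 report a fixed
#   256 once the CRNG is seeded; older kernels count down from the pool
#   size, so on those the value genuinely tells you whether to wait.
entropy_ready() {
    min=${1:-256}
    file=${2:-/proc/sys/kernel/random/entropy_avail}
    avail=$(cat "$file" 2>/dev/null) || return 1
    case $avail in
        ''|*[!0-9]*) return 1 ;;             # unreadable or not a number
    esac
    [ "$avail" -ge "$min" ]
}

# preflight KEYSTORE_DEVICE
#   Run all checks with default paths; exit status is nonzero if any fails.
preflight() {
    rc=0
    no_network_interfaces || rc=1
    if is_luks_device "$1"; then
        echo "LUKS header present on $1"
    else
        echo "no LUKS header on $1: not the encrypted keystore" >&2; rc=1
    fi
    if entropy_ready; then
        echo "entropy pool ready"
    else
        echo "entropy pool low: type on the keyboard for a while and retry" >&2; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh /dev/sdX3   (the LUKS keystore partition)
[ "$#" -eq 0 ] || preflight "$1"
```

Run it against the keystore partition before unlocking it. The network check is deliberately strict: on this image there is no legitimate reason for anything other than `lo` to appear under /sys/class/net.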

Finally, I must draw attention to the final three paragraphs in Copyright and Legal.

#Installing

#Requirements

  • x86 or x86_64 system capable of booting from external media.
  • At least 30 MiB of external media to boot from, such as a CD or USB drive (USB drive recommended). The entire disk will be wiped.
  • Two data partitions (at least 50 MiB each recommended) on external media that you don't mind reformatting.

Using one USB drive with three partitions (one boot, two data) is the recommended setup.

#Downloading

ISOs for SBHK Release 5 can be downloaded from https://nytpu.com/releases/sbhk/. Also download the checksums and signatures, and verify the image before writing it to media. My GPG key is available via gpg --locate-external-key alex@nytpu.com, and my signify key can be found at https://nytpu.com/about.gmi.

It is recommended to download the x86_64 version unless you know you'll be using it on a 32-bit computer. While the plain x86 distribution should work on 64-bit computers, I've run into bizarre issues and I can't recommend it unless you know you need it.
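Before writing the image to a USB drive, run the checksum and signature checks the Downloading section asks for. The script below is an added example written for this page, not part of SBHK or its release tooling. It assumes the checksum list is in sha256sum format (the release file names and digest algorithm are not given on this page, so adjust them), that the GPG and signify signatures are detached files, and it takes the signing key's fingerprint as an argument so that a valid signature from some other key in your keyring is not mistaken for the author's.

```shell
#!/bin/sh
# Added example, not SBHK's own code: verify a downloaded release image
# against the published checksum list and detached signatures before
# writing it to media. Assumptions not stated on the project page: the
# checksum file is in `sha256sum` format, the GPG signature is a detached
# file, and on Linux the signify binary may be installed as signify-openbsd.

# verify_checksum SUMS ISO
#   Check ISO against its own line in SUMS. Fails if the entry is missing
#   or the digest differs. (Filenames containing spaces are not handled.)
verify_checksum() {
    sums=$1; iso=$2
    dir=$(dirname "$iso"); name=$(basename "$iso")
    # Select only this file's entry, accepting both "hash  name" and the
    # binary-mode "hash *name" form, so other images listed in SUMS that
    # were not downloaded do not make the check fail.
    line=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print }' "$sums")
    if [ -z "$line" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    if (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --status -); then
        echo "checksum OK: $name"
    else
        echo "CHECKSUM MISMATCH: $name" >&2
        return 1
    fi
}

# verify_gpg SIG FILE FINGERPRINT
#   `gpg --verify` exits 0 for a valid signature by any key in your keyring,
#   so additionally require that the VALIDSIG status line names the expected
#   signing key or its primary key. FINGERPRINT is the full 40-hex-digit
#   fingerprint you obtained and checked out of band.
verify_gpg() {
    sig=$1; file=$2; want=$3
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        awk -v fpr="$want" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit !ok }'
}

# verify_signify PUBKEY SIG FILE
#   signify has no keyring: the public key file you pass is the trust anchor.
verify_signify() {
    pub=$1; sig=$2; file=$3
    bin=signify
    command -v signify >/dev/null 2>&1 || bin=signify-openbsd   # Debian/Ubuntu name
    "$bin" -V -p "$pub" -x "$sig" -m "$file"
}

# Usage: sh verify-sbhk.sh SHA256SUMS sbhk.iso [sbhk.iso.asc FINGERPRINT]
if [ "$#" -ge 2 ]; then
    verify_checksum "$1" "$2" || exit 1
    if [ "$#" -ge 4 ]; then
        verify_gpg "$3" "$2" "$4" || { echo "GPG signature check failed" >&2; exit 1; }
        echo "GPG signature OK"
    fi
fi
```

The fingerprint pin matters because gpg reports success for any key it knows. `gpg --locate-external-key` fetches the key over WKD from the same domain that serves the ISO, so compare the fingerprint it prints against a second source before relying on it. Checksums alone only catch corruption; the signatures are what tie the image to the author.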

If you'd like to make modifications or be able to fully audit the build yourself you can follow the compiling directions.

#Installing

See the device setup guide.

#Compiling

#Requirements

#Building

Forewarning: On my 2015 Macbook Pro running Linux, it takes around 45 minutes for a fresh build not including the source code downloads. YMMV, but expect a from-scratch build to take a long time.

git clone https://git.sr.ht/~nytpu/sbhk && cd sbhk
make

You will find the ISO at images/rootfs.iso9660.

#Contributing

The upstream URL of this project is https://sr.ht/~nytpu/sbhk. Send suggestions, bugs, patches, and other contributions to ~nytpu/public-inbox@lists.sr.ht. For help sending a patch through email, see https://git-send-email.io. You can browse the list archives at https://lists.sr.ht/~nytpu/public-inbox. View bug reports at https://todo.sr.ht/~nytpu/general.

#See Also

#Copyright and Legal

Copyright (C) 2021 nytpu <alex [at] nytpu.com>.

Licensed under the terms of the GNU General Public License, version 3. You can view a copy of the GNU GPL in LICENSE or at https://www.gnu.org/licenses/gpl-3.0.html.

The documentation for SBHK in doc/ is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International license. You can view a copy of the CC BY-SA 4.0 in doc/LICENSE or at https://creativecommons.org/licenses/by-sa/4.0/.

SBHK uses numerous utilities that are built by buildroot, all of which have their own licenses. The source code is either unmodified or provided with SBHK. You can run make legal-info in a local clone of the repository to get all of the licenses and source code modifications collated into one directory.

DISCLAIMER: I am not a security expert. I wouldn't even say that I have “above average” knowledge of system hardening compared to the average programmer. As such, I must emphasize the following paragraphs of the license:

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.