How to Use Hardware Security Modules > Prepare the air-gapped computer

Prepare the air-gapped computer

Acquire the following equipment:
- Raspberry Pi
  - For development and testing, we used a Raspberry Pi 4 Model B (Purchased as a preassembled kit (PI4-2GB-EXT128EW-C8-BLK-A).
- MicroSD Card (included in the kit above).
Download the Raspberry Pi OS Image
- Raspberry Pi OS Lite (64-bit, no desktop) – Release date: December 11th 2023. Based on Debian 12 (Bookworm). Ref: Image link
- Validate the image (hash: 9ce5e2c8c6c7637cd2227fdaaf0e34633e6ebedf05f1c88e00f833cbb644db4b)
Prepare the SD Card with the OS image:
- Download and install the Raspberry Pi Imager: https://www.raspberrypi.com/software/
- Write the image to the SD Card
Start and login to the Raspberry Pi

Install and verify the YubiHSM Shell:

Download the YubiHSM SDK package (version 2023-11) that will match the OS version (Debian 12) from the Releases page
Download the signature
Verify the package

Install the package:

$ tar -xvf yubihsm2-sdk-2023-11-debian12-amd64.tar.gz
$ sudo dpkg -i \
    yubihsm2-sdk/libykhsmauth1_*.deb \
    yubihsm2-sdk/libyubihsm1_*.deb \
    yubihsm2-sdk/libyubihsm-http1_*.deb \
    yubihsm2-sdk/libyubihsm-usb1_*.deb \
    yubihsm2-sdk/yubihsm-auth_*.deb \
    yubihsm2-sdk/yubihsm-connector_*.deb \
    yubihsm2-sdk/yubihsm-pkcs11_*.deb \
    yubihsm2-sdk/yubihsm-setup_*.deb \
    yubihsm2-sdk/yubihsm-shell_*.deb \
    yubihsm2-sdk/yubihsm-wrap_*.deb

(Optionally) Re-export the image for easier re-use by other keyholders.
Shut down the Raspberry Pi
Disconnect it from the network. This is now the “air-gapped computer” referenced in subsequent processes. From now on, this device should no longer be connected to any networks.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.