Field Doctrine for Sovereign Operators in Contested Reality Zones
Not for the cautious. For the untraceable.
A cryptographic initiation for those who suspect the keyboard may already be compromised.
- Assume every packet is being logged
- Your motherboard was manufactured by your adversary
- Your OS vendor is compromised
- Your social graph is weaponized
- And yes, rubber-hose decryption is still in play
Do you trust your screen? Your keyboard? Your memory? Good. Then burn this after reading.
"Buy nothing online. Connect nothing. Plug in nothing without three separate wipes and a prayer."
- Burner laptop (cash only, never online)
- Faraday cage (bag, box, or coffin)
- USB drives from unrelated vendors
- Steel dice (plastic is for tourists)
- Pen with archival ink, on paper (pencil is forgeable)
# Dockerfile.blacksite
# alpine:edge is a rolling tag: the image built today is not the one built next month.
# Pin a release (and record the digest) if the build is meant to be reproducible.
FROM alpine:edge
# apk aborts the build on any package name missing from the release you pinned; check each name against that release.
RUN apk add --no-cache \
    gnupg \
    pwgen \
    rng-tools \
    diceware \
    paperkey \
    ssss \
    qrencode \
    zbar \
    steghide \
    bash
COPY entropy-mixer.sh /usr/local/bin/
COPY cleanup.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/*.sh
ENTRYPOINT ["/bin/bash"]
# docker-compose.blacksite.yml
version: '3.8'
services:
  vault:
    build:
      context: .
      dockerfile: Dockerfile.blacksite
    container_name: gpg_blacksite
    network_mode: none
    # Drop every capability. root inside the container already owns the tmpfs mounts,
    # so DAC_OVERRIDE buys nothing and was removed.
    cap_drop: [ALL]
    read_only: true
    security_opt:
      - no-new-privileges:true
    tmpfs:
      # key material only; nothing needs to execute from here
      - /secure:noexec,nosuid,nodev,size=100m
      - /tmp:exec,nosuid,nodev,size=50m
    devices:
      # the third field is a device-cgroup permission set (subset of rwm), not a mount flag: "ro" is rejected
      - /dev/hwrng:/dev/hwrng:r        # only if the host exposes one; otherwise drop the line or compose fails
      - /dev/random:/dev/random:rw     # writable so the dice entropy can be mixed into the kernel pool
Avoid PRNG mixing unless derived with intent.
# Raw mode: the dice entropy as-is, raw and sacred. 64 d6 rolls are about 165 bits, enough on their own.
mv /secure/dice-entropy.bin /secure/final-entropy.bin
Optional Derived Mode: hash the dice bytes together with a bounded slice of the kernel pool.
head -c 32 /dev/random > /secure/system-entropy.bin    # bounded read; "sha256sum /dev/random" never terminates
# busybox has sha256sum; there is no blake2bsum binary (coreutils calls it b2sum, and Alpine's base image lacks it)
cat /secure/dice-entropy.bin /secure/system-entropy.bin | sha256sum | cut -d' ' -f1 > /secure/final-entropy.bin
# final-entropy.bin is 64 hex characters; the kernel pool hashes whatever it is fed, so hex is fine as input
entropy-mixer.sh
#!/bin/bash
# 64 d6 rolls -> 24 raw bytes, 3 bits per roll (values 0..5). That is 192 bits of output carrying
# about 165 bits of entropy (64 * log2 6); fine for seeding, but do not count it as 192.
set -euo pipefail
echo "Roll a 6-sided die 64 times and enter the results as one string of digits 1-6:"
read -r dice; dice=${dice//[[:space:]]/}
[[ "$dice" =~ ^[1-6]{64}$ ]] || { echo "need exactly 64 digits in 1..6" >&2; exit 1; }
bits=""
for ((i = 0; i < 64; i++)); do v=$(( ${dice:i:1} - 1 )); bits+=$(( v >> 2 & 1 ))$(( v >> 1 & 1 ))$(( v & 1 )); done
: > /secure/dice-entropy.bin
# awk printf has no %b, and bash printf needs a literal \xHH, so build each byte's hex digits first
for ((i = 0; i < 192; i += 8)); do printf "\\x$(printf '%02x' "$((2#${bits:i:8}))")" >> /secure/dice-entropy.bin; done
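As an added example (not part of the original doctrine), the same conversion done exactly in Python. The 3-bit-per-roll packing above is simple but lossy in its accounting: 64 rolls carry 64 * log2(6), about 165 bits, not 192, and two of the eight 3-bit patterns can never appear in the output. Treating the roll string as one base-6 integer wastes nothing, and the same arithmetic yields diceware word indices (five rolls per word, 6^5 = 7776 words), which is what the diceware package in the image is for. The sample roll string is constructed, not real dice output.

```python
"""Dice-roll entropy, done exactly (added example, not the page's entropy-mixer.sh)."""
import math

ROLLS_PER_WORD = 5  # standard diceware list: 7776 = 6**5 words


def dice_entropy_bits(n_rolls: int) -> float:
    """Exact entropy of n fair d6 rolls, in bits."""
    return n_rolls * math.log2(6)


def dice_to_int(rolls: str) -> int:
    """Read a string of digits 1..6 as one base-6 number (digit - 1 per place)."""
    rolls = "".join(rolls.split())
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be digits 1-6 only")
    value = 0
    for c in rolls:
        value = value * 6 + (int(c) - 1)
    return value


def dice_to_bytes(rolls: str) -> bytes:
    """Big-endian bytes of the base-6 value, sized to the entropy actually present."""
    n_rolls = len("".join(rolls.split()))
    n_bytes = math.ceil(dice_entropy_bits(n_rolls) / 8)
    return dice_to_int(rolls).to_bytes(n_bytes, "big")


def three_bit_pack(rolls: str) -> bytes:
    """The page's scheme, for comparison: 3 bits per roll, only values 0..5 occur."""
    bits = "".join(format(int(c) - 1, "03b") for c in "".join(rolls.split()))
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def diceware_indices(rolls: str) -> list[int]:
    """Word-list indices (0..7775) from groups of five rolls; a partial group is rejected."""
    rolls = "".join(rolls.split())
    if len(rolls) % ROLLS_PER_WORD:
        raise ValueError(f"need a multiple of {ROLLS_PER_WORD} rolls")
    return [dice_to_int(rolls[i:i + ROLLS_PER_WORD])
            for i in range(0, len(rolls), ROLLS_PER_WORD)]


if __name__ == "__main__":
    # constructed sample: 64 rolls, not real dice output
    sample = "3142653124566345213465123456123456234561345612456123563412345621"
    print(f"{len(sample)} rolls = {dice_entropy_bits(len(sample)):.1f} bits of entropy")
    exact = dice_to_bytes(sample)
    packed = three_bit_pack(sample)
    print("exact base-6:", exact.hex(), f"({len(exact)} bytes)")
    print("3-bit packed:", packed.hex(), f"({len(packed)} bytes, 192 bits carrying ~165)")
    print("diceware indices, first 30 rolls:", diceware_indices(sample[:30]))
```

Fewer output bytes from the exact conversion is the point: 21 bytes that are all entropy, instead of 24 that are not.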
export GNUPGHOME=/secure/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
# GnuPG ignores RANDFILE (that is an OpenSSL variable). libgcrypt seeds from /dev/random, so put the dice bytes there:
# the kernel mixes written data into its pool (without crediting it), and key generation then draws from that pool.
cat /secure/final-entropy.bin > /dev/random
gpg --expert --full-generate-key
# ECC preferred: Curve25519 (ed25519 for C/S/A, cv25519 for E)
# With --expert, pick "ECC (set your own capabilities)" and toggle the primary down to Certify only;
# then add Sign, Encrypt and Auth as separate subkeys (addkey in --edit-key), so the primary can stay offline
gpg --export-secret-keys [KEYID] > secret.gpg          # binary export; paperkey wants raw OpenPGP packets
paperkey --secret-key secret.gpg --output paper.txt    # secret parts only; restoring needs paper.txt plus the public key
# ssss accepts a secret of at most 128 bytes, so paper.txt itself cannot be split. Split the key passphrase instead:
# paper.txt stays passphrase-protected, and any 3 of the 5 shares recover what unlocks it.
ssss-split -t 3 -n 5 > paper-passphrase-shares.txt     # enter the key passphrase at the prompt
split -b 1000 paper.txt qr_
for part in qr_*; do
    qrencode -8 -l M -o "$part.png" < "$part"          # -8: 8-bit byte mode; -l M: medium error correction for print
done
# omit -p to be prompted instead: a password on the command line lands in shell history and in ps output
steghide embed -cf ./img/vacation.jpg -ef secret.gpg -p "$STEG_PW"
gpg --export-secret-subkeys [KEYID] > subkeys.gpg      # the primary is replaced by a stub in this export
# On the daily machine (fresh keyring, never the vault): import only the subkeys, so the primary is never present there
gpg --import subkeys.gpg
gpg --list-secret-keys --with-keygrip   # "sec#" on the primary means stub only; the subkeys show as "ssb"
gpg --edit-key [KEYID]
> key 1             # select one subkey (key N), then move it; repeat for each subkey
> keytocard
#!/bin/bash
# cleanup.sh: overwrite and unlink the tmpfs vault. tmpfs is RAM and dies with the container, but shred cannot reach swap, so run with none.
find /secure -type f -exec shred -vfz -n 5 {} \;
# drop_caches needs a writable /proc/sys, which the read_only, cap-dropped container does not have; this is host-side only
sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true; sync
gpg --output revoke.asc --gen-revoke [KEYID]    # GnuPG 2.1+ also stores one automatically in $GNUPGHOME/openpgp-revocs.d/
gpg --armor --output revoke.enc.asc --symmetric revoke.asc    # anyone holding revoke.asc can kill the key: encrypt it
ssss-split -t 2 -n 3 > revoke-shares.txt        # enter the passphrase for revoke.enc.asc; revoke.asc itself exceeds ssss's 128-byte limit
- Signal (sealed fingerprint pre-exchanged)
- Tox (shared QR offline)
- Dead drops (geo-coordinated)
- IPFS bulletin board (signed updates)
- Mastodon alt with vanity keygrip
- Ham radio w/ pre-coded call-signs
- No cross-project identity reuse
- No signing of social content
- No passive metadata
- Annual subkey rotation
- Plausible deniability always
- Burner machine configured
- Vault built and verified
- Keys generated under ritual
- Backups split and secured
- Emergency plans rehearsed
- Trusted contact protocol defined
"You are not paranoid if they are logging every keystroke." - Unknown Operator, 2017