quorum-vault-system: use new mnemonic generation system

Ryan Heywood 2025-02-25 22:52:14 -05:00
parent c49352a622
commit 2237d0cd21
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
4 changed files with 18 additions and 20 deletions


@ -9,14 +9,14 @@ This setup can be done on any machine.
* In your Terminal use this command: `vi autorun.sh`
* Once you are in the editor press "i" to enter "insert mode"
* Type in the contents, replacing <N> and <M> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
* Type in the contents, replacing <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
```sh
#!/bin/sh
keyfork wizard generate-shard-secret --threshold <M> --max <N> --output shards.pgp
keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smart_cards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
```
* Press "esc"
* Press ":"
* Press "x"
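Review bot: the replacement instruction on the second `* Type in the contents` line describes all four placeholders as "threshold numbers", but only `<M>` and `<N>` are thresholds; `<number_of_smart_cards_per_operator>` is a smartcard count and `<pgp_user_id>` is a PGP User ID string. Suggest "with your chosen threshold numbers, smartcard count and PGP User ID". It is also worth saying explicitly that the shard file is now written as `shardfile.asc` instead of `shards.pgp`, so any later step that copies or hashes that file by name must use the new name.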
@ -38,4 +38,4 @@ This setup can be done on any machine.
c. Copy the `autorun.sh` file to the Storage Device
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.
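Review bot: the two `Make note of this hash` lines are identical in the visible text, so this hunk appears to be a whitespace-only change; since the contents of `autorun.sh` changed in the first hunk, consider adding a sentence here stating that any hash recorded from the previous `autorun.sh` is superseded and must be re-recorded from the new file before the next Ceremony.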


@ -28,12 +28,12 @@ as such need to be set up in a manner that minimizes exposure risks.
Ensure the User ID is your name and your email.
```
$ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
$ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
```
The `count=` variable can be provided to `provision` to ensure the correct
amount of smartcards is provisioned - the program will error if the amount
of smartcards available is not equal to the count requested.
The `--provision-count` option can be provided to ensure the correct amount
of smartcards is provisioned - the program will error if the amount of
smartcards available is not equal to the count requested.
Note: The PIN can't use sequential numbers, characters or repeated patterns.
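Review bot: the new command's `--derive='openpgp --public "Your Name <your@email.co>"'` carries no `--output`, unlike the same derive string elsewhere in this commit, which writes `certificate.asc`; either add `--output certificate.asc` or state in the prose where the derived certificate ends up, otherwise the operator does not know which file to back up. For the `--provision-count` paragraph, consider showing the full form inline once, e.g. `--provision openpgp-card --provision-count <N>`, since the removed `count=` syntax was previously visible as part of the command line.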


@ -20,9 +20,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
* Replace the values: <path_to_input_shard>
* Replace the values: <path_to_input_shard>, <pgp_user_id>
* `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --encrypto-to-self encryption_certificate.asc,userid=<namespace>`
* `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
1. Unseal an SD card pack
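Review bot: the new command drops `--encrypt-to-self` altogether (the removed line had it misspelled as `--encrypto-to-self`), so this ceremony no longer produces an encryption certificate; confirm that is intended rather than a side effect of fixing the typo. Separately, the option style is now inconsistent within the same commit: `--shard-to <path_to_input_shard>,output=shardfile.asc` passes the output file as `output=`, while `--shard-to-self shardfile.asc,...` takes it positionally. Check that `keyfork mnemonic generate` accepts both spellings, or align them.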
@ -35,9 +35,10 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Back up the files
```
$ cp shardfile.asc /media/vaults/<namespace>/
TODO (NOT IMPLEMENTED): $ cp encryption_certificate.asc /media/vaults/<namespace>/
$ cp certificate.asc /media/vaults/<namespace>/
$ cp -r /media/vaults /root/
```
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
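Review bot: `<namespace>` in the `cp` destination paths is still a placeholder the operator must fill in, but the replace-list bullet for this ceremony now names only `<path_to_input_shard>` and `<pgp_user_id>`; add `<namespace>` to that list so the backup step is not the first place it appears without explanation.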


@ -18,15 +18,12 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
{{ #include template-ceremony-setup.md:content }}
1. Run the relevant keyfork wizard to perform the ceremony:
1. Run the relevant keyfork operation to perform the ceremony:
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_cert_id> with appropriate values
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc`
* `keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'`
* TODO - NOT IMPLEMENTED:
`--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>`
1. Unseal an SD card pack by following tamper proofing steps:
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
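Review bot: placeholder names do not match within the hunk: the bullet lists `<number_of_smart_cards_per_operator>` while the command uses `cards_per_shard=<number_of_smartcards_per_operator>`; pick one spelling so an operator doing search-and-replace catches both occurrences. The rename of `<pgp_cert_id>` to `<pgp_user_id>` is consistent, as the removed TODO line was the only other use of `<pgp_cert_id>`.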
@ -39,7 +36,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
```
$ cp shardfile.asc /media/vaults/<namespace>/
$ cp keyring.asc /media/vaults/<namespace>/
TODO (NOT IMPLEMENTED): $ cp encryption_cert.asc /media/vaults/<namespace>/
$ cp certificate.asc /media/vaults/<namespace>/
$ cp -r /media/vaults /root/
```