quorum-vault-system: use new mnemonic generation system
parent c49352a622
commit 2237d0cd21
|
@ -9,14 +9,14 @@ This setup can be done on any machine.
|
|||
* In your Terminal use this command: `vi autorun.sh`
|
||||
|
||||
* Once you are in the editor press "i" to enter "insert mode"
|
||||
|
||||
* Type in the contents, replacing <N> and <M> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
|
||||
|
||||
|
||||
* Type in the contents, replacing <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
|
||||
|
||||
```sh
|
||||
#!/bin/sh
|
||||
keyfork wizard generate-shard-secret --threshold <M> --max <N> --output shards.pgp
|
||||
keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smart_cards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
|
||||
```
|
||||
|
||||
|
||||
* Press "esc"
|
||||
* Press ":"
|
||||
* Press "x"
|
||||
|
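Review bot: The added instruction bullet above the script still tells the reader to replace the placeholders "with your chosen threshold numbers", but the list now includes `<number_of_smart_cards_per_operator>` and `<pgp_user_id>`, neither of which is a threshold. Suggest stating that `<M>` and `<N>` come from the Quorum selection and describing the other two values separately. The shard output also changes from `shards.pgp` to `shardfile.asc`, so any later step in this document that still names `shards.pgp` should be updated in the same commit. Because `<pgp_user_id>` sits inside double quotes nested in a single-quoted `--derive` argument, it is also worth a sentence saying the user ID must not contain quote characters.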
@ -38,4 +38,4 @@ This setup can be done on any machine.
|
|||
|
||||
c. Copy the `autorun.sh` file to the Storage Device
|
||||
|
||||
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.
|
||||
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.
|
||||
|
|
|
@ -28,12 +28,12 @@ as such need to be set up in a manner that minimizes exposure risks.
|
|||
Ensure the User ID is your name and your email.
|
||||
|
||||
```
|
||||
$ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
|
||||
$ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
|
||||
```
|
||||
|
||||
The `count=` variable can be provided to `provision` to ensure the correct
|
||||
amount of smartcards is provisioned - the program will error if the amount
|
||||
of smartcards available is not equal to the count requested.
|
||||
The `--provision-count` option can be provided to ensure the correct amount
|
||||
of smartcards is provisioned - the program will error if the amount of
|
||||
smartcards available is not equal to the count requested.
|
||||
|
||||
Note: The PIN can't use sequential numbers, characters or repeated patterns.
|
||||
|
||||
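Review bot: The new example passes `--derive='openpgp --public "Your Name <your@email.co>"'` with no `--output`, while the other commands changed in this commit end the derive argument with `--output certificate.asc`. Either add `--output` here for consistency or say in the text where the public certificate ends up. The reworded paragraph also introduces `--provision-count`, but the example command never shows it; including it in the command would make its placement unambiguous.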
|
|
|
@ -20,9 +20,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
|
||||
|
||||
* Replace the values: <path_to_input_shard>
|
||||
* Replace the values: <path_to_input_shard>, <pgp_user_id>
|
||||
|
||||
* `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --encrypto-to-self encryption_certificate.asc,userid=<namespace>`
|
||||
* `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
|
||||
|
||||
1. Unseal an SD card pack
|
||||
|
||||
|
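Review bot: The added command bullet opens an inline code span and never closes it: the line ends at `--output certificate.asc'` with no trailing backtick, unlike the line it replaces. Add the closing backtick so the following list items do not render as code. The placeholder list was extended with `<pgp_user_id>`, which matches the command, so no other change is needed there.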
@ -35,9 +35,10 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
1. Back up the files
|
||||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
TODO (NOT IMPLEMENTED): $ cp encryption_certificate.asc /media/vaults/<namespace>/
|
||||
$ cp certificate.asc /media/vaults/<namespace>/
|
||||
$ cp -r /media/vaults /root/
|
||||
```
|
||||
|
||||
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
1. Plug in fresh SD card
|
||||
|
|
|
@ -18,15 +18,12 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
{{ #include template-ceremony-setup.md:content }}
|
||||
|
||||
1. Run the relevant keyfork wizard to perform the ceremony:
|
||||
1. Run the relevant keyfork operation to perform the ceremony:
|
||||
|
||||
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_cert_id> with appropriate values
|
||||
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
|
||||
|
||||
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc`
|
||||
* `keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'`
|
||||
|
||||
* TODO - NOT IMPLEMENTED:
|
||||
`--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>`
|
||||
|
||||
1. Unseal an SD card pack by following tamper proofing steps:
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
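Review bot: The placeholder names disagree within the added lines: the "Replace the following values" bullet lists `<number_of_smart_cards_per_operator>`, but the command uses `cards_per_shard=<number_of_smartcards_per_operator>`. An operator doing a literal search-and-replace during a ceremony would miss one of them. Use one spelling in both places; the `autorun.sh` document in this commit uses `<number_of_smart_cards_per_operator>`.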
@ -39,7 +36,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
$ cp keyring.asc /media/vaults/<namespace>/
|
||||
TODO (NOT IMPLEMENTED): $ cp encryption_cert.asc /media/vaults/<namespace>/
|
||||
$ cp certificate.asc /media/vaults/<namespace>/
|
||||
$ cp -r /media/vaults /root/
|
||||
```
|
||||
|
||||
|
|