fix: update location key ceremony

2024-08-05 15:55:11 -04:00 · 2024-08-05 15:55:11 -04:00 · 265add34f5
parent 52ebb41eb8
commit 265add34f5
1 changed files with 51 additions and 17 deletions
--- a/quorum-key-management/src/location-key-provisioning.md
+++ b/quorum-key-management/src/location-key-provisioning.md
@ -28,18 +28,12 @@ or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
    * Load your personal PGP certificate which will be used as the Operator
    Key in to the local keyring

-        * `gpg --import <your_key_id>`
+        * `gpg --import /media/<operator_key_id>`

    * Generate the mnemonic:

        * `keyfork mnemonic generate --size 256 > mnemonic.txt`

-    * Encrypt the mnemonic to the Operator Key
-
-        * `gpg -er <your_key_id> mnemonic.txt`
-
-    * Save the encrypted mnemonic, `mnemonic.txt.gpg` to two SD cards
-
    * Write the mnemonic on a small piece of paper as you will need to enter the
    words in the next step. After entering the words, set the piece of paper
    on fire (that's why it should be small enough - to make burning it easy)
@ -58,26 +52,66 @@ or the [One Time Use Airgap-OS](one-time-use-airgapos.md)

    * Derive PGP keypair:

-        * `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > priv.asc`
+        * `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > location.priv.asc`

-    * Provision a YubiKey:
+    * Provision two YubiKey:

-        * `oct list`
+        * To get the `smart_card_id`: `oct list`

-        * `oct admin --card <your_card_id> import priv.asc`
+        * `oct admin --card <smart_card_id> import location.priv.asc`
+
+        *  `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5 }' > smart-card-pin.txt`
+
+        * `cat smart-card-pin.txt`
+
+        * `oct pin --card <smart_card_id> set-user`
+
+            * Enter the <smart_card_pin>
+
+        * `oct pin --card <smart_card_id> set-admin`
+
+            * Enter the <smart_card_pin>

    * Import PGP key into keyring

-        * `gpg --import priv.asc`
+        * `gpg --import location.priv.asc`

-    * Export PGP Public Certificate
+    * Encrypt and back up the `mnemonic.txt`

-        * `gpg --armor --export <key_id> > pub.asc`
+        * `gpg -er <operator_key_id> mnemonic.txt`

-    * Save `pub.asc` to two SD cards
+        * `cp mnemonic.txt.gpg /media`

-    * Delete all the generated assets before shutting down computer, namely
-    `pub.asc`, `priv.asc`, `mnemonic.txt` and `mnemonic.txt.gpg`
+    * Encrypt and back up the `smart-card-pin`
+
+        * `gpg -er <operator_key_id> smart-card-pin.txt`
+
+        * `cp smart-card-pin.txt.gpg /media`
+
+    * Export and back up `location.pub.asc`
+
+        * `gpg --armor --export <location_key_id> > location.pub.asc`
+
+        * `cp location.pub.asc /media`
+
+    * Duplicate all backup files to a second SD card:
+
+        * `mnemonic.txt.gpg`, `smart-card-pin.gpg`, `location.pub.asc`
+
+    * For posterity, delete all the generated assets before shutting down
+    computer, namely:
+
+        * `mnemonic.txt`
+
+        * `mnemonic.txt.gpg`
+
+        * `smart-card-pin.txt`
+
+        * `smart-card-pin.txt.gpg`
+
+        * `location.pub.asc`
+
+        * `location.priv.asc`

 4. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
 for storage of the Operator Smart Cards and Location Smart Cards