fix: update location key ceremony

Anton Livaja 2024-08-05 15:55:11 -04:00
parent 52ebb41eb8
commit 265add34f5
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 51 additions and 17 deletions


@ -28,18 +28,12 @@ or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
* Load your personal PGP certificate which will be used as the Operator * Load your personal PGP certificate which will be used as the Operator
Key in to the local keyring Key in to the local keyring
* `gpg --import <your_key_id>` * `gpg --import /media/<operator_key_id>`
* Generate the mnemonic: * Generate the mnemonic:
* `keyfork mnemonic generate --size 256 > mnemonic.txt` * `keyfork mnemonic generate --size 256 > mnemonic.txt`
* Encrypt the mnemonic to the Operator Key
* `gpg -er <your_key_id> mnemonic.txt`
* Save the encrypted mnemonic, `mnemonic.txt.gpg` to two SD cards
* Write the mnemonic on a small piece of paper as you will need to enter the * Write the mnemonic on a small piece of paper as you will need to enter the
words in the next step. After entering the words, set the piece of paper words in the next step. After entering the words, set the piece of paper
on fire (that's why it should be small enough - to make burning it easy) on fire (that's why it should be small enough - to make burning it easy)
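Review bot: the new import step `gpg --import /media/<operator_key_id>` passes a key ID placeholder where `gpg --import` expects a file path; the placeholder should name the exported certificate file on the SD card (for example `/media/<operator_key>.asc`) so an operator does not try to import a fingerprint string. The three removed lines (encrypting `mnemonic.txt` to the Operator Key and saving `mnemonic.txt.gpg` to two SD cards) reappear later in the new ordering, so nothing is lost, but the commit message only says "update"; it would help reviewers of this ceremony doc to state in the message that the backup steps were moved after YubiKey provisioning so the mnemonic file is still present when it is needed for derivation.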
@ -58,26 +52,66 @@ or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
* Derive PGP keypair: * Derive PGP keypair:
* `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > priv.asc` * `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > location.priv.asc`
* Provision a YubiKey: * Provision two YubiKey:
* `oct list` * To get the `smart_card_id`: `oct list`
* `oct admin --card <your_card_id> import priv.asc` * `oct admin --card <smart_card_id> import location.priv.asc`
* `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5 }' > smart-card-pin.txt`
* `cat smart-card-pin.txt`
* `oct pin --card <smart_card_id> set-user`
* Enter the <smart_card_pin>
* `oct pin --card <smart_card_id> set-admin`
* Enter the <smart_card_pin>
* Import PGP key into keyring * Import PGP key into keyring
* `gpg --import priv.asc` * `gpg --import location.priv.asc`
* Export PGP Public Certificate * Encrypt and back up the `mnemonic.txt`
* `gpg --armor --export <key_id> > pub.asc` * `gpg -er <operator_key_id> mnemonic.txt`
* Save `pub.asc` to two SD cards * `cp mnemonic.txt.gpg /media`
* Delete all the generated assets before shutting down computer, namely * Encrypt and back up the `smart-card-pin`
`pub.asc`, `priv.asc`, `mnemonic.txt` and `mnemonic.txt.gpg`
* `gpg -er <operator_key_id> smart-card-pin.txt`
* `cp smart-card-pin.txt.gpg /media`
* Export and back up `location.pub.asc`
* `gpg --armor --export <location_key_id> > location.pub.asc`
* `cp location.pub.asc /media`
* Duplicate all backup files to a second SD card:
* `mnemonic.txt.gpg`, `smart-card-pin.gpg`, `location.pub.asc`
* For posterity, delete all the generated assets before shutting down
computer, namely:
* `mnemonic.txt`
* `mnemonic.txt.gpg`
* `smart-card-pin.txt`
* `smart-card-pin.txt.gpg`
* `location.pub.asc`
* `location.priv.asc`
4. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide 4. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
for storage of the Operator Smart Cards and Location Smart Cards for storage of the Operator Smart Cards and Location Smart Cards
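Review bot: the backup list names `smart-card-pin.gpg`, but the file created two steps earlier by `gpg -er <operator_key_id> smart-card-pin.txt` is `smart-card-pin.txt.gpg` (and that is also the name in the deletion list); the duplicate-to-second-card line should read `mnemonic.txt.gpg`, `smart-card-pin.txt.gpg`, `location.pub.asc` so an operator copying by name does not miss the PIN backup. Two smaller points in the same hunk: "Provision two YubiKey:" should be "Provision two YubiKeys:", and since the sub-steps (`oct admin --card <smart_card_id> import location.priv.asc`, `oct pin ... set-user`, `oct pin ... set-admin`) are written once, add an explicit "repeat for the second card" line, otherwise the second card is never provisioned. The step `gpg --armor --export <location_key_id> > location.pub.asc` introduces `<location_key_id>` without saying where it comes from; a line such as "note the key ID printed by `gpg --import location.priv.asc`" would close that gap. Finally, "For posterity, delete all the generated assets" reads as the opposite of the intent; "Before shutting down, delete all the generated assets so no plaintext key material remains on the machine" states the reason.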