From 46a088b1b59d1fb57c981c6ed5399f7beae1560a Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Thu, 19 Dec 2024 16:05:45 -0500 Subject: [PATCH] refactor order of a few things and add context for SD cards and their inclusion in air gap bundle --- .../provisioner/procure-hardware.md | 76 ++++++++++--------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md index 5f3047d..7bba3bb 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md 
@@ -73,8 +73,45 @@ SD cards don't require special chain of custody, but ideally should be purchased An SD card with AirgapOS written to it will be required to run ceremonies. +The AirgapOS SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle) + {{ #include ../../../../one-time-use-airgapos.md:steps }} +### Shardfile + +There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony. + +The Shardfile SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle) + +* Label: "Shardfile" + + +## Trusted Keys + +### Procedure + +This procedure requires 2 individuals in order to witness the process and verify that the data being burned to the card is correct. + +The Trusted Keys SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle) + +1. Get a freshly formatted SD card + +1. Plug it into a computer + +1. Navigate the the official Keychain repository of your organization + +1. Select provisioner and approver keys from the Keychain repository + +1. Download the desired keys along with detached signatures + +1. Copy the `.asc` and signature files to the SD card + +1. Use the `sdtool` to lock the card + +{{ #include ../../../../sdtool-instructions.md:steps }} + +1. Label the card "Trusted Keys " + ## Computer Procurement For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required. 
@@ -87,43 +124,6 @@ For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computer 1. Follow the [chain of custody procurement procedure](../../../../hardware-procurement-and-chain-of-custody.md) -1. Apply [vaccum sealing with filler](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) tamper proofing. - - -### Shardfile - -There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony. - -* Label: "Shardfile" - -* This should be write-locked and stored in tamper proofing along with air-gapped machine - -## Trusted Keys - -### Procedure - -This procedure requires 2 individuals in order to witness the process. - -1. Get a freshly formatted SD card - -1. Plug it into a computer - -1. Navigate the the official Keychain repository of your organization - -1. Select provisioner and approver keys from the Keychain repository - -1. Export the keys using `gpg --armor --export > .asc` - - * Repeat step for all needed keys - -1. Copy the `.asc` files to the SD card - -1. Use the `sdtool` to lock the card - -{{ #include ../../../../sdtool-instructions.md:steps }} - -1. Label the card "Trusted Keys " - ## Air-gapped bundle * Tamper proof together the following objects: @@ -134,6 +134,8 @@ This procedure requires 2 individuals in order to witness the process. * [Trusted keys SD card](#trusted-keys) + * [Shardfile SD card](#shardfile) + ### Procedure {{ #include ../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing }}
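Review bot: the Trusted Keys steps added in the first hunk (@@ -73,8 +73,45 @@) download the keys "along with detached signatures" and copy both to the card, but no step checks those signatures before `sdtool` locks the card. The intro now says the two individuals "verify that the data being burned to the card is correct", so add an explicit step between "Download the desired keys along with detached signatures" and "Copy the `.asc` and signature files to the SD card" in which both witnesses verify each detached signature against its key file, and state which signer the signatures are expected to come from. While this block is being moved, also fix "Navigate the the official Keychain repository", the trailing space in "Trusted Keys ", and the `[Root Entropy](todo)` placeholder link.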
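Review bot: the Shardfile bullet removed in the second hunk (@@ -87,43 +124,6 @@), "This should be write-locked and stored in tamper proofing along with air-gapped machine", loses its write-lock half: the relocated Shardfile section only says the card goes into the air gap bundle. If the card must still be write-locked, add an `sdtool` lock step to the Shardfile section as in Trusted Keys; if the requirement is dropped on purpose, say so in the commit message. The same hunk removes the "Apply [vaccum sealing with filler]" step from Computer Procurement without giving that list the pointer to the air-gapped bundle that the SD card sections received, so a reader following that list alone no longer sees that the computer gets sealed.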
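Review bot: the `* [Shardfile SD card](#shardfile)` bullet added in the third hunk (@@ -134,6 +134,8 @@) is singular, while the Shardfile section states "There should be multiple SD cards containing the shardfile data". Say whether one card or every copy is sealed into the bundle, and if only one, where the remaining copies are kept and under what tamper evidence.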