refactor order of a few things and add context for SD cards and their

inclusion in air gap bundle
2024-12-19 16:05:45 -05:00 · 2024-12-19 16:05:45 -05:00 · 46a088b1b5
parent 57faca72fd
commit 46a088b1b5
1 changed files with 39 additions and 37 deletions
--- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
+++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
@ -73,8 +73,45 @@ SD cards don't require special chain of custody, but ideally should be purchased
 An SD card with AirgapOS written to it will be required to run ceremonies.
 The AirgapOS SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
 {{ #include ../../../../one-time-use-airgapos.md:steps }}
 ### Shardfile 
 There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.
 The Shardfile SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
 * Label: "Shardfile"
 ## Trusted Keys
 ### Procedure
 This procedure requires 2 individuals in order to witness the process and verify that the data being burned to the card is correct.
 The Trusted Keys SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
 1. Get a freshly formatted SD card 
 1. Plug it into a computer
 1. Navigate the the official Keychain repository of your organization
 1. Select provisioner and approver keys from the Keychain repository
 1. Download the desired keys along with detached signatures
 1. Copy the `.asc` and signature files to the SD card
 1. Use the `sdtool` to lock the card
 {{ #include ../../../../sdtool-instructions.md:steps }}
 1. Label the card "Trusted Keys <date>"
 ## Computer Procurement
 For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required.
@ -87,43 +124,6 @@ For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computer
 1. Follow the [chain of custody procurement procedure](../../../../hardware-procurement-and-chain-of-custody.md)
 1. Apply [vaccum sealing with filler](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) tamper proofing.
 ### Shardfile 
 There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.
 * Label: "Shardfile"
 * This should be write-locked and stored in tamper proofing along with air-gapped machine
 ## Trusted Keys
 ### Procedure
 This procedure requires 2 individuals in order to witness the process.
 1. Get a freshly formatted SD card 
 1. Plug it into a computer
 1. Navigate the the official Keychain repository of your organization
 1. Select provisioner and approver keys from the Keychain repository
 1. Export the keys using `gpg --armor --export <key_id> > <key_id:individual_name>.asc`
    * Repeat step for all needed keys
 1. Copy the `.asc` files to the SD card
 1. Use the `sdtool` to lock the card
 {{ #include ../../../../sdtool-instructions.md:steps }}
 1. Label the card "Trusted Keys <date>"
 ## Air-gapped bundle
 * Tamper proof together the following objects:
@ -134,6 +134,8 @@ This procedure requires 2 individuals in order to witness the process.
    * [Trusted keys SD card](#trusted-keys)
    * [Shardfile SD card](#shardfile)
 ### Procedure
 {{ #include ../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing }}