public
/
docs
5
0
Fork 0
Code Issues 19 Pull Requests 1 Packages Projects Releases Wiki Activity

refactor order of a few things and add context for SD cards and their 

inclusion in air gap bundle
This commit is contained in:
Anton Livaja 2024-12-19 16:05:45 -05:00
parent 57faca72fd
commit 46a088b1b5
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 39 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md
View File

@ -73,8 +73,45 @@ SD cards don't require special chain of custody, but ideally should be purchased
An SD card with AirgapOS written to it will be required to run ceremonies.
The AirgapOS SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
{{ #include ../../../../one-time-use-airgapos.md:steps }}
### Shardfile
There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.
The Shardfile SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
* Label: "Shardfile"
## Trusted Keys
### Procedure
This procedure requires 2 individuals in order to witness the process and verify that the data being burned to the card is correct.
The Trusted Keys SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
1. Get a freshly formatted SD card
1. Plug it into a computer
1. Navigate the the official Keychain repository of your organization
1. Select provisioner and approver keys from the Keychain repository
1. Download the desired keys along with detached signatures
1. Copy the `.asc` and signature files to the SD card
1. Use the `sdtool` to lock the card
{{ #include ../../../../sdtool-instructions.md:steps }}
1. Label the card "Trusted Keys <date>"
## Computer Procurement
For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required.
@ -87,43 +124,6 @@ For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computer
1. Follow the [chain of custody procurement procedure](../../../../hardware-procurement-and-chain-of-custody.md)
1. Apply [vaccum sealing with filler](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) tamper proofing.
### Shardfile
There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.
* Label: "Shardfile"
* This should be write-locked and stored in tamper proofing along with air-gapped machine
## Trusted Keys
### Procedure
This procedure requires 2 individuals in order to witness the process.
1. Get a freshly formatted SD card
1. Plug it into a computer
1. Navigate the the official Keychain repository of your organization
1. Select provisioner and approver keys from the Keychain repository
1. Export the keys using `gpg --armor --export <key_id> > <key_id:individual_name>.asc`
* Repeat step for all needed keys
1. Copy the `.asc` files to the SD card
1. Use the `sdtool` to lock the card
{{ #include ../../../../sdtool-instructions.md:steps }}
1. Label the card "Trusted Keys <date>"
## Air-gapped bundle
* Tamper proof together the following objects:
@ -134,6 +134,8 @@ This procedure requires 2 individuals in order to witness the process.
* [Trusted keys SD card](#trusted-keys)
* [Shardfile SD card](#shardfile)
### Procedure
{{ #include ../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing }}