From 4999b08e7e7c837b974da5fcbcdc0846b21a73d9 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Mon, 3 Feb 2025 00:08:17 -0500 Subject: [PATCH] doc clean up --- .../src/component-documents/inventory-repository.md | 4 ++++ .../component-documents/tamper-evidence-methods.md | 4 ++-- .../fixed-location/approver/approve-transaction.md | 2 -- .../operator/coins/sol/transfer-token.md | 4 ++-- .../operator/quorum-entropy-ceremony.md | 11 ++++++----- .../level-2/fixed-location/procurer/index.md | 6 ++++-- .../fixed-location/procurer/procure-sd-card-pack.md | 2 -- .../proposer/create-transaction-payload.md | 6 ++---- .../level-2/fixed-location/provisioner/index.md | 5 ++--- .../src/generated-documents/level-2/hardware.md | 2 ++ .../level-2/operator-requirements.md | 8 ++++---- 11 files changed, 28 insertions(+), 26 deletions(-) diff --git a/quorum-vault-system/src/component-documents/inventory-repository.md b/quorum-vault-system/src/component-documents/inventory-repository.md index 5053067..6b427e6 100644 --- a/quorum-vault-system/src/component-documents/inventory-repository.md +++ b/quorum-vault-system/src/component-documents/inventory-repository.md @@ -23,5 +23,9 @@ sd_cards/ ... ``` +## Procedure: Setting up Repository + +{{ #include ./git-repository-initialization.md:procedure}} + // ANCHOR_END: content /* ANCHOR_END: all */ \ No newline at end of file diff --git a/quorum-vault-system/src/component-documents/tamper-evidence-methods.md b/quorum-vault-system/src/component-documents/tamper-evidence-methods.md index f7b2204..2108ce4 100644 --- a/quorum-vault-system/src/component-documents/tamper-evidence-methods.md +++ b/quorum-vault-system/src/component-documents/tamper-evidence-methods.md 
@@ -124,7 +124,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The 1. Date and sign the polaroid photographs and store them in a local lock box -1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit. +1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit. // ANCHOR_END: vsbwf-procedure-sealing @@ -137,7 +137,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The 1. Compare polaroid to printed photographs of digital record -1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an [incident response process (todo)](TODO). +1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process according to organization's policies. // ANCHOR_END: vsbwf-procedure-unsealing diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index 0a15f32..7f71f10 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md 
@@ -16,8 +16,6 @@ The approver is responsible for verifying a transaction proposed by a [proposer] * The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the `vaults` repo -* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration) - * Clone the [Vaults Repository](../../../all-levels/create-vaults-repository.md) for your organization to the machine ## Procedure diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md index 2128208..378b270 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md @@ -2,14 +2,14 @@ ## Requirements +{{ #include ../../../../operator-requirements.md:requirements }} + * Online machine * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. * [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair) -{{ #include ../../../../operator-requirements.md:requirements }} - * [Ceremony SD card](../../ceremony-sd-card-provisioning.md) ## Procedure diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md index 61edeaf..792b80a 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md 
@@ -6,11 +6,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key {{ #include ../../operator-requirements.md:requirements }} -* [SD Card Booster Pack](../provisioner/provision-sd-card.md) +* [SD Card Pack](../procurer/procure-sd-card-pack.md) * `N` Smart Cards in the chosen `M of N` quorum -* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. +* High Visibility Storage: plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. ## Procedure @@ -37,7 +37,6 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key * `keyfork wizard generate-shard-secret --threshold --max --keys-per-shard= --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid=` TODO: NOT IMPLEMENTED - 1. Unseal an SD card pack {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} @@ -62,9 +61,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key 1. Unplug the SD card and place it in High Visibility Storage - 1. Label the SD card "Shardfile [date]" + 1. Label the SD card "Ceremony [date]" -1. Upload the newly generated artifacts into the `vaults` repository +1. Power down the air-gapped machine + +1. Transfer the ceremony artifacts to an online machine using one of the SD cards and upload the newly generated artifacts into the `vaults` repository in the appropriate `` sub directory using an online machine 1. Gather all the original items that were in the air-gapped bundle: diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/index.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/index.md index 225d893..360807f 100644 
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/index.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/index.md @@ -8,9 +8,9 @@ The procurer is responsible for: * [Hardware](procure-hardware.md) (computers, sd cards, sd card adapters, smart cards, cameras etc.) -* Ensuring equipment is properly tamper proofed +* Creating and maintaining the [Inventory](create-inventory-repository.md) -* Ensuring inventory is updated properly +* Ensuring equipment is properly tamper proofed * Maintaining stock of supplies in the inventory @@ -22,6 +22,8 @@ The procurer is responsible for: 1. Procuring a [facility](./procure-facility.md) +1. Creating a [Inventory repository](create-inventory-repository.md) + 1. Procuring [tamper proofing equipment](./procure-tamper-proofing-equipment.md) 1. Procuring [hardware](./procure-hardware.md) diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md index 241e82a..fa74695 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md @@ -24,5 +24,3 @@ {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} 1. Label the tamper proofed package "SD Card Pack [date]" - -1. Add an entry to the `inventory` repository, including tamper evidence photographs, and the name of the item \ No newline at end of file diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index 4a6fe0e..22b249f 100644 
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -30,11 +30,9 @@ The proposer must combine these values into a JSON file, such as: * The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the `vaults` repo -* [Online Machine](TODO) +* Online Machine -* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration) - -* Organization's Ceremonies repository git url +* Clone the [Vaults Repository](../../../all-levels/create-vaults-repository.md) for your organization to the machine ## Procedure diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/index.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/index.md index 9c55f0f..2e4779e 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/index.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/index.md @@ -4,13 +4,12 @@ The provisioner is responsible for: * Provisioning hardware -* Provisioning SD Cards (AirapOS, Keychain, Shardfiles etc.) +* Provisioning SD Cards (AirapOS, Ceremony etc.) -* Provisioning ceremony bundles +* Provisioning bundles (e.g Air-Gapped bundle) ## Procedures -* [Provision SD Card](./provision-sd-card.md) * [Provision AirgapOS](./provision-airgapos.md) * [Provision Computer](./procure-computer.md) * Requires tamper proofing equipment to be available diff --git a/quorum-vault-system/src/generated-documents/level-2/hardware.md b/quorum-vault-system/src/generated-documents/level-2/hardware.md index 395035f..bc0bc01 100644 --- a/quorum-vault-system/src/generated-documents/level-2/hardware.md 
+++ b/quorum-vault-system/src/generated-documents/level-2/hardware.md @@ -23,6 +23,8 @@ * Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility) +* Online Use: Chromebook or QubesOS laptop + // ANCHOR_END: computer-models ## Digital Camera diff --git a/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md b/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md index d07693d..896b1c4 100644 --- a/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md +++ b/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md @@ -4,6 +4,10 @@ ## For Quorum Based Operations // ANCHOR: requirements +* For ALL tamper proofed hardware used in the ceremony, both operators MUST print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. + + * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo + * [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md) * Minimum of 2 [Operators](/system-roles.md#operator) @@ -12,9 +16,5 @@ * Tamper-proofing equipment -* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. - - * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo - // ANCHOR_END: requirements /* ANCHOR_END: all */ \ No newline at end of file
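Review bot: In the `inventory-repository.md` hunk, the new `{{ #include ./git-repository-initialization.md:procedure}}` depends on a `procedure` anchor that this patch does not add or touch; confirm `git-repository-initialization.md` actually declares `// ANCHOR: procedure` / `// ANCHOR_END: procedure`, otherwise mdBook renders the include as an error string in the built page. Also match the include style used elsewhere in the book (`{{ #include ... }}` with a space before `}}`) and add the missing newline at end of file that the hunk still leaves off.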
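Review bot: In the `tamper-evidence-methods.md` sealing hunk, the reworded step still opens with "ensuring continued dual custody" and then says "If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit", which makes the signed PR plus signed merge optional even though dual custody already guarantees two people. Drop the conditional so the two-signature flow is the required path, e.g. "... commit the tamper evidence photographs to a repository: one custodian creates a PR with a signed commit and the other performs a signed merge commit."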
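Review bot: In the `tamper-evidence-methods.md` unsealing hunk, "according to organization's policies" is missing the article ("according to the organization's policies"). Replacing the `(TODO)` link with a policy reference is fine, but the book no longer points anywhere for what to do with the mismatching object; at minimum state that the object must not be unsealed and must remain in dual custody until the response process has run, since that is the property the comparison step exists to protect.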
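Review bot: In the `approve-transaction.md` hunk, the bullet "Ensure that the computer is configured to sign commits with the desired key" is removed, but the remaining requirement still has the approver verifying commit signatures in the `vaults` repo, and the sealing procedure in this same patch requires signed commits and signed merges. If the approver commits anything during the procedure, the signing-configuration requirement needs to live somewhere (e.g. in `operator-requirements.md`, which this patch also edits); if it was removed because the `#git-commit-signing-configuration` appendix no longer exists, confirm no other page still links to that anchor.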
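Review bot: In the `sol/transfer-token.md` hunk, `[High Visibility Storage](TODO)` is kept as a dead `TODO` link while the same patch strips the identical `(TODO)` link from `quorum-entropy-ceremony.md`; apply the same change here so the two requirement lists stay consistent. Moving the `operator-requirements.md` include to the top is fine, but note that once it is first it will also pull in the new "MUST print photographic evidence" rule ahead of the machine-specific bullets, so check the rendered page still reads in order.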
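Review bot: In the third `quorum-entropy-ceremony.md` hunk, the new step "Transfer the ceremony artifacts to an online machine using one of the SD cards and upload ... in the appropriate `` sub directory using an online machine" has an empty code span where the directory name should be, and "using an online machine" repeats "to an online machine". It also does not say which SD card: the preceding steps just placed the card labelled "Ceremony [date]" in High Visibility Storage, and a card that has been plugged into an online machine should not go back into the air-gapped bundle, so name the card explicitly and state whether it is retired afterwards. Ordering is also worth a second look, since "Power down the air-gapped machine" now sits after the card has already been unplugged and labelled; confirm all artifacts were written before that point.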
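Review bot: In the second `procurer/index.md` hunk, "Creating a [Inventory repository]" should read "an Inventory repository", and `create-inventory-repository.md` is not among the 11 files this patch touches (the only inventory file changed is `component-documents/inventory-repository.md`); confirm the target page exists under `procurer/` or the new link in both hunks will be dangling.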
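Review bot: In the `procure-sd-card-pack.md` hunk, deleting "Add an entry to the `inventory` repository, including tamper evidence photographs, and the name of the item" leaves the procedure with no step that records the sealed pack in the inventory, even though the same patch makes "Creating and maintaining the Inventory" a procurer responsibility. The included sealing procedure only says to commit the photographs "to a repository" and does not capture the item name or label; either keep this step or make the sealing include name the `inventory` repository and the fields to record.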
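Review bot: In the `create-transaction-payload.md` hunk, the same concern as in `approve-transaction.md` applies: the signing-configuration bullet is removed while the proposer is still expected to verify, and presumably produce, signed commits in the `vaults` repo. Separately, the requirements list now mixes items ("Online Machine") with actions ("Clone the [Vaults Repository] ... to the machine"); the action reads better as the first step of the Procedure section below.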
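Review bot: In the `provisioner/index.md` hunk, "(e.g Air-Gapped bundle)" needs the period ("e.g."), and the "[Provision SD Card](./provision-sd-card.md)" link is removed from the list without `provision-sd-card.md` being deleted or redirected in this patch; grep the book for remaining links to it (the entropy ceremony page was pointing at it until this patch) so no page still references an orphaned file.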
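Review bot: In the `hardware.md` hunk, "Online Use: Chromebook or QubesOS laptop" is added under the `computer-models` anchor with no statement of why those two are the acceptable online machines, whereas the preceding bullet gives a verification guide for the air-gapped models. One sentence on the property being relied on (e.g. verified boot on Chromebooks, compartmentalization on QubesOS) would let a procurer judge substitutes rather than treating the list as arbitrary.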
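Review bot: In the first `operator-requirements.md` hunk, the moved sub-bullet still says signatures are verified "against a list of permitted PGP keys found in the "ceremonies" repo", while the approver and proposer pages edited in this same patch point to the `vaults` repo for the same list; pick one repository name and use it consistently, since this is the trust anchor for the whole photographic-evidence check. The new MUST sentence also says "both operators" while the list below requires a "Minimum of 2" operators; "all operators present" would match.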