public
/
docs
5
0
Fork 0
Code Issues 17 Pull Requests 1 Packages Projects Releases Wiki Activity

major refactor

This commit is contained in:
Anton Livaja 2025-01-06 13:17:30 -05:00
parent 8e914c55d5
commit 53202c6179
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
40 changed files with 223 additions and 234 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
quorum-key-management/README.md
View File

@ -1,6 +1,6 @@
# Quorum Key Management (QKM)
# Quorum Key Management (QVS)
Quorum Key Management (QKM) is an open source system of playbooks and tooling which
Quorum Key Management (QVS) is an open source system of playbooks and tooling which
facilitates the creation and maintenance of highly resilient Quorum-based Key
Management Systems based on a strict threat model which can be used for a
variety of different cryptographic algorithms.

41
quorum-key-management/src/SUMMARY.md
View File

@ -6,34 +6,7 @@
* [Software](software.md)
* [Hardware](hardware.md)
* [Glossary](glossary.md)
* [Preparations]()
* [Verifying Signatures](verifying-signatures.md)
* [Tamper Evidence Methods](tamper-evidence-methods.md)
* [Online Machine](online-machine-provisioning.md)
* [Fixed Location Reusable Laptop]()
* [Location](locations.md)
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
* [PureBoot]()
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
* [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
* [Change Smart Card PINs](setting-smart-card-pins.md)
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
* [PureBoot Boot Sequence](secure-boot-sequence.md)
* [AirgapOS Setup]()
* [AirgapOS Setup](repeat-use-airgapos.md)
* [`autorun.sh` Setup](autorun-sh-setup.md)
* [One Time Use / Portable Use]()
* [Location](one-time-use-locations.md)
* [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
* [AirgapOS Setup](one-time-use-airgapos.md)
* [Repository Setup](one-time-repository-setup.md)
* [Selecting Locations](one-time-use-locations.md)
* [Post Ceremony]()
* [Online Artifact Storage](public-ceremony-artifact-storage.md)
* [Physical Artifact Storage](physical-artifact-storage.md)
* [Lifecycle Management]()
* [Destroying Hardware](hardware-destruction.md)
* [Storage Device Management](storage-device-management.md)
* [Location](locations.md)
* [Generated Documents]()
* [Root Entropy Generation]()
* [Ceremony Log Template](ceremony-log-template.md)
@ -60,6 +33,18 @@
* [Level 3]()
* [Level 4]()
* [Document Components]()
* [Ceremony Repository](./component-documents/ceremony-repository.md)
* [Keychain Repository](./component-documents/keychain-repository.md)
* [Git Commit Signing](./component-documents/git-commit-signing.md)
* [GUI Git Commit](./component-documents/gui-git-commit.md)
* [OpenPGP Setup](./component-documents/openpgp-setup.md)
* [Verifying Signatures](./component-documents/verifying-signatures.md)
* [Tamper Evidence Methods](./component-documents/tamper-evidence-methods.md)
* [Change Smart Card PINs](./component-documents/setting-smart-card-pins.md)
* [Online Machine Provisioning](online-machine-provisioning.md)
* [Destroying Hardware](./component-documents/hardware-destruction.md)
* [Storage Device Management](./component-documents/storage-device-management.md)
* [Procure Hardware](./component-documents/hardware-procurement-and-chain-of-custody.md)
* [Online Artifact Storage](./component-documents/public-ceremony-artifact-storage.md)
* [Physical Artifact Storage](./component-documents/physical-artifact-storage.md)
* [`autorun.sh` Setup](./component-documents/autorun-sh-setup.md)

0
quorum-key-management/src/autorun-sh-setup.md → quorum-key-management/src/component-documents/autorun-sh-setup.md
View File

2
quorum-key-management/src/hardware-destruction.md → quorum-key-management/src/component-documents/hardware-destruction.md
View File

@ -8,6 +8,8 @@ Destroying hardware should be done by using a combination of:
* Shredding
* Pulverizing
All three methods should be used because of the efficacy of using electron
microscopy to read data from storage drives which have not been completely
destroyed.

0
quorum-key-management/src/hardware-procurement-and-chain-of-custody.md → quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md
View File

6
quorum-key-management/src/one-time-use-airgapos.md → quorum-key-management/src/component-documents/one-time-use-airgapos.md
View File

@ -9,11 +9,11 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
// ANCHOR: steps
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
2. Verify the software according to [this](verifying-signatures.md) guide
2. Verify the software according to [this](./component-documents/verifying-signatures.md) guide
3. Flash `airgap.iso` to an SD Card:
* `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct`
* `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress conv=fsync`
4. Use the `sdtool` to lock the SD Card:
@ -29,7 +29,7 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
* Test that the card can't be written to:
* `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress`
* `dd if=out/airgap.iso of=/dev/sdb bs=1M status=progress conv=fsync`
5. Label the SD card "AirgapOS - <version>"

29
quorum-key-management/src/component-documents/online-machine-provisioning.md Normal file
View File

@ -0,0 +1,29 @@
# Online Machine Provisioning
## QubesOS
QubesOS is a preferred operating system for use in high security assurance scenarios as it uses hardware based virtualization leveraging the Xen hypervisor, which gives strong isolation guarantees. This makes it trivial to create purpose specific environments, which have minimal software footprints, as well as restricted networking in order to limit ingress and egress.
* [Hardware Compability](https://www.qubes-os.org/hcl/)
* It is highly preferred to use a Purism machine due to additional hardware supply chain security features such as anti-interdiction
* Commonly used alternative makes include: ThinkPads, Framework and Dell
* [Installation](https://www.qubes-os.org/downloads/)
* MUST follow "verifying signatures" guide
## "Power-Washed" Chromebook with ChromeOS
In order to reduce surface area for attacks, we can reset a Chromebook to its factory settings, effectively wiping any malicious software that may have made its way onto the system during previous use.
### "Power-Washing"
1. Press and hold the Ctrl + Alt + Shift + R keys on your keyboard.
2. Select the Restart option.
3. A screen will appear asking you to confirm that you want to reset the device. Click Powerwash and Reset, then Continue.

8
quorum-key-management/src/component-documents/openpgp-setup.md
View File

@ -96,10 +96,10 @@ computer;
* `rm -rf *`
// ANCHOR_END: steps-keyfork
## Generating Keys on YubiKey
## Generating Keys on Smartcard
// ANCHOR: steps-on-key-gen
1. Insert the YubiKey into the USB port if it is not already plugged in.
1. Insert the smartcard into the USB port if it is not already plugged in.
1. Open Command Prompt (Windows) or Terminal (macOS / Linux).
@ -113,7 +113,7 @@ computer;
1. When prompted, specify if you want to make an off-card backup of your encryption key.
* Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore to a new YubiKey.
* Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore to a new smartcard.
1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).
@ -127,7 +127,7 @@ computer;
1. Review the name and email, and accept or make changes.
1. Enter the default admin PIN again. The green light on the YubiKey will flash while the keys are being written.
1. Enter the default admin PIN again. The green light on the smartcard will flash while the keys are being written.
1. Enter a Passphrase as the key will not allow you to pass without having a passphrase. If you do not enter a Passphrase generation will fail.
// ANCHOR_END: steps-on-key-gen

2
quorum-key-management/src/physical-artifact-storage.md → quorum-key-management/src/component-documents/physical-artifact-storage.md
View File

@ -1,6 +1,6 @@
# Physical Artifact Storage
QKM requires that some of the hardware containing cryptographic material be
QVS requires that some of the hardware containing cryptographic material be
securely stored in physical locations. The two primary cases where physical
storage is necessary are the storage of Location Key Smart Cards, and Operator
Key Smart Cards. These Smart Cards are necessary to successfully execute a

2
quorum-key-management/src/public-ceremony-artifact-storage.md → quorum-key-management/src/component-documents/public-ceremony-artifact-storage.md
View File

@ -1,7 +1,7 @@
# Redundant Storage of Ceremony Artifacts
Ceremony Artifacts consist of data which is not sensitive in nature, but
essential to ongoing operation of a QKM.
essential to ongoing operation of a QVS.
The primary artifacts which are produced during the ceremony are:

0
quorum-key-management/src/enable-pure-boot-restricted-boot.md → quorum-key-management/src/component-documents/pureboot/enable-pure-boot-restricted-boot.md
View File

0
quorum-key-management/src/flash-pureboot-firmware.md → quorum-key-management/src/component-documents/pureboot/flash-pureboot-firmware.md
View File

0
quorum-key-management/src/initialize-pureboot-smart-card.md → quorum-key-management/src/component-documents/pureboot/initialize-pureboot-smart-card.md
View File

0
quorum-key-management/src/secure-boot-sequence.md → quorum-key-management/src/component-documents/pureboot/secure-boot-sequence.md
View File

7
quorum-key-management/src/fixed-location-reusable-hardware-procurement.md → quorum-key-management/src/component-documents/purism-procurement-procedure.md
View File

@ -1,5 +1,4 @@
# Procure Hardware
- [ ] TODO update this doc so it listes a bunch of models that support pureboot, not just purism
# Purism Procurement Procedure (Anti-Interdiction)
1. Select a librem 14 laptop from https://puri.sm, and ensure:
@ -35,6 +34,6 @@
* The laptop will be sealed in a box using tamper proofing tape
3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](./hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored.
4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](../tamper-evidence-methods.md) should be applied to the laptop before it's stored.

6
quorum-key-management/src/repeat-use-airgapos.md → quorum-key-management/src/component-documents/repeat-use-airgapos.md
View File

@ -1,5 +1,7 @@
/* ANCHOR: all */
# AirgapOS Setup
# PureBoot Hash Verifying .iso Setup
If the SD card with AirgapOS is stored as part of a tamper proofed bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony.
This section can be completed on any machine.
@ -8,7 +10,7 @@ AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations
// ANCHOR: steps
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command.
2. Verify the software according to [this guide](verifying-signatures.md)
2. Verify the software according to [this guide](./component-documents/verifying-signatures.md)
3. Place signed .iso on a storage device

42
quorum-key-management/src/component-documents/setting-smart-card-pins.md Normal file
View File

@ -0,0 +1,42 @@
# Setting Smart Card Pins
In order to protect unauthorized use of smart cards, PINs are leveraged.
There are two pins with different levels of authorization for making changes
to the smart card:
* User PIN
* Admin PIN
Both PINs support alphanumeric characters and typically need to be at least 6
characters long.
For Operator Keys it is recommended to use the default PINs, while for Location
Keys, PINs are generated by the `keyfork` utility and have high entropy.
**WARNING** Different smart cards have different failure thresholds, but typically after
entering the PIN incorrectly 3-10 times, the smart card is permanently locked
and can no longer be used.
## Guide
To set the smart card pins you may use the `gpg` utility. This guide should be
completed in a trusted environment, such as on a airgapped machine running
AirgapOS.
1. Plug the smart card into a computer which has the `gpg` utility intalled
2. Use the command `gpg --edit-card` to enter edit mode
3. gpg/card>
* Input `admin`, press Enter
4. Your selection?
* Input 1, press Enter
5. Please enter the PIN:
* Enter old PIN (default is 123456), press Enter
6. New PIN:
* Enter the new PIN, press Enter
7. Repeat this PIN:
* Enter the new PIN, press Enter
8. For the Admin PIN, the steps are the same, except in step 4, input "3", then
press Enter.

0
quorum-key-management/src/storage-device-management.md → quorum-key-management/src/component-documents/storage-device-management.md
View File

3
quorum-key-management/src/tamper-evidence-methods.md → quorum-key-management/src/component-documents/tamper-evidence-methods.md
View File

@ -42,7 +42,7 @@ This level of threat actors has a more extensive range of attacks which may incl
* MUST combine [glitter on screws](#glitter-on-screws), [pureboot/heads](#pureboot--heads), and [vacuum sealing with filler](#vacuum-sealed-bags-with-filler)
* MUST maintain 2 person [chain of custody](hardware-procurement-and-chain-of-custody.md)
* MUST maintain 2 person [chain of custody](./hardware-procurement-and-chain-of-custody.md)
#### Level 4
@ -76,6 +76,7 @@ Examples of filler:
* [B100B5LB 5 Lb Mixed Craft Bead Bonanza Case](https://www.thebeadery.com/product/b100b5lb-5-lb-mixed-craft-bead-bonanza-case/)
* [Plastic Beads - Multi Color & Size - 700ml](https://www.stockade.ca/Plastic-Beads--Multi-Colour-Size--700ml_p_8402.html)
// ANCHOR_END:vsbwf-filler
### Vacuum Sealers
Vacuum sealer needs to be able to seal bags of sufficient size to fit a 13" laptop

0
quorum-key-management/src/verifying-signatures.md → quorum-key-management/src/component-documents/verifying-signatures.md
View File

28
quorum-key-management/src/flashing-iso.md
View File

@ -1,21 +1,21 @@
4. Flash ISO Image to a Storage Device
# Flash ISO Image to a Storage Device
a. Select a new Storage Device which can be overwritten entirely
1. Select a new Storage Device which can be overwritten entirely
b. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name)
1. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name)
d. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need
to replace `<your_storage_device>` with the name of your device.
1. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need
to replace `<your_storage_device>` with the name of your device.
```bash
sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/<your_thumb_drive> status=progress
```
```bash
sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/<your_thumb_drive> status=progress
```
In the example, the name of the device is `sda` so the complete command would look like this:
In the example, the name of the device is `sda` so the complete command would look like this:
```bash
sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress
```
```bash
sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress
```
Once this step is complete, you have successfully set up a Storage Device
with AirgapOS.
Once this step is complete, you have successfully set up a Storage Device
with AirgapOS.

8
quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md
View File

@ -26,21 +26,21 @@
- [ ] TODO guide on how to do this
1. Enter the designated location with the 3 operators and all required equipment
1. Enter the designated location with the 2 operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve sealed laptop and polaroid from locked storage
### Unsealing Tamper Proofing
{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
### Secure Boot Procedure
1. Plug PureBoot smart card into air-gapped machine
1. Plug in SD card labelled "AirgapOS"
{{ #include ../../../../../../secure-boot-sequence.md:prepared}}
TODO: add steps
1. Plug in SD card labelled "Keychain"
@ -112,5 +112,5 @@
#### Sealing
{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

50
quorum-key-management/src/generated-documents/level-2/fixed-location/operator/provisioning-pgp-key.md Normal file
View File

@ -0,0 +1,50 @@
# NOT PRODUCTION READY
# Operator - Provisioning PGP Keypair
## Requirements
The initial set up requires the operators to do all of these in a continuous session ensuring dual custody:
1. procure hardware
2. gut hardware
3. set up airgap together, built from source
4. burn sd card
5. boot airgap
6. generate mnemonic 1
7. generate pgp key
8. seed card(s) using oct
9. tamper proof the laptop
10. submit pgp signed proof to previously set up ceremonies repo
## Procedure
1. Set up AirgapOS (can be done ahead of time)
- [ ] add guide
1. Procure hardware
* Dual custody
* Remove radio cards etc.
1. Enter the designated location with an operator and individual keys are being generated for and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Boot AirgapOS from verified SD card
1. Generate mnemonic using `keyfork` command:
* TODO add keyfork command
1. Derive PGP key using `keyfork` command:
* TODO add command
1. Use `oct` to seed smart card(s)
#### Creation of Initial Air-gapped Bundle
- [ ] TODO there is a reference to air gapped bundle in provisioner: procure-equipment... doc
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

16
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md
View File

@ -42,7 +42,7 @@ SD cards don't require special chain of custody, but ideally should be purchased
* Both microSD and regular SD cards should be available
* They should be formatted to `ext4` format
* They should be formatted to `fat32` format
* Usage of these SD cards:
@ -57,17 +57,17 @@ SD cards don't require special chain of custody, but ideally should be purchased
## Tamper Proofing Equipment
### Vacuum Sealer and roll
{{ #include ../../../../tamper-evidence-methods.md:vsbwf-equipment}}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-equipment}}
### Colored beads
{{ #include ../../../../tamper-evidence-methods.md:vsbwf-filler}}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-filler}}
### Digital camera
{{ #include ../../../../tamper-evidence-methods.md:digital-cameras}}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:digital-cameras}}
### Polaroid camera
{{ #include ../../../../tamper-evidence-methods.md:polaroid-cameras}}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:polaroid-cameras}}
## AirgapOS (SD Card)
@ -121,11 +121,11 @@ Sealable plastic bag is required for this procedure:
### Models
{{ #include ../../../../hardware-models.md:computer-models }}
{{ #include ../../hardware.md:computer-models }}
### Procedure
{{ #include ../../../../hardware-procurement-and-chain-of-custody.md:steps}}
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}}
## Air-gapped bundle
@ -141,4 +141,4 @@ Sealable plastic bag is required for this procedure:
### Procedure
{{ #include ../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing }}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}

23
quorum-key-management/src/generated-documents/level-2/hardware.md Normal file
View File

@ -0,0 +1,23 @@
/* ANCHOR: all */
# Hardware for Level 2 Threat Model
## Computers
* Computers for this use are are appropriate as long as they are compatible with AirgapOS. At this level, the essential aspect of hardware procurement is to ensure dual custody at all times. Outside of that any additional protections are welcome but not necessary.
* Laptops with chargers over ports which don't allow data transfer is preferred (non USB etc.)
// ANCHOR: computer-models
* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
* [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
* Purism Librem 14
* Nova Custom (Untested)
// ANCHOR_END: computer-models
/* ANCHOR_END: all */

6
quorum-key-management/src/glossary.md
View File

@ -10,7 +10,7 @@ using an algorithm, called a cipher.
Entropy in cryptography refers to the measure of randomness or unpredictability
in data used for generating cryptographic keys and other security elements.
## Quorum Key Management (QKM)
## Quorum Key Management (QVS)
A set of highly specified processes and tooling used for setting up a highly
resilient quorum-based key management system.
@ -19,7 +19,7 @@ resilient quorum-based key management system.
An individual who manages an [Operator Key](#operator-key) which is used for
protecting the passphrase of a Location key and participates in different
aspects of the lifecycle management of the QKM system.
aspects of the lifecycle management of the QVS system.
## Operator Key
@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is
## Organization
An organization which owns the QKM and is responsible for funding the setup and
An organization which owns the QVS and is responsible for funding the setup and
maintenance. The organization is also responsible for ensuring that the
[Warehouse](#warehouse) is properly maintained in order to ensure that the
ciphertext blobs associated with the system are redundantly stored and

4
quorum-key-management/src/hardware.md
View File

@ -8,7 +8,7 @@ kind of hardware supply chain compromise, has the same vulnerability present, or
has the same type of hardware failure issue.
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
required to set up a [QKM](glossary.md#quroum-kms-QKM) will
required to set up a [QVS](glossary.md#quroum-kms-QVS) will
vary. In order to figure out what equipment is required, decide on a Quorum,
which is expressed as "N of M". Once you know your M, the required equipment list
is the following:
@ -68,7 +68,7 @@ security and verifiable software
## Air-Gapped Computer
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle
management of cryptographic material that is part of QKM.
management of cryptographic material that is part of QVS.
The primary hardware recommendation for an Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)

2
quorum-key-management/src/hybrid-key-provisioning.md
View File

@ -1,7 +1,7 @@
# Hybrid Key Provisioning
This document contains instructions on how Operators collaborate to set up
QKM where the Operator Keys and Location Keys were generated before this
QVS where the Operator Keys and Location Keys were generated before this
ceremony and only the PGP Public Certificates of the Location keys are brought
to the ceremony which are used to shard the Root Entropy. This is useful
when conducting the ceremony in a lower trust environment, and where not all

2
quorum-key-management/src/local-key-provisioning.md
View File

@ -1,7 +1,7 @@
# Local Key Provisioning
This document contains instructions on how Operators collaborate to set up
QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards
QVS which requires an N-of-M quorum to be reconstituted. The encrypted shards
which result from this ceremony are stored in separate physical
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
to which shards are encrypted, and whose passphrases are protected using

2
quorum-key-management/src/location-key-provisioning.md
View File

@ -3,7 +3,7 @@
## Description
This ceremony is for generating Location Keys. Location Keys are typically
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The
Location Keys are keypairs to which the Root Entropy of a QVS is sharded. The
keypairs are stored exclusively on Smart Cards, and the PINs which protect the
Smart Cards are encrypted to Operator Keys.

2
quorum-key-management/src/locations.md
View File

@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons
locations simultaneously
* SHOULD be facilities owned by different organizations to reduce the risk of
collusion unless the organization who owns the QKM system has their own facility such
collusion unless the organization who owns the QVS system has their own facility such
as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
## Level 4 (SCIF)

56
quorum-key-management/src/one-time-repository-setup.md
View File

@ -1,56 +0,0 @@
# Repository Setup
Before the one time ceremony, a git repository should be set up which contains
several items which will be relevant to the ceremony. Namely the following:
* PGP public certificates of the Location Keys which will be used for the
ceremony. The key ids of these certificates will be verified during the
ceremony.
* `ceremony.sh` a script which imports the PGP public certificates of the
location keys, and displays their ids so that Operators can verify that they are
the correct ones. This script will also execute the appropriate `keyfork`
command with a desired threshold:
```
#!/bin/sh
read -p "Generate hardware interrupt entropy by typing randomly on keyboard" entropy
mount
read -p "Provide the path to PGP certificates which will be used for the ceremony: " absolute_path
if [ ! -d "$absolute_path" ]; then
echo "Directory does not exist. Please enter a valid absolute path."
exit 1
fi
for file in "$absolute_path"/keys/*; do
if [ -f "$file" ]; then
echo "Processing file: $file"
gpg --import --import-options import-show $file
fi
done
read -p "Do the PGP key IDs match what you expect? (y/n): " matches_expectation
if [ "$matches_expectation" != "y" ]; then
echo "Ceasing ceremony as PGP key IDs don't match"
exit 1
fi
keyfork wizard bottoms-up --threshold 2 --output-cert "$absolute_path"/cert --output-shardfile "$absolute_path"/shardfile --user-id "QKM Ceremony" "$absolute_path"/keys
```
* The `airgap.iso` which is to be used during the ceremony
* Each operator should produce Ceremony Notes which contain:
* `sha256sum` of `airgap.iso`
* The AirgapOS commit and date for the version that was used
* `sha256sum` of `ceremony.sh`
* Key ID of each PGP Public Certificate located in `public-certificates`
in the ceremony repository

19
quorum-key-management/src/one-time-use-locations.md
View File

@ -1,20 +1 @@
# Selecting Locations
* MUST be selected at random right before the ceremony
* MUST have physical access control to prevent inflow and outflow of personnel during ceremony
* SHOULD NOT have electronics in it as they can be used for side channel attacks
* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen
## Location Examples
* A hotel room although it is relatively common to find spying devices in them so they are not a great choice
* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it
* Open space with nobody around such as a forest, desert, large parking lot etc.
Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF.

30
quorum-key-management/src/online-machine-provisioning.md
View File

@ -1,29 +1 @@
# Online Machine Provisioning
## QubesOS
QubesOS is a preferred operating system for use in high security assurance scenarios as it uses hardware based virtualization leveraging the Xen hypervisor, which gives strong isolation guarantees. This makes it trivial to create purpose specific environments, which have minimal software footprints, as well as restricted networking in order to limit ingress and egress.
* [Hardware Compability](https://www.qubes-os.org/hcl/)
* It is highly preferred to use a Purism machine due to additional hardware supply chain security features such as anti-interdiction
* Commonly used alternative makes include: ThinkPads, Framework and Dell
* [Installation](https://www.qubes-os.org/downloads/)
* MUST follow "verifying signatures" guide
## "Power-Washed" Chromebook with ChromeOS
In order to reduce surface area for attacks, we can reset a Chromebook to its factory settings, effectively wiping any malicious software that may have made its way onto the system during previous use.
### "Power-Washing"
1. Press and hold the Ctrl + Alt + Shift + R keys on your keyboard.
2. Select the Restart option.
3. A screen will appear asking you to confirm that you want to reset the device. Click Powerwash and Reset, then Continue.
# Online Machine

2
quorum-key-management/src/portable-reusable-laptop-ceremony.md
View File

@ -24,7 +24,7 @@ To conform to [Level 2](threat-model.md#level-2) security properties a location
### Equipment
* Laptop procured according to [Hardware Procurement](hardware-procurement-and-chain-of-custody.md) guide
* Laptop procured according to [Hardware Procurement](./component-documents/hardware-procurement-and-chain-of-custody.md) guide
* Polaroid camera + pack of polaroid film
- [] TODO update tamper rpoofing doc with polaroid camera models and film

4
quorum-key-management/src/quorum-team.md
View File

@ -1,7 +1,7 @@
# Quorum Team
The Quorum Team is a team of individuals who are selected to perform different
roles related to a QKM. Some of the Quorum Team members have ongoing roles,
roles related to a QVS. Some of the Quorum Team members have ongoing roles,
while others may participate in a partial manner.
Depending on the type of actions performed, some or all of the members of the
@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to
risk appetite.
## Witness
Witnesses are individuals who are familiar with the QKM specification, and can
Witnesses are individuals who are familiar with the QVS specification, and can
ensure that the different aspects of the system are set up correctly, and
processes carried out as they should be. The main objective of the witnesses is
to monitor and attest that processes such as the ceremonies are done according

2
quorum-key-management/src/selecting-quorum.md
View File

@ -1,6 +1,6 @@
# Selecting a Quorum
The backbone of QKM is a Quorum which is used to reconstitute or re-assemble
The backbone of QVS is a Quorum which is used to reconstitute or re-assemble
cryptographic material, and approve actions. Quorum is a general term referring
to a system which requires the collaboration of multiple individuals in order to
achieve something, and it is based on a Threshold which determines how many

43
quorum-key-management/src/setting-smart-card-pins.md
View File

@ -1,42 +1 @@
# Setting Smart Card Pins
In order to protect unauthorized use of smart cards, PINs are leveraged.
There are two pins with different levels of authorization for making changes
to the smart card:
* User PIN
* Admin PIN
Both PINs support alphanumeric characters and typically need to be at least 6
characters long.
For Operator Keys it is recommended to use the default PINs, while for Location
Keys, PINs are generated by the `keyfork` utility and have high entropy.
**WARNING** Different smart cards have different failure thresholds, but typically after
entering the PIN incorrectly 3-10 times, the smart card is permanently locked
and can no longer be used.
## Guide
To set the smart card pins you may use the `gpg` utility. This guide should be
completed in a trusted environment, such as on a airgapped machine running
AirgapOS.
1. Plug the smart card into a computer which has the `gpg` utility intalled
2. Use the command `gpg --edit-card` to enter edit mode
3. gpg/card>
* Input `admin`, press Enter
4. Your selection?
* Input 1, press Enter
5. Please enter the PIN:
* Enter old PIN (default is 123456), press Enter
6. New PIN:
* Enter the new PIN, press Enter
7. Repeat this PIN:
* Enter the new PIN, press Enter
8. For the Admin PIN, the steps are the same, except in step 4, input "3", then
press Enter.
# Change Smart Card PINs

4
quorum-key-management/src/software.md
View File

@ -1,5 +1,5 @@
# Software
This page outlines the software used for setting up QKM.
This page outlines the software used for setting up QVS.
## [[Stageˣ]](https://codeberg.org/stagex/stagex)
@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
seed, which is used for hierarchical deterministic key derivation.
This software is the backbone for all cryptographic actions performed as part
of QKM. It was developed by [Distrust](https://distrust.co) and is included
of QVS. It was developed by [Distrust](https://distrust.co) and is included
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
significant vulnerabilities found.

2
quorum-key-management/src/threat-model.md
View File

@ -242,7 +242,7 @@ This level focuses on defending against insider threats.
* SHOULD be stored in a neutral location only the primary and backup shard holder can access
* Done in person on air-gapped laptop that has been in [dual witnessed custody](hardware-procurement-and-chain-of-custody.md) since procurement
* Done in person on air-gapped laptop that has been in [dual witnessed custody](./component-documents/hardware-procurement-and-chain-of-custody.md) since procurement
* Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc)