From 53202c61798f30afb81d8d3fb5170ac7001529cb Mon Sep 17 00:00:00 2001 
From: Anton Livaja Date: Mon, 6 Jan 2025 13:17:30 -0500 Subject: [PATCH] major refactor --- quorum-key-management/README.md | 4 +- quorum-key-management/src/SUMMARY.md | 41 +++++--------- .../autorun-sh-setup.md | 0 .../hardware-destruction.md | 2 + ...rdware-procurement-and-chain-of-custody.md | 0 .../one-time-use-airgapos.md | 6 +- .../online-machine-provisioning.md | 29 ++++++++++ .../src/component-documents/openpgp-setup.md | 8 +-- .../physical-artifact-storage.md | 2 +- .../public-ceremony-artifact-storage.md | 2 +- .../enable-pure-boot-restricted-boot.md | 0 .../pureboot}/flash-pureboot-firmware.md | 0 .../initialize-pureboot-smart-card.md | 0 .../pureboot}/secure-boot-sequence.md | 0 .../purism-procurement-procedure.md} | 7 +-- .../repeat-use-airgapos.md | 6 +- .../setting-smart-card-pins.md | 42 ++++++++++++++ .../storage-device-management.md | 0 .../tamper-evidence-methods.md | 3 +- .../verifying-signatures.md | 0 quorum-key-management/src/flashing-iso.md | 28 +++++----- .../coins/pyth-spl/sign-transaction.md | 8 +-- .../operator/provisioning-pgp-key.md | 50 +++++++++++++++++ .../procure-equipment-and-location.md | 16 +++--- .../generated-documents/level-2/hardware.md | 23 ++++++++ quorum-key-management/src/glossary.md | 6 +- quorum-key-management/src/hardware.md | 4 +- .../src/hybrid-key-provisioning.md | 2 +- .../src/local-key-provisioning.md | 2 +- .../src/location-key-provisioning.md | 2 +- quorum-key-management/src/locations.md | 2 +- .../src/one-time-repository-setup.md | 56 ------------------- .../src/one-time-use-locations.md | 19 ------- .../src/online-machine-provisioning.md | 30 +--------- .../src/portable-reusable-laptop-ceremony.md | 2 +- quorum-key-management/src/quorum-team.md | 4 +- quorum-key-management/src/selecting-quorum.md | 2 +- .../src/setting-smart-card-pins.md | 43 +------------- quorum-key-management/src/software.md | 4 +- quorum-key-management/src/threat-model.md | 2 +- 40 files changed, 223 insertions(+), 234 deletions(-) rename 
quorum-key-management/src/{ => component-documents}/autorun-sh-setup.md (100%) rename quorum-key-management/src/{ => component-documents}/hardware-destruction.md (90%) rename quorum-key-management/src/{ => component-documents}/hardware-procurement-and-chain-of-custody.md (100%) rename quorum-key-management/src/{ => component-documents}/one-time-use-airgapos.md (83%) create mode 100644 quorum-key-management/src/component-documents/online-machine-provisioning.md rename quorum-key-management/src/{ => component-documents}/physical-artifact-storage.md (96%) rename quorum-key-management/src/{ => component-documents}/public-ceremony-artifact-storage.md (95%) rename quorum-key-management/src/{ => component-documents/pureboot}/enable-pure-boot-restricted-boot.md (100%) rename quorum-key-management/src/{ => component-documents/pureboot}/flash-pureboot-firmware.md (100%) rename quorum-key-management/src/{ => component-documents/pureboot}/initialize-pureboot-smart-card.md (100%) rename quorum-key-management/src/{ => component-documents/pureboot}/secure-boot-sequence.md (100%) rename quorum-key-management/src/{fixed-location-reusable-hardware-procurement.md => component-documents/purism-procurement-procedure.md} (76%) rename quorum-key-management/src/{ => component-documents}/repeat-use-airgapos.md (79%) create mode 100644 quorum-key-management/src/component-documents/setting-smart-card-pins.md rename quorum-key-management/src/{ => component-documents}/storage-device-management.md (100%) rename quorum-key-management/src/{ => component-documents}/tamper-evidence-methods.md (99%) rename quorum-key-management/src/{ => component-documents}/verifying-signatures.md (100%) create mode 100644 quorum-key-management/src/generated-documents/level-2/fixed-location/operator/provisioning-pgp-key.md create mode 100644 quorum-key-management/src/generated-documents/level-2/hardware.md delete mode 100644 quorum-key-management/src/one-time-repository-setup.md 
diff --git a/quorum-key-management/README.md b/quorum-key-management/README.md index 700b397..6ea57cf 100644 --- a/quorum-key-management/README.md +++ b/quorum-key-management/README.md @@ -1,6 +1,6 @@ -# Quorum Key Management (QKM) +# Quorum Key Management (QVS) -Quorum Key Management (QKM) is an open source system of playbooks and tooling which +Quorum Key Management (QVS) is an open source system of playbooks and tooling which facilitates the creation and maintenance of highly resilient Quorum-based Key Management Systems based on a strict threat model which can be used for a variety of different cryptographic algorithms. diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index 3a6f59c..e282351 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md 
@@ -6,34 +6,7 @@ * [Software](software.md) * [Hardware](hardware.md) * [Glossary](glossary.md) -* [Preparations]() - * [Verifying Signatures](verifying-signatures.md) - * [Tamper Evidence Methods](tamper-evidence-methods.md) - * [Online Machine](online-machine-provisioning.md) - * [Fixed Location Reusable Laptop]() - * [Location](locations.md) - * [Procure Hardware](fixed-location-reusable-hardware-procurement.md) - * [PureBoot]() - * [Flash PureBoot to Librem](flash-pureboot-firmware.md) - * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md) - * [Change Smart Card PINs](setting-smart-card-pins.md) - * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) - * [PureBoot Boot Sequence](secure-boot-sequence.md) - * [AirgapOS Setup]() - * [AirgapOS Setup](repeat-use-airgapos.md) - * [`autorun.sh` Setup](autorun-sh-setup.md) - * [One Time Use / Portable Use]() - * [Location](one-time-use-locations.md) - * [Procure Hardware](hardware-procurement-and-chain-of-custody.md) - * [AirgapOS Setup](one-time-use-airgapos.md) - * [Repository Setup](one-time-repository-setup.md) - * [Selecting Locations](one-time-use-locations.md) -* [Post Ceremony]() - * [Online Artifact Storage](public-ceremony-artifact-storage.md) - * [Physical Artifact Storage](physical-artifact-storage.md) -* [Lifecycle Management]() - * [Destroying Hardware](hardware-destruction.md) - * [Storage Device Management](storage-device-management.md) + * [Location](locations.md) * [Generated Documents]() * [Root Entropy Generation]() * [Ceremony Log Template](ceremony-log-template.md) 
@@ -60,6 +33,18 @@ * [Level 3]() * [Level 4]() * [Document Components]() + * [Ceremony Repository](./component-documents/ceremony-repository.md) + * [Keychain Repository](./component-documents/keychain-repository.md) * [Git Commit Signing](./component-documents/git-commit-signing.md) * [GUI Git Commit](./component-documents/gui-git-commit.md) * [OpenPGP Setup](./component-documents/openpgp-setup.md) + * [Verifying Signatures](./component-documents/verifying-signatures.md) + * [Tamper Evidence Methods](./component-documents/tamper-evidence-methods.md) + * [Change Smart Card PINs](./component-documents/setting-smart-card-pins.md) + * [Online Machine Provisioning](online-machine-provisioning.md) + * [Destroying Hardware](./component-documents/hardware-destruction.md) + * [Storage Device Management](./component-documents/storage-device-management.md) + * [Procure Hardware](./component-documents/hardware-procurement-and-chain-of-custody.md) + * [Online Artifact Storage](./component-documents/public-ceremony-artifact-storage.md) + * [Physical Artifact Storage](./component-documents/physical-artifact-storage.md) + * [`autorun.sh` Setup](./component-documents/autorun-sh-setup.md) \ No newline at end of file diff --git a/quorum-key-management/src/autorun-sh-setup.md b/quorum-key-management/src/component-documents/autorun-sh-setup.md similarity index 100% rename from quorum-key-management/src/autorun-sh-setup.md rename to quorum-key-management/src/component-documents/autorun-sh-setup.md diff --git a/quorum-key-management/src/hardware-destruction.md b/quorum-key-management/src/component-documents/hardware-destruction.md similarity index 90% rename from quorum-key-management/src/hardware-destruction.md rename to quorum-key-management/src/component-documents/hardware-destruction.md index 21d99f1..edab9f9 100644 --- a/quorum-key-management/src/hardware-destruction.md +++ b/quorum-key-management/src/component-documents/hardware-destruction.md 
@@ -8,6 +8,8 @@ Destroying hardware should be done by using a combination of: * Shredding +* Pulverizing + All three methods should be used because of the efficacy of using electron microscopy to read data from storage drives which have not been completely destroyed. diff --git a/quorum-key-management/src/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md similarity index 100% rename from quorum-key-management/src/hardware-procurement-and-chain-of-custody.md rename to quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md diff --git a/quorum-key-management/src/one-time-use-airgapos.md b/quorum-key-management/src/component-documents/one-time-use-airgapos.md similarity index 83% rename from quorum-key-management/src/one-time-use-airgapos.md rename to quorum-key-management/src/component-documents/one-time-use-airgapos.md index f06bdba..b196734 100644 --- a/quorum-key-management/src/one-time-use-airgapos.md +++ b/quorum-key-management/src/component-documents/one-time-use-airgapos.md @@ -9,11 +9,11 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using // ANCHOR: steps 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command. -2. Verify the software according to [this](verifying-signatures.md) guide +2. Verify the software according to [this](./component-documents/verifying-signatures.md) guide 3. Flash `airgap.iso` to an SD Card: - * `dd if=out/airgap.iso of=/dev/ bs=4M status=progress oflag=direct` + * `dd if=out/airgap.iso of=/dev/ bs=4M status=progress conv=fsync` 4. Use the `sdtool` to lock the SD Card: 
@@ -29,7 +29,7 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using * Test that the card can't be written to: - * `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress` + * `dd if=out/airgap.iso of=/dev/sdb bs=1M status=progress conv=fsync` 5. Label the SD card "AirgapOS - " diff --git a/quorum-key-management/src/component-documents/online-machine-provisioning.md b/quorum-key-management/src/component-documents/online-machine-provisioning.md new file mode 100644 index 0000000..58117c2 --- /dev/null +++ b/quorum-key-management/src/component-documents/online-machine-provisioning.md @@ -0,0 +1,29 @@ +# Online Machine Provisioning + +## QubesOS + +QubesOS is a preferred operating system for use in high security assurance scenarios as it uses hardware based virtualization leveraging the Xen hypervisor, which gives strong isolation guarantees. This makes it trivial to create purpose specific environments, which have minimal software footprints, as well as restricted networking in order to limit ingress and egress. + +* [Hardware Compability](https://www.qubes-os.org/hcl/) + + * It is highly preferred to use a Purism machine due to additional hardware supply chain security features such as anti-interdiction + + * Commonly used alternative makes include: ThinkPads, Framework and Dell + +* [Installation](https://www.qubes-os.org/downloads/) + + * MUST follow "verifying signatures" guide + +## "Power-Washed" Chromebook with ChromeOS + +In order to reduce surface area for attacks, we can reset a Chromebook to its factory settings, effectively wiping any malicious software that may have made its way onto the system during previous use. + +### "Power-Washing" + +1. Press and hold the Ctrl + Alt + Shift + R keys on your keyboard. + +2. Select the Restart option. + +3. A screen will appear asking you to confirm that you want to reset the device. Click Powerwash and Reset, then Continue. + + 
diff --git a/quorum-key-management/src/component-documents/openpgp-setup.md b/quorum-key-management/src/component-documents/openpgp-setup.md index 6c4a160..7381fbc 100644 --- a/quorum-key-management/src/component-documents/openpgp-setup.md +++ b/quorum-key-management/src/component-documents/openpgp-setup.md @@ -96,10 +96,10 @@ computer; * `rm -rf *` // ANCHOR_END: steps-keyfork -## Generating Keys on YubiKey +## Generating Keys on Smartcard // ANCHOR: steps-on-key-gen -1. Insert the YubiKey into the USB port if it is not already plugged in. +1. Insert the smartcard into the USB port if it is not already plugged in. 1. Open Command Prompt (Windows) or Terminal (macOS / Linux). @@ -113,7 +113,7 @@ computer; 1. When prompted, specify if you want to make an off-card backup of your encryption key. - * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore to a new YubiKey. + * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore to a new smartcard. 1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years). @@ -127,7 +127,7 @@ computer; 1. Review the name and email, and accept or make changes. -1. Enter the default admin PIN again. The green light on the YubiKey will flash while the keys are being written. +1. Enter the default admin PIN again. The green light on the smartcard will flash while the keys are being written. 1. Enter a Passphrase as the key will not allow you to pass without having a passphrase. If you do not enter a Passphrase generation will fail. // ANCHOR_END: steps-on-key-gen diff --git a/quorum-key-management/src/physical-artifact-storage.md b/quorum-key-management/src/component-documents/physical-artifact-storage.md similarity index 96% rename from quorum-key-management/src/physical-artifact-storage.md rename to quorum-key-management/src/component-documents/physical-artifact-storage.md index 4936f03..a7ef1ae 100644 
--- a/quorum-key-management/src/physical-artifact-storage.md +++ b/quorum-key-management/src/component-documents/physical-artifact-storage.md @@ -1,6 +1,6 @@ # Physical Artifact Storage -QKM requires that some of the hardware containing cryptographic material be +QVS requires that some of the hardware containing cryptographic material be securely stored in physical locations. The two primary cases where physical storage is necessary are the storage of Location Key Smart Cards, and Operator Key Smart Cards. These Smart Cards are necessary to successfully execute a diff --git a/quorum-key-management/src/public-ceremony-artifact-storage.md b/quorum-key-management/src/component-documents/public-ceremony-artifact-storage.md similarity index 95% rename from quorum-key-management/src/public-ceremony-artifact-storage.md rename to quorum-key-management/src/component-documents/public-ceremony-artifact-storage.md index 1f1542e..dc8da1e 100644 --- a/quorum-key-management/src/public-ceremony-artifact-storage.md +++ b/quorum-key-management/src/component-documents/public-ceremony-artifact-storage.md @@ -1,7 +1,7 @@ # Redundant Storage of Ceremony Artifacts Ceremony Artifacts consist of data which is not sensitive in nature, but -essential to ongoing operation of a QKM. +essential to ongoing operation of a QVS. The primary artifacts which are produced during the ceremony are: diff --git a/quorum-key-management/src/enable-pure-boot-restricted-boot.md b/quorum-key-management/src/component-documents/pureboot/enable-pure-boot-restricted-boot.md similarity index 100% rename from quorum-key-management/src/enable-pure-boot-restricted-boot.md rename to quorum-key-management/src/component-documents/pureboot/enable-pure-boot-restricted-boot.md 
diff --git a/quorum-key-management/src/flash-pureboot-firmware.md b/quorum-key-management/src/component-documents/pureboot/flash-pureboot-firmware.md similarity index 100% rename from quorum-key-management/src/flash-pureboot-firmware.md rename to quorum-key-management/src/component-documents/pureboot/flash-pureboot-firmware.md diff --git a/quorum-key-management/src/initialize-pureboot-smart-card.md b/quorum-key-management/src/component-documents/pureboot/initialize-pureboot-smart-card.md similarity index 100% rename from quorum-key-management/src/initialize-pureboot-smart-card.md rename to quorum-key-management/src/component-documents/pureboot/initialize-pureboot-smart-card.md diff --git a/quorum-key-management/src/secure-boot-sequence.md b/quorum-key-management/src/component-documents/pureboot/secure-boot-sequence.md similarity index 100% rename from quorum-key-management/src/secure-boot-sequence.md rename to quorum-key-management/src/component-documents/pureboot/secure-boot-sequence.md diff --git a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md b/quorum-key-management/src/component-documents/purism-procurement-procedure.md similarity index 76% rename from quorum-key-management/src/fixed-location-reusable-hardware-procurement.md rename to quorum-key-management/src/component-documents/purism-procurement-procedure.md index a060c61..c5b9bb6 100644 --- a/quorum-key-management/src/fixed-location-reusable-hardware-procurement.md +++ b/quorum-key-management/src/component-documents/purism-procurement-procedure.md @@ -1,5 +1,4 @@ -# Procure Hardware -- [ ] TODO update this doc so it listes a bunch of models that support pureboot, not just purism +# Purism Procurement Procedure (Anti-Interdiction) 1. Select a librem 14 laptop from https://puri.sm, and ensure: 
@@ -35,6 +34,6 @@ * The laptop will be sealed in a box using tamper proofing tape -3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact. +3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](./hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact. -4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored. \ No newline at end of file +4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](../tamper-evidence-methods.md) should be applied to the laptop before it's stored. \ No newline at end of file diff --git a/quorum-key-management/src/repeat-use-airgapos.md b/quorum-key-management/src/component-documents/repeat-use-airgapos.md similarity index 79% rename from quorum-key-management/src/repeat-use-airgapos.md rename to quorum-key-management/src/component-documents/repeat-use-airgapos.md index eda198f..a015dc8 100644 --- a/quorum-key-management/src/repeat-use-airgapos.md +++ b/quorum-key-management/src/component-documents/repeat-use-airgapos.md 
@@ -1,5 +1,7 @@ /* ANCHOR: all */ -# AirgapOS Setup +# PureBoot Hash Verifying .iso Setup + +If the SD card with AirgapOS is stored as part of a tamper proofed bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony. This section can be completed on any machine. @@ -8,7 +10,7 @@ AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations // ANCHOR: steps 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command. -2. Verify the software according to [this guide](verifying-signatures.md) +2. Verify the software according to [this guide](./component-documents/verifying-signatures.md) 3. Place signed .iso on a storage device diff --git a/quorum-key-management/src/component-documents/setting-smart-card-pins.md b/quorum-key-management/src/component-documents/setting-smart-card-pins.md new file mode 100644 index 0000000..1808d96 --- /dev/null +++ b/quorum-key-management/src/component-documents/setting-smart-card-pins.md 
@@ -0,0 +1,42 @@ +# Setting Smart Card Pins + +In order to protect unauthorized use of smart cards, PINs are leveraged. + +There are two pins with different levels of authorization for making changes +to the smart card: + +* User PIN + +* Admin PIN + +Both PINs support alphanumeric characters and typically need to be at least 6 +characters long. + +For Operator Keys it is recommended to use the default PINs, while for Location +Keys, PINs are generated by the `keyfork` utility and have high entropy. + +**WARNING** Different smart cards have different failure thresholds, but typically after +entering the PIN incorrectly 3-10 times, the smart card is permanently locked +and can no longer be used. + +## Guide + +To set the smart card pins you may use the `gpg` utility. This guide should be +completed in a trusted environment, such as on a airgapped machine running +AirgapOS. + +1. Plug the smart card into a computer which has the `gpg` utility intalled +2. Use the command `gpg --edit-card` to enter edit mode +3. gpg/card> + * Input `admin`, press Enter +4. Your selection? + * Input 1, press Enter +5. Please enter the PIN: + * Enter old PIN (default is 123456), press Enter +6. New PIN: + * Enter the new PIN, press Enter +7. Repeat this PIN: + * Enter the new PIN, press Enter + +8. For the Admin PIN, the steps are the same, except in step 4, input "3", then +press Enter. diff --git a/quorum-key-management/src/storage-device-management.md b/quorum-key-management/src/component-documents/storage-device-management.md similarity index 100% rename from quorum-key-management/src/storage-device-management.md rename to quorum-key-management/src/component-documents/storage-device-management.md 
diff --git a/quorum-key-management/src/tamper-evidence-methods.md b/quorum-key-management/src/component-documents/tamper-evidence-methods.md similarity index 99% rename from quorum-key-management/src/tamper-evidence-methods.md rename to quorum-key-management/src/component-documents/tamper-evidence-methods.md index 945f002..8ff3457 100644 --- a/quorum-key-management/src/tamper-evidence-methods.md +++ b/quorum-key-management/src/component-documents/tamper-evidence-methods.md @@ -42,7 +42,7 @@ This level of threat actors has a more extensive range of attacks which may incl * MUST combine [glitter on screws](#glitter-on-screws), [pureboot/heads](#pureboot--heads), and [vacuum sealing with filler](#vacuum-sealed-bags-with-filler) -* MUST maintain 2 person [chain of custody](hardware-procurement-and-chain-of-custody.md) +* MUST maintain 2 person [chain of custody](./hardware-procurement-and-chain-of-custody.md) #### Level 4 @@ -76,6 +76,7 @@ Examples of filler: * [B100B5LB – 5 Lb Mixed Craft Bead Bonanza Case](https://www.thebeadery.com/product/b100b5lb-5-lb-mixed-craft-bead-bonanza-case/) * [Plastic Beads - Multi Color & Size - 700ml](https://www.stockade.ca/Plastic-Beads--Multi-Colour-Size--700ml_p_8402.html) // ANCHOR_END:vsbwf-filler + ### Vacuum Sealers Vacuum sealer needs to be able to seal bags of sufficient size to fit a 13" laptop diff --git a/quorum-key-management/src/verifying-signatures.md b/quorum-key-management/src/component-documents/verifying-signatures.md similarity index 100% rename from quorum-key-management/src/verifying-signatures.md rename to quorum-key-management/src/component-documents/verifying-signatures.md diff --git a/quorum-key-management/src/flashing-iso.md b/quorum-key-management/src/flashing-iso.md index efdd7b1..d42faea 100644 --- a/quorum-key-management/src/flashing-iso.md +++ b/quorum-key-management/src/flashing-iso.md 
@@ -1,21 +1,21 @@ -4. Flash ISO Image to a Storage Device +# Flash ISO Image to a Storage Device - a. Select a new Storage Device which can be overwritten entirely +1. Select a new Storage Device which can be overwritten entirely - b. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name) +1. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name) - d. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need - to replace `` with the name of your device. +1. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need +to replace `` with the name of your device. - ```bash - sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/ status=progress - ``` +```bash +sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/ status=progress +``` - In the example, the name of the device is `sda` so the complete command would look like this: +In the example, the name of the device is `sda` so the complete command would look like this: - ```bash - sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress - ``` +```bash +sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress +``` - Once this step is complete, you have successfully set up a Storage Device - with AirgapOS. \ No newline at end of file +Once this step is complete, you have successfully set up a Storage Device +with AirgapOS. \ No newline at end of file diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md index a88c580..61add81 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md 
+++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md @@ -26,21 +26,21 @@ - [ ] TODO guide on how to do this -1. Enter the designated location with the 3 operators and all required equipment +1. Enter the designated location with the 2 operators and all required equipment 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony 1. Retrieve sealed laptop and polaroid from locked storage ### Unsealing Tamper Proofing -{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-unsealing}} +{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} ### Secure Boot Procedure 1. Plug PureBoot smart card into air-gapped machine 1. Plug in SD card labelled "AirgapOS" -{{ #include ../../../../../../secure-boot-sequence.md:prepared}} +TODO: add steps 1. Plug in SD card labelled "Keychain" @@ -112,5 +112,5 @@ #### Sealing -{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}} +{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/provisioning-pgp-key.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/provisioning-pgp-key.md new file mode 100644 index 0000000..0daac3a --- /dev/null +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/provisioning-pgp-key.md 
@@ -0,0 +1,50 @@ +# NOT PRODUCTION READY + +# Operator - Provisioning PGP Keypair + +## Requirements + +The initial set up requires the operators to do all of these in a continuous session ensuring dual custody: + +1. procure hardware +2. gut hardware +3. set up airgap together, built from source +4. burn sd card +5. boot airgap +6. generate mnemonic 1 +7. generate pgp key +8. seed card(s) using oct +9. tamper proof the laptop +10. submit pgp signed proof to previously set up ceremonies repo + + +## Procedure + +1. Set up AirgapOS (can be done ahead of time) + - [ ] add guide + +1. Procure hardware + * Dual custody + * Remove radio cards etc. + +1. Enter the designated location with an operator and individual keys are being generated for and all required equipment + +1. Lock access to the location - there should be no inflow or outflow of people during the ceremony + +1. Boot AirgapOS from verified SD card + +1. Generate mnemonic using `keyfork` command: + + * TODO add keyfork command + +1. Derive PGP key using `keyfork` command: + + * TODO add command + +1. Use `oct` to seed smart card(s) + +#### Creation of Initial Air-gapped Bundle +- [ ] TODO there is a reference to air gapped bundle in provisioner: procure-equipment... doc + +{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} + diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md index 66dc539..39c496b 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md 
@@ -42,7 +42,7 @@ SD cards don't require special chain of custody, but ideally should be purchased * Both microSD and regular SD cards should be available - * They should be formatted to `ext4` format + * They should be formatted to `fat32` format * Usage of these SD cards: @@ -57,17 +57,17 @@ SD cards don't require special chain of custody, but ideally should be purchased ## Tamper Proofing Equipment ### Vacuum Sealer and roll -{{ #include ../../../../tamper-evidence-methods.md:vsbwf-equipment}} +{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-equipment}} ### Colored beads -{{ #include ../../../../tamper-evidence-methods.md:vsbwf-filler}} +{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-filler}} ### Digital camera -{{ #include ../../../../tamper-evidence-methods.md:digital-cameras}} +{{ #include ../../../../component-documents/tamper-evidence-methods.md:digital-cameras}} ### Polaroid camera -{{ #include ../../../../tamper-evidence-methods.md:polaroid-cameras}} +{{ #include ../../../../component-documents/tamper-evidence-methods.md:polaroid-cameras}} ## AirgapOS (SD Card) @@ -121,11 +121,11 @@ Sealable plastic bag is required for this procedure: ### Models -{{ #include ../../../../hardware-models.md:computer-models }} +{{ #include ../../hardware.md:computer-models }} ### Procedure -{{ #include ../../../../hardware-procurement-and-chain-of-custody.md:steps}} +{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}} ## Air-gapped bundle @@ -141,4 +141,4 @@ Sealable plastic bag is required for this procedure: ### Procedure -{{ #include ../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing }} +{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} 
diff --git a/quorum-key-management/src/generated-documents/level-2/hardware.md b/quorum-key-management/src/generated-documents/level-2/hardware.md new file mode 100644 index 0000000..3a8cd04 --- /dev/null +++ b/quorum-key-management/src/generated-documents/level-2/hardware.md @@ -0,0 +1,23 @@ +/* ANCHOR: all */ +# Hardware for Level 2 Threat Model + +## Computers + +* Computers for this use are are appropriate as long as they are compatible with AirgapOS. At this level, the essential aspect of hardware procurement is to ensure dual custody at all times. Outside of that any additional protections are welcome but not necessary. + +* Laptops with chargers over ports which don't allow data transfer is preferred (non USB etc.) + +// ANCHOR: computer-models + +* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99 + * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D) + +* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 + +* Purism Librem 14 + +* Nova Custom (Untested) + +// ANCHOR_END: computer-models + +/* ANCHOR_END: all */ \ No newline at end of file diff --git a/quorum-key-management/src/glossary.md b/quorum-key-management/src/glossary.md index 993c53e..eeb71fa 100644 --- a/quorum-key-management/src/glossary.md +++ b/quorum-key-management/src/glossary.md @@ -10,7 +10,7 @@ using an algorithm, called a cipher. Entropy in cryptography refers to the measure of randomness or unpredictability in data used for generating cryptographic keys and other security elements. -## Quorum Key Management (QKM) +## Quorum Key Management (QVS) A set of highly specified processes and tooling used for setting up a highly resilient quorum-based key management system. 
@@ -19,7 +19,7 @@ resilient quorum-based key management system. An individual who manages an [Operator Key](#operator-key) which is used for protecting the passphrase of a Location key and participates in different -aspects of the lifecycle management of the QKM system. +aspects of the lifecycle management of the QVS system. ## Operator Key @@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is ## Organization -An organization which owns the QKM and is responsible for funding the setup and +An organization which owns the QVS and is responsible for funding the setup and maintenance. The organization is also responsible for ensuring that the [Warehouse](#warehouse) is properly maintained in order to ensure that the ciphertext blobs associated with the system are redundantly stored and diff --git a/quorum-key-management/src/hardware.md b/quorum-key-management/src/hardware.md index 3049cb1..4ceb434 100644 --- a/quorum-key-management/src/hardware.md +++ b/quorum-key-management/src/hardware.md @@ -8,7 +8,7 @@ kind of hardware supply chain compromise, has the same vulnerability present, or has the same type of hardware failure issue. Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment -required to set up a [QKM](glossary.md#quroum-kms-QKM) will +required to set up a [QVS](glossary.md#quroum-kms-QVS) will vary. In order to figure out what equipment is required, decide on a Quorum, which is expressed as "N of M". Once you know your M, the required equipment list is the following: 
@@ -68,7 +68,7 @@ security and verifiable software ## Air-Gapped Computer [Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle -management of cryptographic material that is part of QKM. +management of cryptographic material that is part of QVS. The primary hardware recommendation for an Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html) diff --git a/quorum-key-management/src/hybrid-key-provisioning.md b/quorum-key-management/src/hybrid-key-provisioning.md index 1101a1c..7086a36 100644 --- a/quorum-key-management/src/hybrid-key-provisioning.md +++ b/quorum-key-management/src/hybrid-key-provisioning.md @@ -1,7 +1,7 @@ # Hybrid Key Provisioning This document contains instructions on how Operators collaborate to set up -QKM where the Operator Keys and Location Keys were generated before this +QVS where the Operator Keys and Location Keys were generated before this ceremony and only the PGP Public Certificates of the Location keys are brought to the ceremony which are used to shard the Root Entropy. This is useful when conducting the ceremony in a lower trust environment, and where not all diff --git a/quorum-key-management/src/local-key-provisioning.md b/quorum-key-management/src/local-key-provisioning.md index 9c531f2..b44f46e 100644 --- a/quorum-key-management/src/local-key-provisioning.md +++ b/quorum-key-management/src/local-key-provisioning.md 
@@ -1,7 +1,7 @@ # Local Key Provisioning This document contains instructions on how Operators collaborate to set up -QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards +QVS which requires an N-of-M quorum to be reconstituted. The encrypted shards which result from this ceremony are stored in separate physical [Locations](locations.md) which contain [Location Keys](glossary.md#location-key) to which shards are encrypted, and whose passphrases are protected using diff --git a/quorum-key-management/src/location-key-provisioning.md b/quorum-key-management/src/location-key-provisioning.md index 3c5ec8c..a8c7a81 100644 --- a/quorum-key-management/src/location-key-provisioning.md +++ b/quorum-key-management/src/location-key-provisioning.md @@ -3,7 +3,7 @@ ## Description This ceremony is for generating Location Keys. Location Keys are typically stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md). -Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The +Location Keys are keypairs to which the Root Entropy of a QVS is sharded. The keypairs are stored exclusively on Smart Cards, and the PINs which protect the Smart Cards are encrypted to Operator Keys. diff --git a/quorum-key-management/src/locations.md b/quorum-key-management/src/locations.md index 49cb6f6..dbf3f7f 100644 --- a/quorum-key-management/src/locations.md +++ b/quorum-key-management/src/locations.md @@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons locations simultaneously * SHOULD be facilities owned by different organizations to reduce the risk of -collusion unless the organization who owns the QKM system has their own facility such +collusion unless the organization who owns the QVS system has their own facility such as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif). ## Level 4 (SCIF) 
diff --git a/quorum-key-management/src/one-time-repository-setup.md b/quorum-key-management/src/one-time-repository-setup.md deleted file mode 100644 index 1e9b31d..0000000 --- a/quorum-key-management/src/one-time-repository-setup.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Repository Setup - -Before the one time ceremony, a git repository should be set up which contains -several items which will be relevant to the ceremony. Namely the following: - -* PGP public certificates of the Location Keys which will be used for the -ceremony. The key ids of these certificates will be verified during the -ceremony. - -* `ceremony.sh` a script which imports the PGP public certificates of the -location keys, and displays their ids so that Operators can verify that they are -the correct ones. This script will also execute the appropriate `keyfork` -command with a desired threshold: - ``` - #!/bin/sh - - read -p "Generate hardware interrupt entropy by typing randomly on keyboard" entropy - - mount - - read -p "Provide the path to PGP certificates which will be used for the ceremony: " absolute_path - - if [ ! -d "$absolute_path" ]; then - echo "Directory does not exist. Please enter a valid absolute path." - exit 1 - fi - - for file in "$absolute_path"/keys/*; do - if [ -f "$file" ]; then - echo "Processing file: $file" - gpg --import --import-options import-show $file - fi - done - - read -p "Do the PGP key IDs match what you expect? (y/n): " matches_expectation - - if [ "$matches_expectation" != "y" ]; then - echo "Ceasing ceremony as PGP key IDs don't match" - exit 1 - fi - - keyfork wizard bottoms-up --threshold 2 --output-cert "$absolute_path"/cert --output-shardfile "$absolute_path"/shardfile --user-id "QKM Ceremony" "$absolute_path"/keys - ``` - -* The `airgap.iso` which is to be used during the ceremony - -* Each operator should produce Ceremony Notes which contain: - - * `sha256sum` of `airgap.iso` - - * The AirgapOS commit and date for the version that was used - - * `sha256sum` of `ceremony.sh` - - * Key ID of each PGP Public Certificate located in `public-certificates` - in the ceremony repository \ No newline at end of file 
diff --git a/quorum-key-management/src/one-time-use-locations.md b/quorum-key-management/src/one-time-use-locations.md index 27ac42d..e1609d7 100644 --- a/quorum-key-management/src/one-time-use-locations.md +++ b/quorum-key-management/src/one-time-use-locations.md @@ -1,20 +1 @@ # Selecting Locations - -* MUST be selected at random right before the ceremony - -* MUST have physical access control to prevent inflow and outflow of personnel during ceremony - -* SHOULD NOT have electronics in it as they can be used for side channel attacks - -* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen - -## Location Examples - -* A hotel room although it is relatively common to find spying devices in them so they are not a great choice - -* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it - -* Open space with nobody around such as a forest, desert, large parking lot etc. - - -Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF. \ No newline at end of file diff --git a/quorum-key-management/src/online-machine-provisioning.md b/quorum-key-management/src/online-machine-provisioning.md index 58117c2..8523eb9 100644 --- a/quorum-key-management/src/online-machine-provisioning.md +++ b/quorum-key-management/src/online-machine-provisioning.md 
@@ -1,29 +1 @@ -# Online Machine Provisioning - -## QubesOS - -QubesOS is a preferred operating system for use in high security assurance scenarios as it uses hardware based virtualization leveraging the Xen hypervisor, which gives strong isolation guarantees. This makes it trivial to create purpose specific environments, which have minimal software footprints, as well as restricted networking in order to limit ingress and egress. - -* [Hardware Compability](https://www.qubes-os.org/hcl/) - - * It is highly preferred to use a Purism machine due to additional hardware supply chain security features such as anti-interdiction - - * Commonly used alternative makes include: ThinkPads, Framework and Dell - -* [Installation](https://www.qubes-os.org/downloads/) - - * MUST follow "verifying signatures" guide - -## "Power-Washed" Chromebook with ChromeOS - -In order to reduce surface area for attacks, we can reset a Chromebook to its factory settings, effectively wiping any malicious software that may have made its way onto the system during previous use. - -### "Power-Washing" - -1. Press and hold the Ctrl + Alt + Shift + R keys on your keyboard. - -2. Select the Restart option. - -3. A screen will appear asking you to confirm that you want to reset the device. Click Powerwash and Reset, then Continue. - - +# Online Machine diff --git a/quorum-key-management/src/portable-reusable-laptop-ceremony.md b/quorum-key-management/src/portable-reusable-laptop-ceremony.md index 1773046..66ada04 100644 --- a/quorum-key-management/src/portable-reusable-laptop-ceremony.md +++ b/quorum-key-management/src/portable-reusable-laptop-ceremony.md 
@@ -24,7 +24,7 @@ To conform to [Level 2](threat-model.md#level-2) security properties a location ### Equipment -* Laptop procured according to [Hardware Procurement](hardware-procurement-and-chain-of-custody.md) guide +* Laptop procured according to [Hardware Procurement](./component-documents/hardware-procurement-and-chain-of-custody.md) guide * Polaroid camera + pack of polaroid film - [] TODO update tamper rpoofing doc with polaroid camera models and film diff --git a/quorum-key-management/src/quorum-team.md b/quorum-key-management/src/quorum-team.md index e903fa1..3981acd 100644 --- a/quorum-key-management/src/quorum-team.md +++ b/quorum-key-management/src/quorum-team.md @@ -1,7 +1,7 @@ # Quorum Team The Quorum Team is a team of individuals who are selected to perform different -roles related to a QKM. Some of the Quorum Team members have ongoing roles, +roles related to a QVS. Some of the Quorum Team members have ongoing roles, while others may participate in a partial manner. Depending on the type of actions performed, some or all of the members of the @@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to risk appetite. ## Witness -Witnesses are individuals who are familiar with the QKM specification, and can +Witnesses are individuals who are familiar with the QVS specification, and can ensure that the different aspects of the system are set up correctly, and processes carried out as they should be. The main objective of the witnesses is to monitor and attest that processes such as the ceremonies are done according diff --git a/quorum-key-management/src/selecting-quorum.md b/quorum-key-management/src/selecting-quorum.md index 970208d..7b02838 100644 --- a/quorum-key-management/src/selecting-quorum.md +++ b/quorum-key-management/src/selecting-quorum.md 
@@ -1,6 +1,6 @@ # Selecting a Quorum -The backbone of QKM is a Quorum which is used to reconstitute or re-assemble +The backbone of QVS is a Quorum which is used to reconstitute or re-assemble cryptographic material, and approve actions. Quorum is a general term referring to a system which requires the collaboration of multiple individuals in order to achieve something, and it is based on a Threshold which determines how many diff --git a/quorum-key-management/src/setting-smart-card-pins.md b/quorum-key-management/src/setting-smart-card-pins.md index 1808d96..6733dd7 100644 --- a/quorum-key-management/src/setting-smart-card-pins.md +++ b/quorum-key-management/src/setting-smart-card-pins.md 
@@ -1,42 +1 @@ -# Setting Smart Card Pins - -In order to protect unauthorized use of smart cards, PINs are leveraged. - -There are two pins with different levels of authorization for making changes -to the smart card: - -* User PIN - -* Admin PIN - -Both PINs support alphanumeric characters and typically need to be at least 6 -characters long. - -For Operator Keys it is recommended to use the default PINs, while for Location -Keys, PINs are generated by the `keyfork` utility and have high entropy. - -**WARNING** Different smart cards have different failure thresholds, but typically after -entering the PIN incorrectly 3-10 times, the smart card is permanently locked -and can no longer be used. - -## Guide - -To set the smart card pins you may use the `gpg` utility. This guide should be -completed in a trusted environment, such as on a airgapped machine running -AirgapOS. - -1. Plug the smart card into a computer which has the `gpg` utility intalled -2. Use the command `gpg --edit-card` to enter edit mode -3. gpg/card> - * Input `admin`, press Enter -4. Your selection? - * Input 1, press Enter -5. Please enter the PIN: - * Enter old PIN (default is 123456), press Enter -6. New PIN: - * Enter the new PIN, press Enter -7. Repeat this PIN: - * Enter the new PIN, press Enter - -8. For the Admin PIN, the steps are the same, except in step 4, input "3", then -press Enter. +# Change Smart Card PINs diff --git a/quorum-key-management/src/software.md b/quorum-key-management/src/software.md index 5913d4c..921204d 100644 --- a/quorum-key-management/src/software.md +++ b/quorum-key-management/src/software.md @@ -1,5 +1,5 @@ # Software -This page outlines the software used for setting up QKM. +This page outlines the software used for setting up QVS. ## [[Stageˣ]](https://codeberg.org/stagex/stagex) 
@@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032 seed, which is used for hierarchical deterministic key derivation. This software is the backbone for all cryptographic actions performed as part -of QKM. It was developed by [Distrust](https://distrust.co) and is included +of QVS. It was developed by [Distrust](https://distrust.co) and is included with AirgapOS and has been audited by two firms, NCC and Cure53 with no significant vulnerabilities found. diff --git a/quorum-key-management/src/threat-model.md b/quorum-key-management/src/threat-model.md index c54206d..962c6e0 100644 --- a/quorum-key-management/src/threat-model.md +++ b/quorum-key-management/src/threat-model.md @@ -242,7 +242,7 @@ This level focuses on defending against insider threats. * SHOULD be stored in a neutral location only the primary and backup shard holder can access -* Done in person on air-gapped laptop that has been in [dual witnessed custody](hardware-procurement-and-chain-of-custody.md) since procurement +* Done in person on air-gapped laptop that has been in [dual witnessed custody](./component-documents/hardware-procurement-and-chain-of-custody.md) since procurement * Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc)
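Review bot: the `ext4` to `fat32` switch in the SD card bullet (procure-equipment-and-location.md, hunk @@ -42) changes the filesystem without recording why. FAT32 stores no ownership or permission metadata and limits single files to just under 4 GiB, so if the motivation is firmware or boot compatibility for the AirgapOS card, state it in the bullet so a later editor does not revert it, and confirm nothing written to these cards relies on POSIX permissions.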
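Review bot: the new generated-documents/level-2/hardware.md mixes `/* ANCHOR: all */` with `// ANCHOR: computer-models`; neither is a comment in Markdown, so if this file is ever rendered as its own chapter both marker lines show up as literal text. Pick one marker style throughout (an HTML comment such as `<!-- ANCHOR: all -->` keeps the `ANCHOR:` token the include looks for while staying invisible in rendered output). The first bullet also needs a fix for "are are appropriate", and "chargers over ports which don't allow data transfer is preferred" should read "are preferred".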
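Review bot: the heading rename to `## Quorum Key Management (QVS)` (glossary.md, hunk @@ -10) leaves an acronym that no longer expands from the term next to it; either rename the term as well or spell out what QVS stands for in the definition. Renaming the heading also changes its generated anchor, so every `glossary.md#...` link to this entry has to be updated in the same change.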
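Review bot: the link `[QVS](glossary.md#quroum-kms-QVS)` (hardware.md, hunk @@ -8) keeps the misspelled `quroum` and points at an anchor that does not exist for the `## Quorum Key Management (QVS)` heading; mdBook derives the anchor from the heading text, so this would normally be `glossary.md#quorum-key-management-qvs`. Worth grepping for any other `#quroum-kms` links while the rename is in progress.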
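Review bot: deleting one-time-repository-setup.md removes the only copy of `ceremony.sh` and the Ceremony Notes checklist (sha256sum of `airgap.iso`, the AirgapOS commit and date, sha256sum of `ceremony.sh`, key IDs of the certificates), and the file list in this patch shows no replacement; the commit message "major refactor" does not say whether they are superseded. If the script now lives elsewhere, link to it from the key provisioning pages; if the content is intentionally dropped, say so in the commit message. Wherever the script ends up, `$file` in the `gpg --import --import-options import-show $file` line should be quoted.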
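Review bot: one-time-use-locations.md is cut down to the bare `# Selecting Locations` heading, and the MUST/SHOULD requirements it carried (random selection right before the ceremony, physical access control, no electronics, no windows) and the location examples have no replacement in this patch's file list. If the page stays in SUMMARY.md, restore the requirements or include them from the component document they moved to; otherwise remove the stub so readers do not land on an empty chapter.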
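Review bot: online-machine-provisioning.md is left as a one-line stub titled `# Online Machine` while the diffstat shows the content moved to component-documents/online-machine-provisioning.md. If the top-level page is kept, give it a `{{ #include component-documents/online-machine-provisioning.md }}` (or whichever anchor the moved file exposes) so the chapter is not empty, and restore the full title "Online Machine Provisioning" to match the other chapter headings.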
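Review bot: setting-smart-card-pins.md is reduced to `# Change Smart Card PINs` with the content moved to component-documents/setting-smart-card-pins.md per the diffstat; either include the component document here or drop the chapter from SUMMARY.md. The removed text carried the warning that 3-10 incorrect PIN entries permanently lock the card and the note that Location Key PINs are generated by `keyfork`; confirm both survive in the moved copy, and fix "intalled" there if it was carried over.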