From 593002160a95f2dc90249939bc17017406a0c4b5 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Tue, 6 May 2025 09:25:56 -0700 Subject: [PATCH] feat: clean up Level 1 --- trove/src/component-documents/airgapos.md | 14 +++++++++++ .../src/component-documents/openpgp-setup.md | 13 ++++++++++- .../component-documents/vaults-repository.md | 6 +++-- .../level-1/create-vaults-repository.md | 8 +++++++ .../level-1/provision-entropy-and-pgp.md | 7 ++++++ .../level-1/provision-laptop.md | 23 ++----------------- .../provisioner/create-vaults-repository.md | 1 + .../provision-ceremonies-repository.md | 3 --- trove/src/hardware.md | 3 ++- 9 files changed, 50 insertions(+), 28 deletions(-) delete mode 100644 trove/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md diff --git a/trove/src/component-documents/airgapos.md b/trove/src/component-documents/airgapos.md index ed94c52..2b2aa69 100644 --- a/trove/src/component-documents/airgapos.md +++ b/trove/src/component-documents/airgapos.md @@ -24,6 +24,10 @@ 1. {{ #include finding-device-name.md:content }} +1. Hash the .iso file and make note of it (it will be required later) + + * `sha256sum out/airgap.iso` + 1. Flash `airgap.iso` to an SD Card: * `dd if=out/airgap.iso of=/dev/ bs=4M conv=fsync` @@ -48,6 +52,16 @@ * `echo "42" | dd of=/dev/` +1. Verify the contents on the SD card match the recorded hash + + * Build AirgapOS once more according to the [readme](https://git.distrust.co/public/airgap) in the repository. + + * Ensure it's the same version as in the previous step + + * `head -c $(stat -c '%s' out/airgap.iso) /dev/ | sha256sum` + + * Additionally, the user can refer to the [StageX](https://codeberg.org/stagex/stagex) hashes of AirgapOS for a given version + {{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing }} // ANCHOR_END: procedure /* ANCHOR_END: all */ diff --git a/trove/src/component-documents/openpgp-setup.md b/trove/src/component-documents/openpgp-setup.md index d543f75..b023538 100644 --- a/trove/src/component-documents/openpgp-setup.md +++ b/trove/src/component-documents/openpgp-setup.md @@ -19,7 +19,7 @@ $ export KEYFORK_OPENPGP_EXPIRE=2y ``` -1. Generate a mnemonic, encrypting to a newly-generated key: +1. Generate a mnemonic, and shard (encrypt) it to the newly-generated key: Ensure the User ID is your name and your email. @@ -33,6 +33,17 @@ Note: The PIN can't use sequential numbers, characters or repeated patterns. + --- + + Alternatively, if the user wants to see the mnemonic, and encrypt it in a + different manner, the `--encrypt-to-self encrypted.asc` portion of the + command can be ommited and the command piped into a file by appending + `> mnemonic.txt` to the end of the command. + + ``` + $ keyfork mnemonic generate --provision openpgp-card --derive='openpgp --public "Your Name "' > mnemonic.txt + ``` + // ANCHOR_END: steps-keyfork ## Generating Keys on Smartcard diff --git a/trove/src/component-documents/vaults-repository.md b/trove/src/component-documents/vaults-repository.md index 6816c5f..f311c99 100644 --- a/trove/src/component-documents/vaults-repository.md +++ b/trove/src/component-documents/vaults-repository.md @@ -1,7 +1,7 @@ /* ANCHOR: all */ # Vaults Repository -// ANCHOR: content +// ANCHOR: data This repository holds data pertaining to vaults. The primary data consists of: * Operation proposals @@ -18,8 +18,10 @@ This repository holds data pertaining to vaults. The primary data consists of: * Policies (such as spending rules) -* Ceremony logs +* Ceremony logs +// ANCHOR_END: data +// ANCHOR: content ## Directives * MUST be a private repository diff --git a/trove/src/generated-documents/level-1/create-vaults-repository.md b/trove/src/generated-documents/level-1/create-vaults-repository.md index e8270a7..8b816c7 100644 --- a/trove/src/generated-documents/level-1/create-vaults-repository.md +++ b/trove/src/generated-documents/level-1/create-vaults-repository.md @@ -1,3 +1,11 @@ # Provision Trove Git Repository +This repository is meant for storing data pertaining to vaults. The primary data consists of: + +* Shardfiles + +* Blockchain metadata (addresses, nonces etc.) + +* Ceremony logs + {{ #include ../../component-documents/vaults-repository.md:content }} diff --git a/trove/src/generated-documents/level-1/provision-entropy-and-pgp.md b/trove/src/generated-documents/level-1/provision-entropy-and-pgp.md index 6e00516..ab3b112 100644 --- a/trove/src/generated-documents/level-1/provision-entropy-and-pgp.md +++ b/trove/src/generated-documents/level-1/provision-entropy-and-pgp.md @@ -24,5 +24,12 @@ This step does two things: {{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}} +1. Plug in fresh SD card and save data you wish to store (encrypted.asc, +.asc, mnenmonic.txt.asc, mnemonic.txt etc.) + + * WARNING: If you store your mnemonic in plaintext, if someone gains access + to it, your Trove system will be fully compromised. + 1. Power down AirgapOS Laptop + diff --git a/trove/src/generated-documents/level-1/provision-laptop.md b/trove/src/generated-documents/level-1/provision-laptop.md index 542a59b..0f0bde6 100644 --- a/trove/src/generated-documents/level-1/provision-laptop.md +++ b/trove/src/generated-documents/level-1/provision-laptop.md @@ -4,28 +4,9 @@ If performing multiple provisioning steps, you may skip the tamper proofing step as long as you retain continued supervision of the hardware. 1. If tamper proofed, unseal tamper proofed equipment - -
- Vacuum sealing based tamper proofing - {{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }} -
- -
- Safe based tamper proofing - {{ #include ../../component-documents/tamper-evidence-methods.md:safe-unsealing }} -
+{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }} 1. Remove all radio cards, storage drive, speakers, and microphone using standard industry laptop repair tactics 1. Re-apply tamper proofing - -
- Vacuum sealing based tamper proofing - {{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} -
- -
- Safe based tamper proofing - {{ #include ../../component-documents/tamper-evidence-methods.md:safe-sealing }} -
- +{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }} diff --git a/trove/src/generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md b/trove/src/generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md index cb555d9..8d41697 100644 --- a/trove/src/generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md +++ b/trove/src/generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md @@ -1,3 +1,4 @@ # Provision Trove Git Repository +{{ #include ../../../../component-documents/vaults-repository.md:data }} {{ #include ../../../../component-documents/vaults-repository.md:content }} diff --git a/trove/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md b/trove/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md deleted file mode 100644 index 4d5f1e9..0000000 --- a/trove/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md +++ /dev/null @@ -1,3 +0,0 @@ -# Provision Ceremony Repository - -{{ #include ../../../../component-documents/vaults-repository.md:content }} diff --git a/trove/src/hardware.md b/trove/src/hardware.md index 773496c..22de559 100644 --- a/trove/src/hardware.md +++ b/trove/src/hardware.md @@ -65,7 +65,8 @@ To achieve the best level of randomness and difficulty of reproducing the arrang ### Safes // ANCHOR:safes -Select an appropriate safe, ideally with a high TL rating. +Select an appropriate safe, ideally with a high TL rating and a highest tamper +evident lock your budget supports (e.g FF-L-2740b). | Rating | Time (Minutes) | Tested Against | Tested Sides | |---------------|----------------|---------------------|--------------|