From 536eae449315c9b1b086bd8aa1fbf20527dd84e5 Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Wed, 29 Jan 2025 05:38:31 -0500
Subject: [PATCH 1/4] add instructions for generating encryption keys

---
 .../fixed-location/operator/namespace-entropy-ceremony.md   | 6 +++++-
 .../fixed-location/operator/quorum-entropy-ceremony.md      | 4 +++-
 .../generated-documents/level-2/operator-requirements.md    | 1 -
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
index 7782035..13e02da 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
@@ -32,7 +32,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
 
-	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>`
+    * Replace the values: <path_to_input_shard>, <output_shardfile>, <output_pgp_cert_path>, <pgp_cert_id>
+
+	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile> --output-cert <output_pgp_cert_path> --user-id <pgp_cert_id>`
 
 1. Unseal an SD card pack
 
@@ -46,6 +48,8 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
     1. `cp <shard_file_name> /media/<media_name>`
 
+    1. `cp <output_pgp_cert_path> /media/cert.asc`
+
     1. Each backup should be placed into High Visibility Storage after it's made
 
 <!--
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
index caa3ba0..c746de1 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
@@ -32,7 +32,9 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 1. Run the relevant keyfork wizard to perform the ceremony:
 
-	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc`
+    * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <output_pgp_cert_path>, <pgp_cert_id>
+
+	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc --output-cert <output_pgp_cert_path> --user-id <pgp_cert_id>` 
 
 1. Unseal an SD card pack
 
diff --git a/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md b/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md
index 36685cb..d07693d 100644
--- a/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md
+++ b/quorum-vault-system/src/generated-documents/level-2/operator-requirements.md
@@ -4,7 +4,6 @@
 ## For Quorum Based Operations
 // ANCHOR: requirements
 
-
 * [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
 
 * Minimum of 2 [Operators](/system-roles.md#operator)

From 807e300d152a239f5065f5617da15c6518f9805b Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Wed, 29 Jan 2025 05:46:30 -0500
Subject: [PATCH 2/4] adjust pgp generate and back up names

---
 .../operator/namespace-entropy-ceremony.md           | 12 +++++++-----
 .../operator/quorum-entropy-ceremony.md              | 12 ++++++++----
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
index 13e02da..d1d99ae 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
@@ -32,9 +32,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
 
-    * Replace the values: <path_to_input_shard>, <output_shardfile>, <output_pgp_cert_path>, <pgp_cert_id>
+    * Replace the values: <path_to_input_shard>, <pgp_cert_id>
 
-	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile> --output-cert <output_pgp_cert_path> --user-id <pgp_cert_id>`
+	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=output_shardfile.asc --output-cert root_pgp_cert.asc --user-id <pgp_cert_id>`
 
 1. Unseal an SD card pack
 
@@ -42,13 +42,15 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Place all unsealed SD cards into High Visibility Storage
 
-1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
+1. Back up the `output_shardfile.asc` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
 
     1. `lsblk` to find media name
 
-    1. `cp <shard_file_name> /media/<media_name>`
+    1. Back up the output shardfile: 
+        * `cp output_shardfile.asc /media/<media_name>/output_shardfile.asc`
 
-    1. `cp <output_pgp_cert_path> /media/cert.asc`
+    1. Back up the root PGP certificate:
+        * `cp root_pgp_cert.asc /media/root_pgp_cert.asc`
 
     1. Each backup should be placed into High Visibility Storage after it's made
 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
index c746de1..9d09950 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
@@ -32,9 +32,9 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 1. Run the relevant keyfork wizard to perform the ceremony:
 
-    * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <output_pgp_cert_path>, <pgp_cert_id>
+    * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
 
-	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc --output-cert <output_pgp_cert_path> --user-id <pgp_cert_id>` 
+	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc --output-cert root_pgp_cert.asc --user-id <pgp_cert_id>` 
 
 1. Unseal an SD card pack
 
@@ -46,13 +46,17 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     1. Find media name using `lsblk`
 
+    1. Back up the root OpenPGP certificate
+
+        * `cp root_pgp_cert.asc /media/<media_name>/root_pgp_cert.asc`
+
     1. Back up the `shardfile.asc`     
 
-        * `cp shardfile.asc /media/<media_name>` 
+        * `cp shardfile.asc /media/<media_name>/shardfile.asc` 
 
     1. Back up the `keyring.asc`
 
-        * `cp keyring.asc /media/<media_name>`
+        * `cp keyring.asc /media/<media_name>/keyring.asc`
 
 <!--
     1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:

From ed5a18a4f5448253ce3b6764a9769b13d909de33 Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Wed, 29 Jan 2025 05:52:21 -0500
Subject: [PATCH 3/4] fix cp paths

---
 .../fixed-location/operator/namespace-entropy-ceremony.md   | 4 ++--
 .../fixed-location/operator/quorum-entropy-ceremony.md      | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
index d1d99ae..9cdbadb 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
@@ -47,10 +47,10 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
     1. `lsblk` to find media name
 
     1. Back up the output shardfile: 
-        * `cp output_shardfile.asc /media/<media_name>/output_shardfile.asc`
+        * `cp output_shardfile.asc /media/<media_name>/`
 
     1. Back up the root PGP certificate:
-        * `cp root_pgp_cert.asc /media/root_pgp_cert.asc`
+        * `cp root_pgp_cert.asc /media/<media_name>/`
 
     1. Each backup should be placed into High Visibility Storage after it's made
 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
index 9d09950..d8828b0 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
@@ -48,15 +48,15 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     1. Back up the root OpenPGP certificate
 
-        * `cp root_pgp_cert.asc /media/<media_name>/root_pgp_cert.asc`
+        * `cp root_pgp_cert.asc /media/<media_name>/`
 
     1. Back up the `shardfile.asc`     
 
-        * `cp shardfile.asc /media/<media_name>/shardfile.asc` 
+        * `cp shardfile.asc /media/<media_name>/` 
 
     1. Back up the `keyring.asc`
 
-        * `cp keyring.asc /media/<media_name>/keyring.asc`
+        * `cp keyring.asc /media/<media_name>/`
 
 <!--
     1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:

From de872d6f7a9b5dfbd548dc2a2fe68f0c719d0589 Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Thu, 30 Jan 2025 00:57:06 -0500
Subject: [PATCH 4/4] update keyfork commands for namespace and quorum entropy
 gen docs

---
 .../operator/namespace-entropy-ceremony.md    | 21 ++++++++++---------
 .../operator/quorum-entropy-ceremony.md       | 14 ++++++-------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
index 9cdbadb..bd2e3bf 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
@@ -34,7 +34,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
     * Replace the values: <path_to_input_shard>, <pgp_cert_id>
 
-	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=output_shardfile.asc --output-cert root_pgp_cert.asc --user-id <pgp_cert_id>`
+	* `keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid=<user_id>` TODO: NOT IMPLEMENTED
 
 1. Unseal an SD card pack
 
@@ -42,27 +42,27 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Place all unsealed SD cards into High Visibility Storage
 
-1. Back up the `output_shardfile.asc` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
+1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
 
     1. `lsblk` to find media name
 
     1. Back up the output shardfile: 
-        * `cp output_shardfile.asc /media/<media_name>/`
+        * `cp shardfile.new.asc /media/<media_name>/`
+
+    1. Back up the new keyring file:
+
+        * `cp keyring.new.asc /media/<media_name>/`
 
     1. Back up the root PGP certificate:
         * `cp root_pgp_cert.asc /media/<media_name>/`
 
     1. Each backup should be placed into High Visibility Storage after it's made
 
-<!--
-1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
+    1. Unplug the SD card and place it in High Visibility Storage
 
-    * `keyfork recover shard --daemon /media/external/<shard_file_name>`
--->
+    1. Label the SD card "Shardfile [date] [namespace]"
 
-1. Unplug the SD card and place it in High Visibility Storage
-
-1. Label the SD card "Shardfile \[date\] \[namespace\]"
+1. Upload the newly generated artifacts into the ceremonies repository
 
 1. Gather all the original items that were in the air-gapped bundle:
 
@@ -71,3 +71,4 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
     * AirgapOS SD card
 
 {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
+
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
index d8828b0..889c66f 100644
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
@@ -34,7 +34,9 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
 
-	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc --output-cert root_pgp_cert.asc --user-id <pgp_cert_id>` 
+
+    * `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>` TODO: NOT IMPLEMENTED
+
 
 1. Unseal an SD card pack
 
@@ -48,7 +50,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     1. Back up the root OpenPGP certificate
 
-        * `cp root_pgp_cert.asc /media/<media_name>/`
+        * `cp encryption_cert.asc /media/<media_name>/`
 
     1. Back up the `shardfile.asc`     
 
@@ -58,16 +60,12 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
         * `cp keyring.asc /media/<media_name>/`
 
-<!--
-    1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
-
-        * `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh`
--->
-
     1. Unplug the SD card and place it in High Visibility Storage
 
     1. Label the SD card "Shardfile [date]"
 
+1. Upload the newly generated artifacts into the ceremonies repository
+
 1. Gather all the original items that were in the air-gapped bundle:
 
     * Air-gapped computer