public
/
docs
5
0
Fork 0
Code Issues 8 Pull Requests 1 Packages Projects Releases Wiki Activity

Merge branch 'feat/encryption-key-generation'

This commit is contained in:
Anton Livaja 2025-01-31 00:23:30 -05:00
parent 5191fe4e58 de872d6f7a
commit 759cd4339f
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
3 changed files with 30 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
View File

@ -32,7 +32,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>` * Replace the values: <path_to_input_shard>, <pgp_cert_id>
* `keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid=<user_id>` TODO: NOT IMPLEMENTED
1. Unseal an SD card pack 1. Unseal an SD card pack
@ -40,23 +42,27 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Place all unsealed SD cards into High Visibility Storage 1. Place all unsealed SD cards into High Visibility Storage
1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]" 1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
1. `lsblk` to find media name 1. `lsblk` to find media name
1. `cp <shard_file_name> /media/<media_name>` 1. Back up the output shardfile:
* `cp shardfile.new.asc /media/<media_name>/`
1. Back up the new keyring file:
* `cp keyring.new.asc /media/<media_name>/`
1. Back up the root PGP certificate:
* `cp root_pgp_cert.asc /media/<media_name>/`
1. Each backup should be placed into High Visibility Storage after it's made 1. Each backup should be placed into High Visibility Storage after it's made
<!-- 1. Unplug the SD card and place it in High Visibility Storage
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `keyfork recover shard --daemon /media/external/<shard_file_name>` 1. Label the SD card "Shardfile [date] [namespace]"
-->
1. Unplug the SD card and place it in High Visibility Storage 1. Upload the newly generated artifacts into the ceremonies repository
1. Label the SD card "Shardfile \[date\] \[namespace\]"
1. Gather all the original items that were in the air-gapped bundle: 1. Gather all the original items that were in the air-gapped bundle:
@ -65,3 +71,4 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
* AirgapOS SD card * AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

22
quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
View File

@ -32,7 +32,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Run the relevant keyfork wizard to perform the ceremony: 1. Run the relevant keyfork wizard to perform the ceremony:
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc` * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>` TODO: NOT IMPLEMENTED
1. Unseal an SD card pack 1. Unseal an SD card pack
@ -44,24 +48,24 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Find media name using `lsblk` 1. Find media name using `lsblk`
1. Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/<media_name>/`
1. Back up the `shardfile.asc` 1. Back up the `shardfile.asc`
* `cp shardfile.asc /media/<media_name>` * `cp shardfile.asc /media/<media_name>/`
1. Back up the `keyring.asc` 1. Back up the `keyring.asc`
* `cp keyring.asc /media/<media_name>` * `cp keyring.asc /media/<media_name>/`
<!--
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh`
-->
1. Unplug the SD card and place it in High Visibility Storage 1. Unplug the SD card and place it in High Visibility Storage
1. Label the SD card "Shardfile [date]" 1. Label the SD card "Shardfile [date]"
1. Upload the newly generated artifacts into the ceremonies repository
1. Gather all the original items that were in the air-gapped bundle: 1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer * Air-gapped computer

1
quorum-vault-system/src/generated-documents/level-2/operator-requirements.md
View File

@ -4,7 +4,6 @@
## For Quorum Based Operations ## For Quorum Based Operations
// ANCHOR: requirements // ANCHOR: requirements
* [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md) * [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
* Minimum of 2 [Operators](/system-roles.md#operator) * Minimum of 2 [Operators](/system-roles.md#operator)