fix links
This commit is contained in:
parent
b1d4682001
commit
8ce53c2b7b
|
@ -3,7 +3,7 @@
|
||||||
* [Threat Model](threat-model.md)
|
* [Threat Model](threat-model.md)
|
||||||
* [Selecting a Quorum](selecting-quorum.md)
|
* [Selecting a Quorum](selecting-quorum.md)
|
||||||
* [Software](software.md)
|
* [Software](software.md)
|
||||||
* [Hardware](provisioning-hardware-and-firmware.md)
|
* [Hardware](hardware.md)
|
||||||
* [Glossary](glossary.md)
|
* [Glossary](glossary.md)
|
||||||
|
|
||||||
* [Preparations]()
|
* [Preparations]()
|
||||||
|
|
|
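Review bot: `* [Preparations]()` in the unchanged context of this hunk still has an empty link target, which is the same class of broken link this "fix links" commit is addressing; either point it at the preparations page or drop the link syntax and leave plain text. The `[Hardware](provisioning-hardware-and-firmware.md)` to `[Hardware](hardware.md)` retarget itself is consistent with the title change made to that file in this commit.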
@ -75,7 +75,7 @@ carefully planned, and executed accordingly.
|
||||||
|
|
||||||
## Location Key
|
## Location Key
|
||||||
Is a asymmetric key pair which is used for encrypting shards which are used to
|
Is a asymmetric key pair which is used for encrypting shards which are used to
|
||||||
re-assemble the Root Entropy. Location Keys are stored in [Locations](location.md)
|
re-assemble the Root Entropy. Location Keys are stored in [Locations](locations.md)
|
||||||
which adhere to a strict set of criteria to maximize their security. The location
|
which adhere to a strict set of criteria to maximize their security. The location
|
||||||
smart card passphrase is encrypted to a Operator Key in order to secure access
|
smart card passphrase is encrypted to a Operator Key in order to secure access
|
||||||
to it.
|
to it.
|
||||||
|
|
|
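Review bot: while the `[Locations](location.md)` line is being touched, the surrounding glossary text has two article errors worth fixing in the same pass: "Is a asymmetric key pair" should read "an asymmetric key pair", and "encrypted to a Operator Key" should read "an Operator Key". The retarget to `locations.md` matches the other `location.md` fixes in this commit.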
@ -1,86 +0,0 @@
|
||||||
# Equipment
|
|
||||||
|
|
||||||
This page describes different equipment which is required, and makes opinionated
|
|
||||||
recommendations as well as alternatives. One may improve the overall security
|
|
||||||
of their system by using a variety of hardware in order to benefit from their
|
|
||||||
diversity, by reducing the likelihood that all hardware has suffered the same
|
|
||||||
kind of hardware supply chain compromise, has the same vulnerability present, or
|
|
||||||
has the same type of hardware failure issue.
|
|
||||||
|
|
||||||
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
|
|
||||||
required to set up a [QKMS](glossary.md#quorum-key-management-system-qkms) will
|
|
||||||
vary. In order to figure out what equipment is required, decide on a Quorum,
|
|
||||||
which is expressed as "N of M". Once you know your M, the required equipment list
|
|
||||||
is the following:
|
|
||||||
|
|
||||||
* M x 4 Smart Cards
|
|
||||||
|
|
||||||
* It is recommended to use two Smart Cards for storing each key pair
|
|
||||||
|
|
||||||
* Ideally two different types of hardware are used in order to reduce the
|
|
||||||
risk of simultaneous failure
|
|
||||||
|
|
||||||
* At least 1 Smart Card is required for each Operator Key and 1 Smart Card
|
|
||||||
for each Location Key
|
|
||||||
|
|
||||||
* The number of Operator Keys is M, and the number of Location Keys is also
|
|
||||||
M, hence the minimum of 2 x M Smart Cards, with the recommendation of using
|
|
||||||
two smart cards for each, resulting in 4 x M Smart Cards
|
|
||||||
|
|
||||||
* 2 + X Storage Devices
|
|
||||||
|
|
||||||
* 1 Storage Device for [AirgapOS](repeat-use-airgapos.md)
|
|
||||||
|
|
||||||
* 1 Storage Device for storing [Public Ceremony Artifacts](public-ceremony-artifact-storage)
|
|
||||||
|
|
||||||
* X, or *any* number of additional Storage Devices to duplicate the data, a
|
|
||||||
good measure would be to have at least 3 Storage Devices for the ceremony
|
|
||||||
|
|
||||||
* Librem 14 Laptop
|
|
||||||
|
|
||||||
* Get as many laptops as desired to satisfy your operational needs
|
|
||||||
|
|
||||||
* For each Librem 14, get a Librem Smart Card used for [PureBoot](initialize-pureboot-smart-card.md)
|
|
||||||
|
|
||||||
## Smart Cards
|
|
||||||
Smart Cards are primarily used for storing OpenPGP cryptographic keys which are
|
|
||||||
used as a building block for security controls. These smart cards hold OpenPGP
|
|
||||||
keys which are derived in secure environments. FIPS 140-2 is required but the
|
|
||||||
end user may choose their manufacturer.
|
|
||||||
|
|
||||||
* NitroKey 3 - because of its open source approach which helps improve the
|
|
||||||
overall security of the products
|
|
||||||
* YubiKey 5 - because of the widespread use and battle-tested reliability
|
|
||||||
* Librem Key - because of the manufacturer's approach to hardware supply chain
|
|
||||||
security and verifiable software
|
|
||||||
|
|
||||||
## Air-Gapped Computer
|
|
||||||
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle management
|
|
||||||
of cryptographic material that is part of the QKMS.
|
|
||||||
|
|
||||||
The primary hardware recommendation for a Air-Gapped Cmputer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
|
|
||||||
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
|
|
||||||
and as such is an excellent choice for hardware which high integrity assurance is
|
|
||||||
required for.
|
|
||||||
|
|
||||||
#### Alternative
|
|
||||||
|
|
||||||
An alternative approach is to use an off-the-shelf computer that is randomly
|
|
||||||
selected right before the ceremony, removing the radio cards from it, using it
|
|
||||||
to conduct a Ceremony, and then destroying the laptop using sufficiently
|
|
||||||
adequate method to ensure that no data forensics can be used to recover the data
|
|
||||||
from the drive, or memory. This can be achieved by using a combination of
|
|
||||||
incineration, degaussing, shredding and drilling. Special care should be taken
|
|
||||||
to completely destroy all components of the computer that are able to store data,
|
|
||||||
even if it's only in ephemeral form as some forensic methods all extraction of
|
|
||||||
data from components with "temporary memory".
|
|
||||||
|
|
||||||
Three letter agencies are known to collect and exploit physical destroyed drives,
|
|
||||||
as data can still be extracted from them using methods such as electron
|
|
||||||
microscopy, therefore a combination of degaussing, shredding and burning should
|
|
||||||
be used, and the remaining debris should be spread out across multiple disposal
|
|
||||||
locations.
|
|
||||||
|
|
||||||
## Storage Device
|
|
||||||
Can be an SD Card or USB Drive but should be procured from a vendor with
|
|
||||||
a good reputation, and ideally hardware of industrial grade should be prioritized.
|
|
|
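Review bot: removing `equipment.md` wholesale needs a check that nothing else still links to it; this commit retargets one `equipment.md#storage-device` reference to `hardware.md#storage-device`, but the commit message does not say a repository-wide search was done for other `equipment.md` links. The deleted content appears to be the same text as the page now titled `# Hardware` (same opening paragraph, same `## Smart Cards` and `## Storage Device` headings), so the `#smart-cards` and `#storage-device` anchors should keep resolving there, but that is worth confirming rather than assuming.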
@ -1,4 +1,4 @@
|
||||||
# Provisioning Hardware and Firmware
|
# Hardware
|
||||||
|
|
||||||
This page describes different equipment which is required, and makes opinionated
|
This page describes different equipment which is required, and makes opinionated
|
||||||
recommendations as well as alternatives. One may improve the overall security
|
recommendations as well as alternatives. One may improve the overall security
|
||||||
|
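Review bot: the title change from `# Provisioning Hardware and Firmware` to `# Hardware` does not affect the `#smart-cards` and `#storage-device` anchors used elsewhere in this commit, since those are derived from section headings rather than the page title; worth noting in the commit message, though, that the page is now the single source for equipment guidance given `equipment.md` is deleted in the same commit.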
@ -31,7 +31,7 @@ is the following:
|
||||||
|
|
||||||
* 1 Storage Device for [AirgapOS](repeat-use-airgapos.md)
|
* 1 Storage Device for [AirgapOS](repeat-use-airgapos.md)
|
||||||
|
|
||||||
* 1 Storage Device for storing [Public Ceremony Artifacts](public-ceremony-artifact-storage)
|
* 1 Storage Device for storing [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
|
||||||
|
|
||||||
* X, or *any* number of additional Storage Devices to duplicate the data, a
|
* X, or *any* number of additional Storage Devices to duplicate the data, a
|
||||||
good measure would be to have at least 3 Storage Devices for the ceremony
|
good measure would be to have at least 3 Storage Devices for the ceremony
|
|
@ -3,23 +3,23 @@
|
||||||
This document contains instructions on how Operators collaborate to set up
|
This document contains instructions on how Operators collaborate to set up
|
||||||
QKMS which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
QKMS which requires an N-of-M quorum to be reconstituted. The encrypted shards
|
||||||
which result from this ceremony are stored in separate physical
|
which result from this ceremony are stored in separate physical
|
||||||
[Locations](location.md) which contain [Location Keys](glossary.md#location-key)
|
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
|
||||||
to which shards are encrypted, and whose passphrases are protected using
|
to which shards are encrypted, and whose passphrases are protected using
|
||||||
[Operator Keys](glossary#operator-key).
|
[Operator Keys](glossary#operator-key).
|
||||||
|
|
||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
||||||
* [Smart Card](hardware-procurement.md#smart-cards): whatever number of smart
|
* [Smart Card](hardware.md#smart-cards): whatever number of smart
|
||||||
cards you would like to have seeded for each Operator, usually 2 per Operator is
|
cards you would like to have seeded for each Operator, usually 2 per Operator is
|
||||||
recommended - one NitroKey 3 and 1 YubiKey Series 5.
|
recommended - one NitroKey 3 and 1 YubiKey Series 5.
|
||||||
|
|
||||||
* [Storage Devices](hardware-procurement.md#storage-device): as many storage
|
* [Storage Devices](hardware.md#storage-device): as many storage
|
||||||
devices as you would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
|
devices as you would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
|
||||||
|
|
||||||
* Storage Device loaded with
|
* Storage Device loaded with
|
||||||
* [airgap.iso](repeat-use-airgapos.md)
|
* [airgap.iso](repeat-use-airgapos.md)
|
||||||
* [airgap.iso.asc](airgap-setup.md)
|
* [airgap.iso.asc](repeat-use-airgapos.md)
|
||||||
* [autorun.sh](autorun-sh-setup.md)
|
* [autorun.sh](autorun-sh-setup.md)
|
||||||
|
|
||||||
* All participants need Ceremony Notes which contain a record of which they
|
* All participants need Ceremony Notes which contain a record of which they
|
||||||
|
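Review bot: `[Operator Keys](glossary#operator-key)` in the unchanged context of this hunk is missing the `.md` extension, the same defect this commit fixes for `public-ceremony-artifact-storage.md`; it should become `glossary.md#operator-key` in the same pass. The other retargets here (`location.md` to `locations.md`, `hardware-procurement.md` to `hardware.md`, and `airgap.iso.asc` pointing at `repeat-use-airgapos.md` alongside `airgap.iso`) are consistent with the rest of the commit.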
@ -30,7 +30,7 @@ verified and wrote down themselves:
|
||||||
### Steps
|
### Steps
|
||||||
|
|
||||||
1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
|
1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
|
||||||
established [Location](location.md)
|
established [Location](locations.md)
|
||||||
|
|
||||||
2. Ensure that no participants have brought digital devices other than ones
|
2. Ensure that no participants have brought digital devices other than ones
|
||||||
necessary for the ceremony. A faraday bag may be used to hold any such devices
|
necessary for the ceremony. A faraday bag may be used to hold any such devices
|
||||||
|
|
|
@ -18,7 +18,7 @@ would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-s
|
||||||
## Steps
|
## Steps
|
||||||
|
|
||||||
1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
|
1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
|
||||||
established [Location](location.md)
|
established [Location](locations.md)
|
||||||
|
|
||||||
2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
|
2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
|
||||||
or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
|
or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
|
||||||
|
|
|
@ -12,7 +12,7 @@ the ceremony is a set of the following for each Operator:
|
||||||
for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
|
for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
|
||||||
1 YubiKey Series 5.
|
1 YubiKey Series 5.
|
||||||
|
|
||||||
* [Storage Devices](equipment.md#storage-device): as many storage devices as you
|
* [Storage Devices](hardware.md#storage-device): as many storage devices as you
|
||||||
would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
|
would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
|
||||||
|
|
||||||
## Playbook
|
## Playbook
|
||||||
|
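Review bot: retargeting `equipment.md#storage-device` to `hardware.md#storage-device` is required by the deletion of `equipment.md` in this commit, but the anchor only resolves if `hardware.md` still carries a `## Storage Device` heading; the deleted file had one, and the visible `hardware.md` hunks do not touch that section, so this should hold, but it is the one link in the commit whose target is a heading anchor rather than a file and deserves a manual check.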
@ -21,8 +21,8 @@ would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-s
|
||||||
This playbook allows the setup of any number of Operator Keys. For each Operator,
|
This playbook allows the setup of any number of Operator Keys. For each Operator,
|
||||||
the steps that follow need to be repeated.
|
the steps that follow need to be repeated.
|
||||||
|
|
||||||
1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
|
1. Bring the Ceremony Machine and [Quorum](selecting-quorum.md) team into the
|
||||||
established [Location](location.md)
|
established [Location](locations.md)
|
||||||
|
|
||||||
2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
|
2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
|
||||||
|
|
||||||
|
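Review bot: changing `[Quorum Team](quorum-team.md)` to `[Quorum](selecting-quorum.md) team` here is inconsistent with the other two hunks in this commit that keep `[Quorum Team](quorum-team.md)` unchanged; either `quorum-team.md` exists, in which case this line should stay as it was, or it does not, in which case the other two references are also broken and need the same retarget.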
@ -38,7 +38,7 @@ from Step 3 as desired.
|
||||||
7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
|
7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
|
||||||
for storage of the Operator Smart Cards and Location Smart Cards
|
for storage of the Operator Smart Cards and Location Smart Cards
|
||||||
|
|
||||||
8. Follow the [Public Ceremony Artifacts Storage](public-ceremony-artifact-storage.md)
|
8. Follow the [Online Artifacts Storage](public-ceremony-artifact-storage.md)
|
||||||
guide for all public artifacts produced during the ceremony
|
guide for all public artifacts produced during the ceremony
|
||||||
|
|
||||||
|
|
||||||
|
|
|
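Review bot: the link text change from "Public Ceremony Artifacts Storage" to "Online Artifacts Storage" is not a link fix (the target `public-ceremony-artifact-storage.md` is unchanged) and it diverges from the "Public Ceremony Artifacts" wording used for the same target elsewhere in this commit; suggest keeping the link text aligned with the target page's name, or renaming it consistently in every reference.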
@ -21,7 +21,7 @@ private vaulting provider.
|
||||||
## Location Smart Cards
|
## Location Smart Cards
|
||||||
|
|
||||||
These cards should only be stored in secure vaults which meet the criteria
|
These cards should only be stored in secure vaults which meet the criteria
|
||||||
outliened for Storage Locations in the [Location](location.md) document.
|
outliened for Storage Locations in the [Location](locations.md) document.
|
||||||
|
|
||||||
|
|
||||||
## Additional Criteria
|
## Additional Criteria
|
||||||
|
|
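Review bot: "outliened" on the touched line should read "outlined"; since the line is already being modified for the `locations.md` retarget, the typo fix belongs in the same hunk.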