clean up main ceremony commands

Anton Livaja 2025-01-26 06:28:18 -05:00
parent fd0907d07a
commit 997316f6b7
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
7 changed files with 21 additions and 164 deletions

@ -21,8 +21,6 @@
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
* [Provision SD Card](generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md)
* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
* [Provision Namespace Ceremony SD Card](generated-documents/level-2/fixed-location/provisioner/provision-namespace-ceremony-sd-card.md)
* [Provision Quorum Ceremony SD Card](generated-documents/level-2/fixed-location/provisioner/provision-quorum-ceremony-sd-card.md)
* [Provision Ceremony SD Card](generated-documents/level-2/fixed-location/provisioner/provision-ceremony-sd-card.md)
* [Copy Shardfile SD Card](generated-documents/level-2/fixed-location/provisioner/copy-shardfile-sd-card.md)
* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
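Review bot: the new entry `Provision Ceremony SD Card` links to `generated-documents/level-2/fixed-location/provisioner/provision-ceremony-sd-card.md`, but that file is not among the 7 changed files in this commit, while the two pages this hunk drops from the summary (provision-namespace-ceremony-sd-card.md and provision-quorum-ceremony-sd-card.md) are deleted further down. Unless the unified page already exists on the parent commit, add it in this change so the book does not ship a SUMMARY link to a missing page.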

@ -1,56 +0,0 @@
/* ANCHOR: all */
// ANCHOR: content
## Procedure
1. Enter the designated location with the 2 operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle from locked storage
### Unsealing Tamper Proofing
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all materials except for the laptop into High Visibility Storage
### Generating Entropy
1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
1. Plug in the Ceremony SD card
1. Run `ceremony.sh` from the SD card
1. Button mash to ensure adequate entropy on the OS
1. Back up the `shardfile` to any desired number of SD cards, and label each "Shardfile [date]"
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `keyfork recover shard --daemon`
1. If an OpenPGP certificate was derived, store the public key on a SD card, separate from the shardfiles
### Finalizing Ceremony
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
* Shardfile SD card
* Ceremony SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
// ANCHOR_END: content
/* ANCHOR_END: all */
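Review bot: deleting this anchored fragment (`ANCHOR: all` / `ANCHOR: content`) breaks any page that still `{{ #include }}`s it; grep the generated-documents tree for includes of this file before merging. It is also the only place in the visible diff that tells the operator to store a derived OpenPGP public key on an SD card separate from the shardfiles and to write `keyfork recover shard --daemon` into `autorun.sh`; confirm the remaining ceremony pages carry both steps, since the namespace ceremony hunk below ends at the `autorun.sh` step.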

@ -10,6 +10,10 @@
{{ #include ../../../../operator-requirements.md:requirements }}
* Ceremony SD card
* Transaction SD card (with workflow payloads)
## Procedure
1. Verify all transactions for the ceremony in the `ceremonies` repository, ensuring that all the transactions are properly signed by the proposer and the approver using PGP keys which have been checked into ceremonies repository.
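Review bot: the new step 1 says to verify that every transaction is signed by the proposer and the approver, but gives neither the command nor the abort condition. State how the check is performed (for example `gpg --verify` against the keys checked into the `ceremonies` repository) and that the ceremony stops if any signature fails or was made by a key not in that repository, matching the "Ceasing ceremony" pattern the deleted `ceremony.sh` used. Minor: "checked into ceremonies repository" is missing "the".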

@ -10,7 +10,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
* [SD Card Booster Pack](../provisioner/provision-sd-card.md)
* [Namespace Ceremony SD Card](../provisioner/provision-namespace-ceremony-sd-card.md)
* [Shardfile SD Card](../provisioner/copy-shardfile-sd-card.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
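Review bot: the requirements still link `Namespace Ceremony SD Card` to `../provisioner/provision-namespace-ceremony-sd-card.md`, a file this commit deletes (the `@ -1,62 +0,0 @@` hunk). Unless that is the line being replaced in this hunk, repoint it at the provision-ceremony-sd-card.md page that SUMMARY now lists. The `[High Visibility Storage](TODO)` link target is also still a placeholder.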
@ -36,13 +36,15 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
1. Retrieve Namespace Ceremony SD card from High Visibility Storage and plug it into air-gapped laptop
1. Retrieve Shardfile SD card from High Visibility Storage and plug it into air-gapped laptop
1. Run `ceremony.sh` from the SD card
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
1. Button mash to ensure adequate entropy on the OS
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,<output_shard>`
1. Back up the `shardfile` to any desired number of SD cards, and label each "Shardfile [date]"
* NOT IMPLEMENTED YET
1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_id] [date]"
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
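Review bot: the replacement for `Run ceremony.sh` is `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,<output_shard>` with a `NOT IMPLEMENTED YET` bullet beneath it; an operator procedure should not instruct a command that does not exist yet, so either hold this hunk until keyfork supports `--shard-to` or move the marker into the step text so it is not read as a sub-step. Two smaller points: the placeholder is `<output_shard>` in the command but `<output_shardfile>` in the backup step, and as the hunk renders, "Button mash to ensure adequate entropy" sits between the generate step and its command bullet; make sure the entropy step precedes the generate command in the final ordering.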

@ -10,7 +10,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
* `N` SD cards in the chosen `M of N` quorum
* [Quorum Entropy Ceremony SD Card](../provisioner/provision-quorum-ceremony-sd-card.md)
* [Shardfile SD Card](../provisioner/copy-shardfile-sd-card.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
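Review bot: `[Quorum Entropy Ceremony SD Card](../provisioner/provision-quorum-ceremony-sd-card.md)` points at a file this commit deletes (the `@ -1,33 +0,0 @@` hunk); unless this is the replaced line, repoint it at provision-ceremony-sd-card.md. Also, the wizard command in the next hunk passes `--keys-per-shard=2` and the step text says the certs are loaded into smart cards, which reads as two smart cards per shard, yet the requirements list only `N` SD cards; add the smart cards (2 per shard, N shards) to the requirements.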
@ -36,19 +36,23 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
1. Retrieve Quorum Entropy Ceremony SD card from High Visibility Storage and plug it into air-gapped laptop
1. Retrieve Shardfile SD card from High Visibility Storage and plug it into air-gapped laptop
1. Run `ceremony.sh` from the SD card
1. Run the keyfork wizard to generate entropy, derive OpenPGP certs, load them into smart cards, and shard the secret to the generated OpenPGP keys
1. Button mash to ensure adequate entropy on the OS
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=2 --output shardfile.asc --cert-output keyring.asc`
1. Unplug the Quorum Entropy Ceremony SD card and place it into High Visibility Storage
* NOT IMPLEMENTED YET
1. Unplug the Shardfile SD card and place it into High Visibility Storage
1. Open the SD Card Booster Pack, and place all cards into High Visibility Storage
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Back up the `shardfile`
1. Back up the `shardfile.asc`
1. Back up the `keyring.asc`
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
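Review bot: `keyfork wizard generate-shard-secret ... --output shardfile.asc --cert-output keyring.asc` uses bare relative paths, so the outputs land in whatever the working directory is, and the procedure never says which (the Quorum Entropy Ceremony SD card, the Shardfile SD card, or RAM); the very next steps unplug both SD cards before the backup loop, so if the files are on an unplugged card or only in memory on the air-gapped machine the backup steps cannot work as written. Give explicit output paths. The backup list also carries `shardfile` and `shardfile.asc` as separate items; if both are meant to survive, pick one name. As in the namespace hunk, `NOT IMPLEMENTED YET` sits under the command as a bullet and "Button mash" lands between the step and its command; entropy gathering has to come before the wizard run.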

@ -1,62 +0,0 @@
# Provision Namespace Ceremony SD Card
## Requirements
* Personal PGP Keys
* SD Card Booster Pack
## Procedure
1. Plug in a fresh formatted SD card into the computer
1. Create a directory called `public_certificates` on the SD card
1. Copy the desired OpenPGP public certificates you wish to shard to during the ceremony into the `public_certificates` directory on the SD card. The number of public certificates in this directory corresponds to the `N` value in a `M of N` quorum.
1. Write the following script to a file called `ceremony.sh`
* `<threshold_value>` should be replaced with the desired `M` value in a `M of N` quorum
* If you would like to generate an OpenPGP public certificate, add `--output-cert /media/cert` and `--user-id <name>` to the command
```sh
#!/bin/sh
script_dir="$(dirname "$(realpath "$0")")"
read -p "Provide the path to PGP certificates which will be used for the ceremony: " relative_path
directory_path="$script_dir/$relative_path"
if [ ! -d "$directory_path" ]; then
echo "Directory does not exist. Please enter a valid directory path."
exit 1
fi
for file in "$directory_path"/*; do
if [ -f "$file" ]; then
echo "Processing file: $file"
gpg --import --import-options import-show $file
fi
done
read -p "Do the PGP key IDs match what you expect? (y/n): " matches_expectation
if [ $matches_expectation != "y" ]; then
echo "Ceasing ceremony as PGP key IDs don't match"
exit 1
fi
keyfork bottoms-up --threshold <threshold_value> --output-shardfile /media/shardfile /media/public-certificates/
```
1. Write the `ceremony.sh` script to the SD card
1. Burn the SD card contents to the SD card using `sdtool`
{{ #include ../../../../sdtool-instructions.md:steps }}
1. Label the SD card "Namespace Ceremony [date]"
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
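Review bot: removing this page also removes the only step in the visible diff where the operator imports the quorum's public certificates with `--import-options import-show` and confirms the key IDs before sharding; the replacement namespace command in the `@ -36,13 +36,15 @@` hunk runs `keyfork mnemonic generate --shard-to` with no such check, so carry the confirmation into the new page. If the script is revived, do not carry over its defects: the final `keyfork bottoms-up` line ignores the `$directory_path` the operator just entered and hard-codes `/media/public-certificates/` (hyphen) while step 2 creates `public_certificates` (underscore), and `$file` and `$matches_expectation` are unquoted, so a filename with spaces or an empty answer breaks the `gpg --import` call and the `[ $matches_expectation != "y" ]` test.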

@ -1,33 +0,0 @@
# Provision Quorum Ceremony SD Card
## Requirements
* Personal PGP Keys
* SD Card Booster Pack
## Procedure
1. Plug in a fresh formatted SD card into the computer
1. Write the following script to a file called `ceremony.sh`
* `<threshold_value>` should be replaced with the desired `M` value in a `M of N` quorum
* If you would like to generate an OpenPGP public certificate, add `--output-cert /media/cert` and `--user-id <name>` to the command
```sh
#!/bin/sh
TODO: add keyfork command
```
1. Write the `ceremony.sh` script to the SD card
1. Burn the SD card contents to the SD card using `sdtool`
{{ #include ../../../../sdtool-instructions.md:steps }}
1. Label the SD card "Quorum Ceremony [date]"
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
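Review bot: dropping this stub is fine (its `ceremony.sh` body is only `TODO: add keyfork command`), but the quorum ceremony requirements in the `@ -10,7 +10,7 @@` hunk above still link `../provisioner/provision-quorum-ceremony-sd-card.md`; update that link in the same commit so the deletion does not leave a dangling reference.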