From a0129bb91bb9475b2b5e0ff3376f09adb89fcb7c Mon Sep 17 00:00:00 2001
From: Anton Livaja
Date: Mon, 24 Mar 2025 11:40:19 -0700
Subject: [PATCH] feat: replace all occurences of all name with trove
---
Makefile | 24 +++++++++----------
trove/README.md | 4 ++--
trove/book.toml | 2 +-
.../physical-artifact-storage.md | 2 +-
.../public-ceremony-artifact-storage.md | 2 +-
trove/src/glossary.md | 6 ++---
trove/src/intro.md | 8 +++---
trove/src/local-key-provisioning.md | 2 +-
trove/src/location-key-provisioning.md | 2 +-
trove/src/locations.md | 6 ++---
trove/src/quorum-team.md | 4 ++--
trove/src/selecting-quorum.md | 2 +-
trove/src/software.md | 4 ++--
trove/src/system-roles.md | 12 +++++-----
trove/src/threat-model.md | 8 +++---
15 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/Makefile b/Makefile
index 20ce22a..75a7de8 100644
--- a/Makefile
+++ b/Makefile
@@ -1,24 +1,24 @@
 PORT := 8080
 .PHONY: default
-default: build-qvs
+default: build-trove
 out:
 	mkdir -p out
-.PHONY: build-qvs
-build-qvs: out/qvs/index.json
-out/qvs/index.json: out Containerfile.qvs $(shell find quorum-vault-system -type f)
-	mkdir -p out/qvs
+.PHONY: build-trove
+build-trove: out/trove/index.json
+out/trove/index.json: out Containerfile.trove $(shell find quorum-vault-system -type f)
+	mkdir -p out/trove
 	docker \
 		build \
-		-f Containerfile.qvs \
--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-qvs,tar=true,dest=- \
+		-f Containerfile.trove \
--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-trove,tar=true,dest=- \
 		. \
-		| tar -C out/qvs -mx
+		| tar -C out/trove -mx
-.PHONY: serve-qvs
-serve-qvs: build-qvs
-	tar -C out/qvs -cf - . | docker load
-	docker run -p $(PORT):8080 git.distrust.co/public/docs-qvs
+.PHONY: serve-trove
+serve-trove: build-trove
+	tar -C out/trove -cf - . | docker load
+	docker run -p $(PORT):8080 git.distrust.co/public/docs-trove
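Review bot: The rebuilt prerequisite line `out/trove/index.json: out Containerfile.trove $(shell find quorum-vault-system -type f)` still globs the old `quorum-vault-system` directory while every other `qvs` name in this hunk is renamed, and the diffstat lists the book sources under `trove/`, which suggests the old path no longer exists. If that directory is absent, `find` fails at parse time and the prerequisite expands to nothing, so edits to the documentation stop triggering a rebuild and a stale `out/trove/index.json` is reported as up to date; I would change it to `$(shell find trove -type f)`. The same line switches to `Containerfile.trove`, but no rename of `Containerfile.qvs` appears in this patch's diffstat, so `make build-trove` is likely to stop with a missing prerequisite until that file is renamed in the same commit. Separately, `out` is a normal prerequisite of the index target although the recipe writes into `out/trove` and changes the directory's mtime on every build, so making it order-only with `| out` avoids a spurious rebuild.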
diff --git a/trove/README.md b/trove/README.md
index 6ea57cf..8962275 100644
--- a/trove/README.md
+++ b/trove/README.md
@@ -1,6 +1,6 @@
-# Quorum Key Management (QVS)
+# Trove
-Quorum Key Management (QVS) is an open source system of playbooks and tooling which
+Trove is an open source system of playbooks and tooling which
 facilitates the creation and maintenance of highly resilient Quorum-based Key Management Systems based on a strict threat model which can be used for a variety of different cryptographic algorithms.
diff --git a/trove/book.toml b/trove/book.toml
index 552fd4d..a218cdb 100644
--- a/trove/book.toml
+++ b/trove/book.toml
@@ -3,4 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
 language = "en"
 multilingual = false
 src = "src"
-title = "Quorum Vault System (QVS)"
+title = "Trove"
diff --git a/trove/src/component-documents/physical-artifact-storage.md b/trove/src/component-documents/physical-artifact-storage.md
index a7ef1ae..b38af53 100644
--- a/trove/src/component-documents/physical-artifact-storage.md
+++ b/trove/src/component-documents/physical-artifact-storage.md
@@ -1,6 +1,6 @@
 # Physical Artifact Storage
-QVS requires that some of the hardware containing cryptographic material be
+Trove requires that some of the hardware containing cryptographic material be
 securely stored in physical locations. The two primary cases where physical storage is necessary are the storage of Location Key Smart Cards, and Operator Key Smart Cards. These Smart Cards are necessary to successfully execute a
diff --git a/trove/src/component-documents/public-ceremony-artifact-storage.md b/trove/src/component-documents/public-ceremony-artifact-storage.md
index dc8da1e..4e5fd8e 100644
--- a/trove/src/component-documents/public-ceremony-artifact-storage.md
+++ b/trove/src/component-documents/public-ceremony-artifact-storage.md
@@ -1,7 +1,7 @@
 # Redundant Storage of Ceremony Artifacts
 Ceremony Artifacts consist of data which is not sensitive in nature, but
-essential to ongoing operation of a QVS.
+essential to ongoing operation of a Trove.
 The primary artifacts which are produced during the ceremony are:
diff --git a/trove/src/glossary.md b/trove/src/glossary.md
index eeb71fa..0a984a6 100644
--- a/trove/src/glossary.md
+++ b/trove/src/glossary.md
@@ -10,7 +10,7 @@ using an algorithm, called a cipher. Entropy in cryptography refers to the measure of randomness or unpredictability in data used for generating cryptographic keys and other security elements.
-## Quorum Key Management (QVS)
+## Trove
 A set of highly specified processes and tooling used for setting up a highly resilient quorum-based key management system.
@@ -19,7 +19,7 @@ resilient quorum-based key management system. An individual who manages an [Operator Key](#operator-key) which is used for protecting the passphrase of a Location key and participates in different
-aspects of the lifecycle management of the QVS system.
+aspects of the lifecycle management of the Trove system.
 ## Operator Key
@@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is
 ## Organization
-An organization which owns the QVS and is responsible for funding the setup and
+An organization which owns the Trove and is responsible for funding the setup and
 maintenance. The organization is also responsible for ensuring that the [Warehouse](#warehouse) is properly maintained in order to ensure that the ciphertext blobs associated with the system are redundantly stored and
diff --git a/trove/src/intro.md b/trove/src/intro.md
index 3ba80fb..146e507 100644
--- a/trove/src/intro.md
+++ b/trove/src/intro.md
@@ -1,13 +1,13 @@
 # Introduction
-Quorum Vaulting System (QVS) is an open source system of playbooks and
+Trove is an open source system of playbooks and
 tooling which facilitates the creation and maintenance of highly resilient [quorum](glossary.md#quorum)-based key management systems based on a strict [threat model](threat-model.md) which can be used for a variety of different cryptographic algorithms. The system was designed and developed by [Distrust](https://distrust.co), with the generous support of sponsors.
-The basic premise of QVS is that primary cryptographic material akin to a root
+The basic premise of Trove is that primary cryptographic material akin to a root
 certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated during a secure key derivation ceremony, and then used to derive chosen cryptographic material via different algorithms such as PGP keys, digital asset
@@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE.
 ## Use Cases
-QVS can be used for a wide range of use-cases which span but are not limited
+Trove can be used for a wide range of use-cases which span but are not limited
 to:
 * Deriving a PGP key pair whose public key can be used as a "one-way deposit
@@ -42,7 +42,7 @@ a cold signing setup.
 ## Playbooks
-QVS can be set up by using a set of highly opinionated playbooks which outline
+Trove can be set up by using a set of highly opinionated playbooks which outline
 the process. The base documentation should be read in its entirety by all participants of the ceremony in order to ensure that the system is well understood by all to ensure that the integrity of the process is preserved and
diff --git a/trove/src/local-key-provisioning.md b/trove/src/local-key-provisioning.md
index b44f46e..bc509b2 100644
--- a/trove/src/local-key-provisioning.md
+++ b/trove/src/local-key-provisioning.md
@@ -1,7 +1,7 @@
 # Local Key Provisioning
 This document contains instructions on how Operators collaborate to set up
-QVS which requires an N-of-M quorum to be reconstituted. The encrypted shards
+Trove which requires an N-of-M quorum to be reconstituted. The encrypted shards
 which result from this ceremony are stored in separate physical [Locations](locations.md) which contain [Location Keys](glossary.md#location-key) to which shards are encrypted, and whose passphrases are protected using
diff --git a/trove/src/location-key-provisioning.md b/trove/src/location-key-provisioning.md
index 127f872..d3b356d 100644
--- a/trove/src/location-key-provisioning.md
+++ b/trove/src/location-key-provisioning.md
@@ -3,7 +3,7 @@
 ## Description
 This ceremony is for generating Location Keys. Location Keys are typically stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
-Location Keys are keypairs to which the Root Entropy of a QVS is sharded. The
+Location Keys are keypairs to which the Root Entropy of a Trove is sharded. The
 keypairs are stored exclusively on Smart Cards, and the PINs which protect the Smart Cards are encrypted to Operator Keys.
diff --git a/trove/src/locations.md b/trove/src/locations.md
index dbf3f7f..84a7129 100644
--- a/trove/src/locations.md
+++ b/trove/src/locations.md
@@ -30,7 +30,7 @@ This level of defenses is largely focused on remote attacks, and as such does no
 * Co-working space
-* Regular office (non specific to QVS)
+* Regular office (non specific to Trove)
 ### Reference Design
@@ -44,7 +44,7 @@ This level of defenses is focused on insider threats and as such requires a cons
 ### Examples
-* Purpose specific facility for QVS
+* Purpose specific facility for Trove
 * Short term rental
@@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons locations simultaneously
 * SHOULD be facilities owned by different organizations to reduce the risk of
-collusion unless the organization who owns the QVS system has their own facility such
+collusion unless the organization who owns the Trove system has their own facility such
 as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
 ## Level 4 (SCIF)
diff --git a/trove/src/quorum-team.md b/trove/src/quorum-team.md
index 3981acd..b1e12c4 100644
--- a/trove/src/quorum-team.md
+++ b/trove/src/quorum-team.md
@@ -1,7 +1,7 @@
 # Quorum Team
 The Quorum Team is a team of individuals who are selected to perform different
-roles related to a QVS. Some of the Quorum Team members have ongoing roles,
+roles related to a Trove. Some of the Quorum Team members have ongoing roles,
 while others may participate in a partial manner. Depending on the type of actions performed, some or all of the members of the
@@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to risk appetite.
 ## Witness
-Witnesses are individuals who are familiar with the QVS specification, and can
+Witnesses are individuals who are familiar with the Trove specification, and can
 ensure that the different aspects of the system are set up correctly, and processes carried out as they should be. The main objective of the witnesses is to monitor and attest that processes such as the ceremonies are done according
diff --git a/trove/src/selecting-quorum.md b/trove/src/selecting-quorum.md
index 7b02838..f971f5a 100644
--- a/trove/src/selecting-quorum.md
+++ b/trove/src/selecting-quorum.md
@@ -1,6 +1,6 @@
 # Selecting a Quorum
-The backbone of QVS is a Quorum which is used to reconstitute or re-assemble
+The backbone of Trove is a Quorum which is used to reconstitute or re-assemble
 cryptographic material, and approve actions. Quorum is a general term referring to a system which requires the collaboration of multiple individuals in order to achieve something, and it is based on a Threshold which determines how many
diff --git a/trove/src/software.md b/trove/src/software.md
index 921204d..f094b8b 100644
--- a/trove/src/software.md
+++ b/trove/src/software.md
@@ -1,5 +1,5 @@
 # Software
-This page outlines the software used for setting up QVS.
+This page outlines the software used for setting up Trove.
 ## [[Stageˣ]](https://codeberg.org/stagex/stagex)
@@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032 seed, which is used for hierarchical deterministic key derivation. This software is the backbone for all cryptographic actions performed as part
-of QVS. It was developed by [Distrust](https://distrust.co) and is included
+of Trove. It was developed by [Distrust](https://distrust.co) and is included
 with AirgapOS and has been audited by two firms, NCC and Cure53 with no significant vulnerabilities found.
diff --git a/trove/src/system-roles.md b/trove/src/system-roles.md
index eef6dbb..33e8897 100644
--- a/trove/src/system-roles.md
+++ b/trove/src/system-roles.md
@@ -1,6 +1,6 @@
 # System Roles
-There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
+There are several roles which are required to properly operate the Trove system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to Trove. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
 To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
@@ -28,16 +28,16 @@ This is an individual who is a business owner or stakeholder, or a financial con
 ## Approver
-This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
+This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the Trove system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
 ## Operator
-Trained on how the QVS system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
+Trained on how the Trove system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
-Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
+Operators conduct ceremonies and ensure that the controls around Trove are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the Trove system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
-As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
+As a Trove grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
 ## Witness
-QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the security-critical processes. While it is not required that a Witness be a trained Operator, it is highly preferred.
+Trove relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the Trove system allows them to detect any deviation from the security-critical processes. While it is not required that a Witness be a trained Operator, it is highly preferred.
diff --git a/trove/src/threat-model.md b/trove/src/threat-model.md
index 2fd27b1..aef0aee 100644
--- a/trove/src/threat-model.md
+++ b/trove/src/threat-model.md
@@ -1,10 +1,10 @@
 # Threat Model
-QVS is designed according to a high-assurance threat model which ers on the
+Trove is designed according to a high-assurance threat model which ers on the
 side of making exaggerated, rather than conservative assumptions in order to build a resilient system.
-The assumption is made that attackers who target QVS are extremely
+The assumption is made that attackers who target Trove are extremely
 sophisticated, well funded and patient attackers, and as such, the full arsenal of attacks is on the table. This means that the attacker can purchase and weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
@@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's used, or the individuals or locations that hold secret material which is the backbone of the system.
-To achieve this, the QVS focuses on reducing the risk by:
+To achieve this, the Trove focuses on reducing the risk by:
 * Only using fully open source software and firmware to allow full verification of their security properties
@@ -64,7 +64,7 @@ Some additional assumptions are made to help contextualize the threat model:
 ## Threat Model Levels
-Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available.
+Different threat model levels allow an organization to start benefiting from the security properties of the Trove system immediately, with a clear path to upgrading over time as resources and time become available.
 Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.