public
/
docs
5
0
Fork 0
Code Issues 18 Pull Requests 1 Packages Projects Releases Wiki Activity

clean up bootstrap document

This commit is contained in:
Anton Livaja 2025-01-09 12:19:04 -05:00
parent 8f483fedf3
commit b95bdfcfc3
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
6 changed files with 49 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
quorum-key-management/src/SUMMARY.md
View File

@ -10,7 +10,7 @@
* [Level 2]() * [Level 2]()
* [Fixed-Location]() * [Fixed-Location]()
* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md) * [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
* [PGP Key Bootstrapping](generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md) * [Bootstrapping PGP Keys + Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md)
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md) * [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
* [Provision Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md) * [Provision Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md)
* [Provision SD Card](generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md) * [Provision SD Card](generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md)

10
quorum-key-management/src/component-documents/openpgp-setup.md
View File

@ -72,11 +72,15 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS.
sub rsa4096 2022-03-26 [A] [expires: 2026-03-27] sub rsa4096 2022-03-26 [A] [expires: 2026-03-27]
``` ```
1. Export the public key:
* `gpg --export --armor <key_id> > <key_id>.asc`
1. Bundle all data and encrypt it 1. Bundle all data and encrypt it
* `mkdir backup_bundle/` * `mkdir backup_bundle/`
* `mv pub.asc priv.asc smart-card-pin.txt backup_bundle/` * `mv <key_id>.asc priv.asc smart-card-pin.txt backup_bundle/`
* `tar -cvf backup_bundle.tar backup_bundle/` * `tar -cvf backup_bundle.tar backup_bundle/`
@ -90,10 +94,6 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS.
* `cp backup_bundle.tar.gpg /media` * `cp backup_bundle.tar.gpg /media`
1. For posterity, delete all the generated assets before shutting down
computer;
* `rm -rf *`
// ANCHOR_END: steps-keyfork // ANCHOR_END: steps-keyfork
## Generating Keys on Smartcard ## Generating Keys on Smartcard

2
quorum-key-management/src/component-documents/repeat-use-airgapos.md
View File

@ -1,7 +1,7 @@
/* ANCHOR: all */ /* ANCHOR: all */
# PureBoot Hash Verifying .iso Setup # PureBoot Hash Verifying .iso Setup
If the SD card with AirgapOS is stored as part of a tamper proofed bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony. If the SD card with AirgapOS is stored as part of a Air-Gapped bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony.
This section can be completed on any machine. This section can be completed on any machine.

2
quorum-key-management/src/generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md
View File

@ -16,6 +16,6 @@
1. Lock access to the facility for the duration of the ceremony 1. Lock access to the facility for the duration of the ceremony
1. Unseal the tamper proofed bundle consisting of a air-gapped laptop, "AirgapOS" SD card and "Keychain" SD card 1. Unseal the Air-Gapped bundle consisting of a air-gapped laptop, "AirgapOS" SD card and "Keychain" SD card
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}} {{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}}

44
quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md
View File

@ -1,9 +1,9 @@
# Operator - Provisioning PGP Keypair # Operator - Provisioning PGP Keypair
## Requirements
The initial set up requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes so that the ceremony can be completed in one working day. The initial set up requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes so that the ceremony can be completed in one working day.
## Requirements
* 3 individuals in order to have the flexibility for washroom breaks, fetching food and drinks etc. * 3 individuals in order to have the flexibility for washroom breaks, fetching food and drinks etc.
* [AirgapOS SD Card](./provision-airgapos.md) * [AirgapOS SD Card](./provision-airgapos.md)
@ -18,13 +18,23 @@ The initial set up requires the provisioner and operator to do all of these in a
* 3 per PGP keypair (for backups) * 3 per PGP keypair (for backups)
* + 2 SD cards for Keychain SD cards
* Designated [facility](./provision-facility.md) * Designated [facility](./provision-facility.md)
* Sealable plastic bag: {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }} * Sealable plastic bag: {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }}
* For hardware procurement
## Procedure ## Procedure
### Procure Hardware ### Procure Computer (AirgapOS Compatible)
#### Compatible Hardware
{{ #include ../../hardware.md:computer-models }}
#### Procedure
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps }} {{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps }}
@ -42,20 +52,40 @@ The initial set up requires the provisioner and operator to do all of these in a
### Generating PGP Keys and Seeding Cards ### Generating PGP Keys and Seeding Cards
Repeat these steps for each keypair:
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}} {{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}}
### Tamper Proofed Bundle 1. Do not turn off the computer as you will need to use the keys that are loaded for signing in the following section
### Signing Keys
Once the keys are generated, cross-sign all keys, for example:
```
gpg --clearsign --default-key=<key_id_2> <key_id_1>.asc
gpg --clearsign --default-key=<key_id_1> <key_id_2>.asc
```
1. Store both public keys and both signatures on an SD card and repeat the process so that there are 2 backup SD cards.
* Label both cards "Keychain <date>"
1. Upload these keys and signatures to the ceremonies repository after the airgapped machine is shut down.
### Air-Gapped Bundle
The following objects should be in the bundle: The following objects should be in the bundle:
* AirgapOS SD Cards * AirgapOS SD Card
* Airgapped computer * Air-gapped computer
* Keychain SD Card
#### Procedure #### Procedure
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
1. Create tamper proofed bundle (airgapos, laptop) 1. Create Air-Gapped bundle (airgapos, laptop)
1. Submit evidence to ceremonies repo 1. Submit evidence to ceremonies repo

6
quorum-key-management/src/generated-documents/level-2/hardware.md
View File

@ -14,9 +14,11 @@
* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99 * Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
* Purism Librem 14 * [Purism Librem 14](https://puri.sm/products/librem-14/)
* Nova Custom (Untested) * [Nova Custom](https://novacustom.com/de/) (Untested)
* [NitroPad](https://shop.nitrokey.com/shop?&search=nitropad) (Untested)
* Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility) * Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility)