diff --git a/quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md b/quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md index 377de37..0a6dd14 100644 --- a/quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md +++ b/quorum-key-management/src/component-documents/hardware-procurement-and-chain-of-custody.md @@ -20,7 +20,7 @@ The following steps must all be completed under the continued supervision and wi 1. Within the store, identify available adequate device -1. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. +1. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which SHOULD be an access controlled space. * The bag MUST be a sealable see-through tamper evident bag. It may be necessary to remove the device from it's original packaging to fit it into the sealable bag. 1. If the equipment does not have to be tamper proofed, simply deliver it to its storage location, and update the inventory repository with the serial number of the device. diff --git a/quorum-key-management/src/component-documents/openpgp-setup.md b/quorum-key-management/src/component-documents/openpgp-setup.md index da44d03..826613b 100644 --- a/quorum-key-management/src/component-documents/openpgp-setup.md +++ b/quorum-key-management/src/component-documents/openpgp-setup.md @@ -23,6 +23,8 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. * `bg` + * Burn the piece of paper which has the mnemonic written on it + 1. Derive PGP keypair: * `keyfork derive openpgp "full_name (alias) " > priv.asc` @@ -41,17 +43,17 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. * Set the admin and user PINs for the card - * Use the following command to generate the two PINs (they should be different): + * You can come up with your own alpha numeric PIN or use the following command to generate the two PINs (they should be different): - * `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5 }' > smart-card-pin.txt` + * `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5, $6 }' > smart-card-pin.txt` * `oct pin --card set-user` - * Enter the + * Enter the `` * `oct pin --card set-admin` - * Enter the + * Enter the `` 1. Import PGP key into keyring @@ -72,19 +74,23 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. sub rsa4096 2022-03-26 [A] [expires: 2026-03-27] ``` +1. Rename the private key file to contain the `key_id`: + + * `mv priv.asc key_id.priv` + 1. Export the public key: - * `gpg --export --armor > .asc` + * `gpg --export --armor > .pub` 1. Bundle all data and encrypt it * `mkdir backup_bundle/` - * `mv .asc priv.asc smart-card-pin.txt backup_bundle/` + * `mv .pub .priv smart-card-pin.txt backup_bundle/` * `tar -cvf backup_bundle.tar backup_bundle/` - * `gpg --armor -er backup_bundle.tar` + * `gpg --armor -er backup_bundle.tar` 1. Copy the encrypted bundle, `backup_bundle.tar.gpg` to an SD card. Repeat the process as many times as desired. Minimum of 3 SD Card backups is recommended. @@ -99,12 +105,14 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. ## Generating Keys on Smartcard // ANCHOR: steps-on-key-gen -1. Insert the smartcard into the USB port if it is not already plugged in. +1. Insert the smart card into the USB port if it is not already plugged in. 1. Open Command Prompt (Windows) or Terminal (macOS / Linux). -1. Enter the GPG command: gpg --card-edit - +1. Enter the GPG command: + + * `gpg --card-edit` + 1. At the gpg/card> prompt, enter the command: admin 1. If you want to use keys larger than 2048 bits, run: key-attr @@ -113,7 +121,7 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. 1. When prompted, specify if you want to make an off-card backup of your encryption key. - * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore to a new smartcard. + * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore the key. 1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years). @@ -127,9 +135,10 @@ Setting up a PGP key pair is necessary for a number of different aspects of QVS. 1. Review the name and email, and accept or make changes. -1. Enter the default admin PIN again. The green light on the smartcard will flash while the keys are being written. +1. Enter the default admin PIN again. The green light on the smart card will flash while the keys are being written. 1. Enter a Passphrase as the key will not allow you to pass without having a passphrase. If you do not enter a Passphrase generation will fail. + // ANCHOR_END: steps-on-key-gen /* ANCHOR_END: all */ \ No newline at end of file diff --git a/quorum-key-management/src/component-documents/tamper-evidence-methods.md b/quorum-key-management/src/component-documents/tamper-evidence-methods.md index 38230c2..77c1e43 100644 --- a/quorum-key-management/src/component-documents/tamper-evidence-methods.md +++ b/quorum-key-management/src/component-documents/tamper-evidence-methods.md @@ -123,7 +123,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The 1. Date and sign the polaroid photographs and store them in a local lock box -1. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed +1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit. // ANCHOR_END: vsbwf-procedure-sealing @@ -165,7 +165,7 @@ Glitter can be used as an additional control to provide tamper evidence on speci 1. Take a photograph of the laptop, preferably using the [tamper proofing station](tamper-evidence-methods#tamper-proofing-station) -1. Ensure the SD card is in dual custody until it's uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI) +1. Ensure the SD card is in dual custody until its contents are uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI) #### Verification diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/index.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/index.md index 82abded..ce476a6 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/index.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/index.md @@ -2,6 +2,8 @@ The provisioner is responsible for: +* Facilitating bootstrapping the system + * Procuring equipment * Setting up the facility @@ -33,6 +35,6 @@ The first task is to bootstrap the operator keys as they are an essential part o * [Procure Computer](./procure-computer.md) * Requires tamper proofing equipment to be available * [Provision Air Gapped Bundle](./provision-air-gapped-bundle.md) - * Requires operators to have PGP smart cards, tamper proofing equipment, AirgapOS SD card + * Requires operators to have smart cards with PGP keys, tamper proofing equipment, AirgapOS SD card * [Copy Shardfile SD Card](./copy-shardfile-sd-card.md) * Requires Root Entropy ceremony to be completed in order to have "Shardfile" SD cards available for copying diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md index 84dd302..07c13be 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/pgp-key-bootstrapping.md @@ -1,56 +1,68 @@ # Operator - Provisioning PGP Keypair -The initial set up requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes so that the ceremony can be completed in one working day. +The initial setup requires the provisioner and operator to do all of these in a continuous session ensuring dual custody. Ensure that all participants are familiar with the sub-processes so that the ceremony can be completed in one working day. ## Requirements * 3 individuals in order to have the flexibility for washroom breaks, fetching food and drinks etc. + * 1 Operator + + * 1 Provisioner + + * 1 person to witness, but should be familiar with the process + * [AirgapOS SD Card](./provision-airgapos.md) * [Tamper Proofing Equipment](./provision-tamper-proofing-equipment.md) * [Smart Cards](../../../../component-documents/hardware-models.md#smart-cards) - * 2 per PGP keypair + * 2 per PGP keypair (more than 2 smart cards can be provisioned per keypair if desired, for redundancy) * SD Cards: [Provisioning Guide](./provision-sd-card.md) * 3 per PGP keypair (for backups) - * + 2 SD cards for Keychain SD cards + * 2 additional SD cards for Keychain SD cards * Designated [facility](./provision-facility.md) * Sealable plastic bag: {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }} * For hardware procurement +* Tin can + lighter + + * This is used for burning materials produced during the ceremony which contain sensitive information + ## Procedure ### Procure Computer (AirgapOS Compatible) #### Compatible Hardware - {{ #include ../../hardware.md:computer-models }} #### Procedure {{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps }} + * In this case, wait until later steps where further instructions on how to tamper proof the computer + ### Ceremony -1. Enter the designated facility with an operator and individual keys are being generated for and all required equipment +1. Enter the designated facility with all participants and required equipment -1. Lock access to the facility - there should be no inflow or outflow of people during the ceremony if avoidable. During a long ceremony as this one this may be unavoidable. +1. Lock access to the facility - there should be no inflow of new people during the ceremony if avoidable. -1. Gut the laptop before using it: radio cards, speakers, microphones, storage drive +1. Remove all unnecessary parts from the laptop before using it to reduce side-channel and data remnance attack risk: radio cards, speakers, microphones, storage drive. + * While this is not required for Level 2 security, it MAY be done in order to improve security of the system. 1. Boot AirgapOS from verified SD card 1. Check AirgapOS hashes when it's booted -### Generating PGP Keys and Seeding Cards +#### Generating PGP Keys and Seeding Cards Repeat these steps for each keypair: @@ -85,7 +97,3 @@ The following objects should be in the bundle: #### Procedure {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} - -1. Create Air-Gapped bundle (airgapos, laptop) - -1. Submit evidence to ceremonies repo