clean up git backup flows

Anton Livaja 2025-02-11 03:11:15 -05:00
parent 6537012e9e
commit cdd51780be
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
4 changed files with 64 additions and 38 deletions

View File

@ -6,7 +6,13 @@
1. Copy files into designated location in a repository:
* e.g `cp /dev/<your_device> ~/<repository_name>/<path_to_location>`
* e.g `cp -r /media/vaults ~/vaults/`
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
1. Change directory to `vaults`
* `cd ~/vaults`
1. Add all files to git stage:
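Review bot: The new bullet under step 1 tells the operator to run `sudo rm -rf ~/vaults` after checking only for uncommitted changes, so commits that exist locally but were never pushed would be deleted along with the directory. Name the check explicitly (for example `git status` for the working tree, plus a check for unpushed commits if the repository has a remote) and say what to do when either finds something. Also consider whether `sudo` is needed: if the copy was made as the operator's own user, plain `rm -rf` keeps the destructive step at lower privilege.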

View File

@ -133,9 +133,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The
1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
1. Compare polaroid and printed photographs of digital record to the current state of the sealed object
1. Compare printed photographs of object to the sealed object
1. Compare polaroid to printed photographs of digital record
1. (IF polaroid photographs are available): Compare polaroid to the current state of the sealed object
1. (IF polaroid photographs are available): Compare polaroid to printed photographs
1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process according to organization's policies.
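Review bot: The two `(IF polaroid photographs are available)` steps allow the polaroid comparison to be skipped without saying how the operator knows whether polaroids should exist for this object. If polaroids were taken when the object was sealed, their absence at unsealing is itself a discrepancy, so the last step should say that missing polaroids go to the incident response branch rather than being skipped. The wording also varies between `printed photographs of object`, `printed photographs of digital record` and `printed photographs`; pick one term.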

View File

@ -32,32 +32,41 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Place all unsealed SD cards into High Visibility Storage
1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
1. Plug in the Ceremony SD card
1. Back up the `shardfile.asc`
* `cp shardfile.asc /media/vaults/<namespace>/`
1. Back up the `keyring.asc`
* `cp keyring.asc /media/vaults/<namespace>/`
1. TODO - NOT IMPLEMENTED:
* Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/vaults/<namespace>/`
1. Copy the contents of Ceremony SD card to machine
* `cp -r /media/vaults /root/`
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
1. If the namespace doesn't exist:
1. `cp -r /root/vaults /media/`
`mkdir -p /media/vaults/<namespace>`
1. Unplug the SD card
1. Back up the output shardfile:
* `cp shardfile.new.asc /media/vaults/<namespace/shardfile.asc`
1. Label the SD card "Ceremony [date]"
1. Back up the new keyring file:
1. Place the SD caard in High Visibility Storage
* `cp keyring.new.asc /media/vaults/<namespace>/keyring.asc`
1. Power down the air-gapped machine
1. TODO: NOT IMPLEMENTED
* Back up the root PGP certificate:
* `cp encryption_cert.new.asc /media/vaults/<namespace>/`
1. Each backup should be placed into High Visibility Storage after it's made
1. Unplug the SD card and place it in High Visibility Storage
1. Label the SD card "Shardfile [date] [namespace]"
1. Upload the newly generated artifacts into the `vaults` repository
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
{{ #include ../../../../component-documents/git-basics.md:content }}
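Review bot: In the additional-backup sub-steps, `cp -r /root/vaults /media/` is followed directly by `Unplug the SD card` with no flush or verification in between, so a truncated or still-cached write to the card would go unnoticed until the backup is needed. Add a `sync` and a comparison such as `diff -r /root/vaults /media/vaults` before the unplug step. Smaller point: `Place the SD caard in High Visibility Storage` has a typo.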

View File

@ -6,6 +6,8 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
{{ #include ../../operator-requirements.md:requirements }}
* [Ceremony SD Card](./ceremony-sd-card-provisioning.md)
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
* `N` Smart Cards in the chosen `M of N` quorum
@ -18,31 +20,20 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Run the relevant keyfork wizard to perform the ceremony:
* Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_cert_id> with appropriate values
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc`
* TODO - NOT IMPLEMENTED:
`--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>`
1. Unseal an SD card pack
1. Unseal an SD card pack by following tamper proofing steps:
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all unsealed SD cards into High Visibility Storage
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
1. If the namepsace doesn't exist:
* `mkdir -p /media/vaults/<namespace>`
1. Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/vaults/<namespace>/`
1. Plug in the Ceremony SD card
1. Back up the `shardfile.asc`
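Review bot: The placeholder names in the `Replace the following values` bullet do not match the command: the bullet lists `<number_of_smart_cards_per_operator>` while the `keyfork wizard generate-shard-secret` line uses `<number_of_smartcards_per_operator>`, and `<pgp_cert_id>` appears only in the flag marked TODO - NOT IMPLEMENTED. Use one spelling and list only the placeholders the operator will actually fill in. The escaping is also uneven (`\<M>` and `\<N>` are escaped, the other two are not), and `namepsace` in the `If the namepsace doesn't exist` step is misspelled.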
@ -50,15 +41,33 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Back up the `keyring.asc`
* `cp keyring.asc /media/vaults/<namespace>`
* `cp keyring.asc /media/vaults/<namespace>/`
1. Unplug the SD card and place it in High Visibility Storage
1. TODO - NOT IMPLEMENTED:
* Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/vaults/<namespace>/`
1. Copy the contents of Ceremony SD card to machine
* `cp -r /media/vaults /root/`
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
1. `cp -r /root/vaults /media/`
1. Unplug the SD card
1. Label the SD card "Ceremony [date]"
1. Place the SD card in High Visibility Storage
1. Power down the air-gapped machine
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and upload the newly generated artifacts into the `vaults` repository in the appropriate `<namespace>` sub directory using an online machine
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
{{ #include ../../../../component-documents/git-basics.md:content }}
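Review bot: The `TODO - NOT IMPLEMENTED` item sits inside the numbered sequence with a concrete `cp encryption_cert.asc /media/vaults/<namespace>/` command, while the `--derive-openpgp-cert` flag that would produce that file is itself marked not implemented in the wizard step, so an operator working through the ceremony reaches a step for a file that does not exist. Move it out of the numbered steps or mark it explicitly as skipped until it is implemented. The final step is also ambiguous about its source: it transfers with `one of the SD cards` but commits the repository `that's on the Ceremony SD card`, and the backup cards are labelled "Ceremony [date]" as well.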