clean up git backup flows
parent 6537012e9e
commit cdd51780be
|
@ -6,7 +6,13 @@
|
|||
|
||||
1. Copy files into designated location in a repository:
|
||||
|
||||
* e.g `cp /dev/<your_device> ~/<repository_name>/<path_to_location>`
|
||||
* e.g `cp -r /media/vaults ~/vaults/`
|
||||
|
||||
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
|
||||
|
||||
1. Change directory to `vaults`
|
||||
|
||||
* `cd ~/vaults`
|
||||
|
||||
1. Add all files to git stage:
|
||||
|
||||
|
|
|
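Review bot: In the bullet that tells the operator to run `sudo rm -rf ~/vaults`, the only precondition is that nothing is uncommitted, so commits that were made locally but never pushed are deleted along with the directory. Suggest spelling the check out, for example `git -C ~/vaults status` plus confirming that no local commits are missing from the remote, and dropping `sudo` unless the copy is expected to be root-owned. The first example, `cp /dev/<your_device> ...`, also reads from a device node rather than a mounted path like the `/media/vaults` example next to it; if it is meant to stay, it should name the mount point.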
@ -133,9 +133,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The
|
|||
|
||||
1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
|
||||
|
||||
1. Compare polaroid and printed photographs of digital record to the current state of the sealed object
|
||||
1. Compare printed photographs of object to the sealed object
|
||||
|
||||
1. Compare polaroid to printed photographs of digital record
|
||||
1. (IF polaroid photographs are available): Compare polaroid to the current state of the sealed object
|
||||
|
||||
1. (IF polaroid photographs are available): Compare polaroid to printed photographs
|
||||
|
||||
1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process according to organization's policies.
|
||||
|
||||
|
|
|
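Review bot: The two steps marked `(IF polaroid photographs are available)` make the polaroid optional, which leaves `Compare printed photographs of object to the sealed object` as the only check when no polaroid exists, and nothing in this hunk says how the operator confirms the prints are the ones taken at sealing. Suggest adding a step, or a pointer to an existing one, for verifying the digital record the prints come from, and settling on one name for the prints: the lines here alternate between "printed photographs of digital record", "printed photographs of object" and "printed photographs".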
@ -32,32 +32,41 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
1. Place all unsealed SD cards into High Visibility Storage
|
||||
|
||||
1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the `shardfile.asc`
|
||||
|
||||
* `cp shardfile.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Back up the `keyring.asc`
|
||||
|
||||
* `cp keyring.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. TODO - NOT IMPLEMENTED:
|
||||
|
||||
* Back up the root OpenPGP certificate
|
||||
|
||||
* `cp encryption_cert.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Copy the contents of Ceremony SD card to machine
|
||||
|
||||
* `cp -r /media/vaults /root/`
|
||||
|
||||
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
1. Plug in fresh SD card
|
||||
|
||||
1. If the namespace doesn't exist:
|
||||
1. `cp -r /root/vaults /media/`
|
||||
|
||||
`mkdir -p /media/vaults/<namespace>`
|
||||
1. Unplug the SD card
|
||||
|
||||
1. Back up the output shardfile:
|
||||
* `cp shardfile.new.asc /media/vaults/<namespace/shardfile.asc`
|
||||
1. Label the SD card "Ceremony [date]"
|
||||
|
||||
1. Back up the new keyring file:
|
||||
1. Place the SD caard in High Visibility Storage
|
||||
|
||||
* `cp keyring.new.asc /media/vaults/<namespace>/keyring.asc`
|
||||
1. Power down the air-gapped machine
|
||||
|
||||
1. TODO: NOT IMPLEMENTED
|
||||
* Back up the root PGP certificate:
|
||||
* `cp encryption_cert.new.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Each backup should be placed into High Visibility Storage after it's made
|
||||
|
||||
1. Unplug the SD card and place it in High Visibility Storage
|
||||
|
||||
1. Label the SD card "Shardfile [date] [namespace]"
|
||||
|
||||
1. Upload the newly generated artifacts into the `vaults` repository
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
|
||||
{{ #include ../../../../component-documents/git-basics.md:content }}
|
||||
|
||||
|
|
|
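Review bot: Neither `cp -r /media/vaults /root/` nor `cp -r /root/vaults /media/` is followed by a check that the copy is complete before the card is unplugged and stored, so a truncated or failed write would only be discovered when the backup is needed. Suggest adding a verification step after each copy (for example comparing checksums of `shardfile.asc` and `keyring.asc` on both sides) and flushing writes before `Unplug the SD card`. Two text fixes in the same hunk: `Place the SD caard in High Visibility Storage` has a typo, and `/media/vaults/<namespace/shardfile.asc` is missing the closing `>` if that line is kept. The `TODO - NOT IMPLEMENTED` item is also a numbered step with a runnable `cp encryption_cert.asc ...` command; consider moving it out of the procedure until it works so operators do not try to run it.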
@ -6,6 +6,8 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
{{ #include ../../operator-requirements.md:requirements }}
|
||||
|
||||
* [Ceremony SD Card](./ceremony-sd-card-provisioning.md)
|
||||
|
||||
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
|
||||
|
||||
* `N` Smart Cards in the chosen `M of N` quorum
|
||||
|
@ -18,31 +20,20 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. Run the relevant keyfork wizard to perform the ceremony:
|
||||
|
||||
* Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
|
||||
|
||||
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_cert_id> with appropriate values
|
||||
|
||||
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc`
|
||||
|
||||
* TODO - NOT IMPLEMENTED:
|
||||
`--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>`
|
||||
|
||||
1. Unseal an SD card pack
|
||||
1. Unseal an SD card pack by following tamper proofing steps:
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
||||
1. Place all unsealed SD cards into High Visibility Storage
|
||||
|
||||
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
1. Plug in fresh SD card
|
||||
|
||||
1. If the namepsace doesn't exist:
|
||||
|
||||
* `mkdir -p /media/vaults/<namespace>`
|
||||
|
||||
1. Back up the root OpenPGP certificate
|
||||
|
||||
* `cp encryption_cert.asc /media/vaults/<namespace>/`
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the `shardfile.asc`
|
||||
|
||||
|
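Review bot: The placeholder names do not match between the "Replace the following values" bullet and the command: the bullet lists `<number_of_smart_cards_per_operator>` while the command uses `--keys-per-shard=<number_of_smartcards_per_operator>`. Suggest using one spelling in both places. The bullet also asks the operator to supply `<pgp_cert_id>`, which only appears in `--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>` under `TODO - NOT IMPLEMENTED`; either drop it from the list for now or mark it as not yet used. Minor: `--keys-per-shard=` uses `=` while `--threshold` and `--max` use a space.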
@ -50,15 +41,33 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. Back up the `keyring.asc`
|
||||
|
||||
* `cp keyring.asc /media/vaults/<namespace>`
|
||||
* `cp keyring.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Unplug the SD card and place it in High Visibility Storage
|
||||
1. TODO - NOT IMPLEMENTED:
|
||||
|
||||
* Back up the root OpenPGP certificate
|
||||
|
||||
* `cp encryption_cert.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Copy the contents of Ceremony SD card to machine
|
||||
|
||||
* `cp -r /media/vaults /root/`
|
||||
|
||||
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
1. Plug in fresh SD card
|
||||
|
||||
1. `cp -r /root/vaults /media/`
|
||||
|
||||
1. Unplug the SD card
|
||||
|
||||
1. Label the SD card "Ceremony [date]"
|
||||
|
||||
1. Place the SD card in High Visibility Storage
|
||||
|
||||
1. Power down the air-gapped machine
|
||||
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and upload the newly generated artifacts into the `vaults` repository in the appropriate `<namespace>` sub directory using an online machine
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
|
||||
{{ #include ../../../../component-documents/git-basics.md:content }}
|
||||
|
||||
|
|
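Review bot: The final step says to transfer the artifacts "using one of the SD cards" and then to commit the changes in the `vaults` repository "that's on the Ceremony SD card", which leaves it unclear whether the original Ceremony SD card or one of the backups labelled "Ceremony [date]" goes to the online machine. Suggest naming the card explicitly and stating what happens to it afterwards, in particular whether a card that has been plugged into an online machine may return to the air-gapped machine or to High Visibility Storage. As in the other ceremony document, the `TODO - NOT IMPLEMENTED` item sits in the numbered steps with a `cp encryption_cert.asc ...` command; it would be clearer outside the procedure until the certificate is actually produced.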