cleanup based on ryan's feedback

This commit is contained in:
Anton Livaja 2025-02-11 00:59:54 -05:00
parent 37e3cd416a
commit d3a4ae7bf4
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
12 changed files with 40 additions and 41 deletions

View File

@ -1,6 +1,6 @@
/* ANCHOR: all */ /* ANCHOR: all */
// ANCHOR: content // ANCHOR: content
Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`) Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
* You may mount the device using: `sudo mount /dev/<your_device> media/` * You may mount the device using: `sudo mount /dev/<your_device> /media`
// ANCHOR_END: content // ANCHOR_END: content
/* ANCHOR_END: all */ /* ANCHOR_END: all */
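Review bot: The mount target fix (`media/` to `/media`) is right, but the `sudo mount /dev/<your_device> /media` line mounts the raw device while the sentence above it says the card may carry a partition such as `/dev/sdX1`; say which of the two to pass to `mount`, since mounting the whole device fails when the filesystem lives on a partition. Also worth stating here that `/media` must be empty (or at least not already a mount) before the command, because every other file in this commit now assumes the card is reachable as `/media/...`.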

View File

@ -25,6 +25,8 @@ as such need to be set up in a manner that minimizes exposure risks.
* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"` * `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
* The PIN can't use sequential numbers, characters or repeated patterns.
1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic: 1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:
* `gpg --import cert.asc` * `gpg --import cert.asc`
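Review bot: The added bullet "The PIN can't use sequential numbers, characters or repeated patterns" sits under the `keyfork mnemonic generate ... --provision openpgp-card` command but gives no minimum length and does not say at which step the PIN is requested; state the length requirement and tie the rule to the prompt it applies to, otherwise the operator only learns the policy after a rejected attempt.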
@ -39,9 +41,7 @@ as such need to be set up in a manner that minimizes exposure risks.
1. Insert an SD card to contain the public certificate and the encrypted mnemonic. 1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
* {{ #include finding-device-name.md:content}} * `cp cert.asc encrypted-mnemonic.asc /media`
* `cp cert.asc encrypted-mnemonic.asc /media/<device_name>/`
// ANCHOR_END: steps-keyfork // ANCHOR_END: steps-keyfork
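Review bot: Replacing the `{{ #include finding-device-name.md:content}}` line with `cp cert.asc encrypted-mnemonic.asc /media` drops the only step that mounts the SD card, so a reader following the new text copies the certificate and encrypted mnemonic into an unmounted `/media` on the local disk. Keep the include (or an explicit mount step) before the `cp`. The other files in this commit also place artifacts under `/media/vaults/<namespace>/`; consider the same layout here rather than the root of the card.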

View File

@ -31,6 +31,8 @@
## Adding a OpenPGP Public Certificate to the Ceremony Repository ## Adding a OpenPGP Public Certificate to the Ceremony Repository
1. Switch to online machine
1. Ensure you are on the correct branch: 1. Ensure you are on the correct branch:
* `git checkout main` * `git checkout main`
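Review bot: The new step "Switch to online machine" should read "Switch to the online machine" to match the surrounding wording, and since the section is about adding a certificate to the repository, it should say how `cert.asc` reaches that machine (which SD card carries it), otherwise the `git checkout main` step has nothing to commit.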

View File

@ -46,25 +46,25 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in the Operator smart card
1. Copy the git repo locally from the Ceremony SD card 1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/<device_name>/vaults /root/vaults` * `cp -r /media/vaults /root/vaults`
1. Change directory to vaults 1. Change directory to vaults
* `cd /root/vaults` * `cd /root/vaults`
1. Plug in the Operator smart card
1. Verify the existing signatures and add your own signature: 1. Verify the existing signatures and add your own signature:
* `icepick workflow --add-signature-to-file <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc` * `icepick workflow --add-signature-to-quorum <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated vaults repo to the SD card 1. Copy the updated vaults repo to the SD card
* `cp -r /root/vaults /media/<device_name>/vaults` * `cp -r /root/vaults /media`
1. Unplug the SD card from the air-gapped machine 1. Unplug the SD card from the air-gapped machine
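Review bot: The flag rename `--add-signature-to-file` to `--add-signature-to-quorum` is not mentioned in the commit message; confirm it matches the current `icepick workflow` CLI and call it out, since an operator on an older build will get an unknown-option error. Separately, the second `{{ #include ../../../../component-documents/finding-device-name.md:content }}` (the unchanged context line before "Copy the updated vaults repo") is now redundant: the card was already mounted at `/media` for the first copy and stays mounted. Moving "Plug in the Operator smart card" to just before the signing step is good, it shortens the window the card is present. Note that `cp -r /root/vaults /media` merges into the existing `/media/vaults` and does not remove files deleted locally; if that matters for the ceremony record, say so.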
@ -74,7 +74,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
1. Copy the updated repository locally: 1. Copy the updated repository locally:
* `cp -r /media/<device_name>/vaults ~/` * `cp -r /media/vaults ~/`
1. Change into locally copied directory 1. Change into locally copied directory
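Review bot: `cp -r /media/vaults ~/` runs on the online machine (the previous step unplugged the card from the air-gapped one), where desktop distributions typically automount removable media under a per-user subdirectory of `/media` or under `/run/media`, not at `/media` itself. The `<device_name>` form that was removed handled that; either keep it for the online-side steps or add a note that the card must be mounted at `/media` manually on that machine too.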

View File

@ -24,7 +24,7 @@
1. Write the ceremony repo data to the SD card: 1. Write the ceremony repo data to the SD card:
`cp -r vaults/ /media/<device_name>/` `cp -r vaults/ /media`
1. Unplug the SD card 1. Unplug the SD card
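Review bot: Same online-machine concern as the other `/media` changes: `cp -r vaults/ /media` assumes the card is mounted exactly at `/media`, which an automounting desktop will not do. Also, with a trailing slash on the source, `cp -r vaults/ /media` still creates `/media/vaults` (unlike rsync), which is what the next steps expect, so the trailing slash is harmless but worth dropping for consistency with the `cp -r /root/vaults /media` form used elsewhere in this commit.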

View File

@ -52,15 +52,15 @@
1. Start Keyfork using the relevant Shardfile: 1. Start Keyfork using the relevant Shardfile:
* `keyfork recover shard --daemon /media/external/shard.asc` * `keyfork recover shard --daemon /media/vaults/<namespace>/shardfile.asc`
* The Shardfile may be named something else. Use `find /media/external -type f -name '*shard*.asc'` to list all files. * The Shardfile may be named something else. Use `find /media/vaults -type f -name '*shardfile*.asc'` to list all files.
1. Follow on screen prompts 1. Follow on screen prompts
1. Run the `icepick` command with the transaction payload 1. Run the `icepick` command with the transaction payload
* `icepick workflow --run-quorum <payload>.json --shardfile /media/external/shard.asc` * `icepick workflow --run-quorum <payload>.json --shardfile /media/vaults/<namespace>/shardfile.asc`
* Follow on screen prompts * Follow on screen prompts
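Review bot: The `find` pattern was narrowed from `'*shard*.asc'` to `'*shardfile*.asc'`, so it no longer matches a file named `shard.asc`, which is the name the previous version of these documents used for the same artifact. Cards written before this commit will be missed; keep the broader `'*shard*.asc'` pattern (it still matches `shardfile.asc`). The `--daemon` and `--run-quorum` paths now agree on `/media/vaults/<namespace>/shardfile.asc`, which is an improvement.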

View File

@ -16,11 +16,7 @@
1. Copy the Ceremony SD Card contents to machine 1. Copy the Ceremony SD Card contents to machine
* {{ #include ../../../../component-documents/finding-device-name.md:content }} * `cp -r /media/vaults /root/`
* Copy the contents of the card to machine:
* `cp -r /media/<device_name>/vaults /root/`
1. Start `keyfork` using the relevant Shardfile: 1. Start `keyfork` using the relevant Shardfile:
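Review bot: Removing both the `{{ #include ... finding-device-name.md:content }}` line and the "Copy the contents of the card to machine" sub-step leaves `cp -r /media/vaults /root/` as the only instruction, with nothing telling the operator to mount the Ceremony SD card at `/media` first. On an unmounted `/media` the copy simply fails with "No such file", which is recoverable, but the step should still say where the mount happens.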

View File

@ -34,9 +34,7 @@
1. Recover the mnemonic from an existing shardfile 1. Recover the mnemonic from an existing shardfile
* {{ #include ../../../../component-documents/finding-device-name.md:content }} * `keyfork shard combine /media/vaults/<namespace>/shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
* `keyfork shard combine /media/<device_name>/shard.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
1. Follow on screen prompts 1. Follow on screen prompts
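Review bot: As in the other files, the include that mounted the card is removed and `keyfork shard combine /media/vaults/<namespace>/shardfile.asc` now depends on an undocumented mount at `/media`; add the mount step back or reference it. The path change itself is consistent with the `shardfile.asc` naming introduced elsewhere in this commit.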

View File

@ -32,17 +32,21 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]" 1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. Plug in fresh SD card
1. If the namespace doesn't exist:
`mkdir -p /media/vaults/<namespace>`
1. Back up the output shardfile: 1. Back up the output shardfile:
* `cp shardfile.new.asc /media/<device_name>/` * `cp shardfile.new.asc /media/vaults/<namespace/shardfile.asc`
1. Back up the new keyring file: 1. Back up the new keyring file:
* `cp keyring.new.asc /media/<device_name>/` * `cp keyring.new.asc /media/vaults/<namespace>/keyring.asc`
1. Back up the root PGP certificate: 1. Back up the root PGP certificate:
* `cp root_pgp_cert.asc /media/<device_name>/` * `cp root_pgp_cert.asc /media/vaults/<namespace>/`
1. Each backup should be placed into High Visibility Storage after it's made 1. Each backup should be placed into High Visibility Storage after it's made
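Review bot: `cp shardfile.new.asc /media/vaults/<namespace/shardfile.asc` is missing the closing `>` in `<namespace`, so a reader substituting the placeholder will not find it and the literal path may be used. More importantly, the new sequence "Plug in fresh SD card" then `mkdir -p /media/vaults/<namespace>` has no mount step, and `mkdir -p` succeeds on an unmounted `/media`, so the shardfile, keyring and root certificate would be written to the air-gapped machine's own filesystem while the card stays empty; add the mount step before the `mkdir`, and consider a check such as `findmnt /media` before writing. Minor: the `mkdir -p` line lacks the `* ` bullet that the corresponding line in the next file uses.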

View File

@ -31,19 +31,23 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts 1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. Plug in fresh SD card
1. If the namepsace doesn't exist:
* `mkdir -p /media/vaults/<namespace>`
1. Back up the root OpenPGP certificate 1. Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/<device_name>/` * `cp encryption_cert.asc /media/vaults/<namespace>/`
1. Back up the `shardfile.asc` 1. Back up the `shardfile.asc`
* `cp shardfile.asc /media/<device_name>/` * `cp shardfile.asc /media/vaults/<namespace>/`
1. Back up the `keyring.asc` 1. Back up the `keyring.asc`
* `cp keyring.asc /media/<device_name>/` * `cp keyring.asc /media/vaults/<namespace>`
1. Unplug the SD card and place it in High Visibility Storage 1. Unplug the SD card and place it in High Visibility Storage
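Review bot: Typo in the added line: "namepsace" should be "namespace". The last copy, `cp keyring.asc /media/vaults/<namespace>`, lacks the trailing slash the two lines above it have; if the directory were missing this would create a file named after the namespace rather than failing, so keep the slash for all three. Same mount concern as the previous file: "Plug in fresh SD card" followed by `mkdir -p /media/vaults/<namespace>` silently succeeds on an unmounted `/media` and the backups land on the local disk.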

View File

@ -56,7 +56,7 @@ The proposer must combine these values into a JSON file, such as:
1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card 1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card
* `cp -r ~/vaults/ /media/<device_name>/` * `cp -r ~/vaults/ /media`
1. Unplug the Ceremony SD card 1. Unplug the Ceremony SD card
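Review bot: `cp -r ~/vaults/ /media` is on the proposer's online machine, where the card will normally be automounted under a per-user directory rather than at `/media`; the removed `<device_name>` placeholder covered that case. Either keep the placeholder on the online side or state that the card must be mounted at `/media` by hand on every machine in the procedure.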
@ -70,13 +70,10 @@ The proposer must combine these values into a JSON file, such as:
1. Plug in the Ceremony SD card 1. Plug in the Ceremony SD card
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in the Operator smart card
1. Copy the git repo locally from the Ceremony SD card 1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/<device_name>/vaults /root/vaults` * `cp -r /media/vaults /root`
1. Change into the vaults directory: 1. Change into the vaults directory:
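Review bot: Dropping the `{{ #include ... finding-device-name.md:content }}` line leaves "Plug in the Ceremony SD card" followed directly by `cp -r /media/vaults /root`, with no step that mounts the card; the copy will fail on an unmounted `/media`. Moving "Plug in the Operator smart card" out of this hunk to the signing step later in the file is a good change, it keeps the card unplugged until it is needed.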
@ -90,17 +87,17 @@ The proposer must combine these values into a JSON file, such as:
1. Use `icepick workflow --help` to list the available workflows and options 1. Use `icepick workflow --help` to list the available workflows and options
1. Plug in the Operator smart card
1. Use icepick to generate and sign the payload: 1. Use icepick to generate and sign the payload:
* `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>` * `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>`
* e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` * e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated ceremonies repo to the SD card 1. Copy the updated ceremonies repo to the SD card
* `cp -r /root/vaults /media/<device_name>/vaults` * `cp -r /root/vaults /media`
1. Unplug the SD card from the air-gapped machine 1. Unplug the SD card from the air-gapped machine
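Review bot: Good to see "Plug in the Operator smart card" placed immediately before `icepick workflow ... --sign`; consider adding an "Unplug the Operator smart card" step right after signing so the card is not still present during the copy to the SD card and the subsequent steps. The `cp -r /root/vaults /media` target is fine (it merges into the existing `/media/vaults`), and removing the second include is correct since the card is still mounted from the earlier copy.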
@ -110,7 +107,7 @@ The proposer must combine these values into a JSON file, such as:
1. Copy the updated repository locally: 1. Copy the updated repository locally:
* `cp -r /media/<device_name>/vaults ~/` * `cp -r /media/vaults ~/`
1. Change into locally copied directory 1. Change into locally copied directory
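Review bot: Same point as the approver document: `cp -r /media/vaults ~/` runs on the online machine after the card leaves the air-gapped one, where `/media` is unlikely to be the mount point unless mounted manually; keep `<device_name>` for this step or document the manual mount.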

View File

@ -42,8 +42,6 @@
1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`: 1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
* Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num> * Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
1. `./sdtool /dev/<device_name> permlock` 1. `./sdtool /dev/<device_name> permlock`
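Review bot: Removing the include here breaks the step: `./sdtool /dev/<device_name> permlock` still uses `<device_name>`, and the removed include was the only text explaining how to find it with `lsblk`. Unlike the other files, this step needs the raw block device (the note about `/dev/mmcblk<num>` on non-Qubes systems confirms that), not a mount at `/media`, so the device-name instructions should stay in this file. Locking the wrong device is not reversible given `permlock`, so the lookup step matters more here than anywhere else in the commit.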