cleanup based on ryan's feedback

This commit is contained in:
Anton Livaja 2025-02-11 00:59:54 -05:00
parent 37e3cd416a
commit d3a4ae7bf4
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
12 changed files with 40 additions and 41 deletions

View File

@ -1,6 +1,6 @@
/* ANCHOR: all */
// ANCHOR: content
Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
* You may mount the device using: `sudo mount /dev/<your_device> media/`
* You may mount the device using: `sudo mount /dev/<your_device> /media`
// ANCHOR_END: content
/* ANCHOR_END: all */
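
Review bot: the mount line uses `<your_device>` while the sentence above it defines the placeholder as `<device_name>`; use one name in both places. That sentence also mentions both the whole device (`/dev/sdX`) and a partition (`/dev/sdX1`), so state which of the two belongs in the `mount` command. Since the other files in this commit now hard-code `/media` as the path, "You may mount" should read as a required step rather than an optional one.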

View File

@ -25,6 +25,8 @@ as such need to be set up in a manner that minimizes exposure risks.
* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
* The PIN can't use sequential numbers, characters or repeated patterns.
1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:
* `gpg --import cert.asc`
@ -39,9 +41,7 @@ as such need to be set up in a manner that minimizes exposure risks.
1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
* {{ #include finding-device-name.md:content}}
* `cp cert.asc encrypted-mnemonic.asc /media/<device_name>/`
* `cp cert.asc encrypted-mnemonic.asc /media`
// ANCHOR_END: steps-keyfork
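
Review bot: the `cp cert.asc encrypted-mnemonic.asc /media` step has no check that the SD card is actually mounted at `/media`. If the mount was skipped or failed, `cp` still succeeds and both files land on the machine's own filesystem instead of the card. Add a verification bullet before the copy (for example re-running `lsblk` and confirming `/media` appears as the mount point) and a listing of `/media` after it.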

View File

@ -31,6 +31,8 @@
## Adding a OpenPGP Public Certificate to the Ceremony Repository
1. Switch to online machine
1. Ensure you are on the correct branch:
* `git checkout main`

View File

@ -46,25 +46,25 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in the Operator smart card
1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/<device_name>/vaults /root/vaults`
* `cp -r /media/vaults /root/vaults`
1. Change directory to vaults
* `cd /root/vaults`
1. Plug in the Operator smart card
1. Verify the existing signatures and add your own signature:
* `icepick workflow --add-signature-to-file <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc`
* `icepick workflow --add-signature-to-quorum <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated vaults repo to the SD card
* `cp -r /root/vaults /media/<device_name>/vaults`
* `cp -r /root/vaults /media`
1. Unplug the SD card from the air-gapped machine
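
Review bot: `cp -r /media/vaults /root/vaults` gives a different result depending on whether `/root/vaults` already exists: if it does, the repo ends up at `/root/vaults/vaults` and the following `cd /root/vaults` lands in the wrong tree. Use `cp -r /media/vaults /root/`, as the other ceremony documents in this commit do. "Plug in the Operator smart card" also appears twice in this list (before the copy and again before signing); keep one. The copy back with `cp -r /root/vaults /media` merges into the `vaults` directory already on the card, so it is worth stating whether that is intended.
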
@ -74,7 +74,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
1. Copy the updated repository locally:
* `cp -r /media/<device_name>/vaults ~/`
* `cp -r /media/vaults ~/`
1. Change into locally copied directory

View File

@ -24,7 +24,7 @@
1. Write the ceremony repo data to the SD card:
`cp -r vaults/ /media/<device_name>/`
`cp -r vaults/ /media`
1. Unplug the SD card
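
Review bot: "Unplug the SD card" follows the `cp -r vaults/ /media` line directly, with no step that flushes and unmounts the card first. Add a `sync` and `umount /media` step before unplugging so the copy is known to be complete on the card; the same applies to the other "Unplug the SD card" steps touched in this commit. The `cp` line here also lacks the `*` bullet marker the other documents use for commands.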

View File

@ -52,15 +52,15 @@
1. Start Keyfork using the relevant Shardfile:
* `keyfork recover shard --daemon /media/external/shard.asc`
* `keyfork recover shard --daemon /media/vaults/<namespace>/shardfile.asc`
* The Shardfile may be named something else. Use `find /media/external -type f -name '*shard*.asc'` to list all files.
* The Shardfile may be named something else. Use `find /media/vaults -type f -name '*shardfile*.asc'` to list all files.
1. Follow on screen prompts
1. Run the `icepick` command with the transaction payload
* `icepick workflow --run-quorum <payload>.json --shardfile /media/external/shard.asc`
* `icepick workflow --run-quorum <payload>.json --shardfile /media/vaults/<namespace>/shardfile.asc`
* Follow on screen prompts
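
Review bot: the `find` pattern was narrowed to `'*shardfile*.asc'`, but the sentence it sits in says the Shardfile "may be named something else". A card written under the previous naming (`shard.asc`, as in the replaced lines) would no longer match. Keep the broader `'*shard*.asc'` pattern, or drop the sentence if `shardfile.asc` is now the only supported name. "to list all files" should also read "to list matching files".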

View File

@ -16,11 +16,7 @@
1. Copy the Ceremony SD Card contents to machine
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
* Copy the contents of the card to machine:
* `cp -r /media/<device_name>/vaults /root/`
* `cp -r /media/vaults /root/`
1. Start `keyfork` using the relevant Shardfile:

View File

@ -34,9 +34,7 @@
1. Recover the mnemonic from an existing shardfile
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
* `keyfork shard combine /media/<device_name>/shard.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
* `keyfork shard combine /media/vaults/<namespace>/shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
1. Follow on screen prompts

View File

@ -32,17 +32,21 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in fresh SD card
1. If the namespace doesn't exist:
`mkdir -p /media/vaults/<namespace>`
1. Back up the output shardfile:
* `cp shardfile.new.asc /media/<device_name>/`
* `cp shardfile.new.asc /media/vaults/<namespace/shardfile.asc`
1. Back up the new keyring file:
* `cp keyring.new.asc /media/<device_name>/`
* `cp keyring.new.asc /media/vaults/<namespace>/keyring.asc`
1. Back up the root PGP certificate:
* `cp root_pgp_cert.asc /media/<device_name>/`
* `cp root_pgp_cert.asc /media/vaults/<namespace>/`
1. Each backup should be placed into High Visibility Storage after it's made
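
Review bot: the new shardfile line has an unclosed placeholder: `/media/vaults/<namespace/shardfile.asc` should be `/media/vaults/<namespace>/shardfile.asc`. The `mkdir -p` line is also missing the `*` bullet marker used by the other commands in this list. The shardfile and keyring copies now rename the files (`shardfile.new.asc` to `shardfile.asc`, `keyring.new.asc` to `keyring.asc`), so add a sentence saying the rename is intentional, since the labelling step above still refers to the newly generated artifacts.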

View File

@ -31,19 +31,23 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in fresh SD card
1. If the namepsace doesn't exist:
* `mkdir -p /media/vaults/<namespace>`
1. Back up the root OpenPGP certificate
* `cp encryption_cert.asc /media/<device_name>/`
* `cp encryption_cert.asc /media/vaults/<namespace>/`
1. Back up the `shardfile.asc`
* `cp shardfile.asc /media/<device_name>/`
* `cp shardfile.asc /media/vaults/<namespace>/`
1. Back up the `keyring.asc`
* `cp keyring.asc /media/<device_name>/`
* `cp keyring.asc /media/vaults/<namespace>`
1. Unplug the SD card and place it in High Visibility Storage
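
Review bot: the last copy, `cp keyring.asc /media/vaults/<namespace>`, omits the trailing slash that the two copies above it use. If the `mkdir -p` step was skipped, that form silently creates a file named after the namespace instead of failing. Write it as `/media/vaults/<namespace>/` for consistency. "namepsace" in the added step is a typo for "namespace".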

View File

@ -56,7 +56,7 @@ The proposer must combine these values into a JSON file, such as:
1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card
* `cp -r ~/vaults/ /media/<device_name>/`
* `cp -r ~/vaults/ /media`
1. Unplug the Ceremony SD card
@ -70,13 +70,10 @@ The proposer must combine these values into a JSON file, such as:
1. Plug in the Ceremony SD card
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Plug in the Operator smart card
1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/<device_name>/vaults /root/vaults`
* `cp -r /media/vaults /root`
1. Change into the vaults directory:
@ -90,17 +87,17 @@ The proposer must combine these values into a JSON file, such as:
1. Use `icepick workflow --help` to list the available workflows and options
1. Plug in the Operator smart card
1. Use icepick to generate and sign the payload:
* `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>`
* e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated ceremonies repo to the SD card
* `cp -r /root/vaults /media/<device_name>/vaults`
* `cp -r /root/vaults /media`
1. Unplug the SD card from the air-gapped machine
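
Review bot: the example command writes the payload to `<namespace>/ceremonies/<date>/payloads/payload_<num>.json`, while the approver document in this same commit reads it from `<namespace>/ceremonies/<date>/payload_<num>.json` (no `payloads/` directory). Align the two paths so the approver finds the file the proposer wrote. The redirect also assumes the target directory exists, so a `mkdir -p` bullet before it would help. "e.g" should be "e.g.".
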
@ -110,7 +107,7 @@ The proposer must combine these values into a JSON file, such as:
1. Copy the updated repository locally:
* `cp -r /media/<device_name>/vaults ~/`
* `cp -r /media/vaults ~/`
1. Change into locally copied directory

View File

@ -42,8 +42,6 @@
1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
* Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
1. `./sdtool /dev/<device_name> permlock`
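
Review bot: the `permlock` line takes `/dev/<device_name>`, which per the included snippet may be `/dev/sdX`, while the note directly above says the card has to appear as `/dev/mmcblk<num>`. Write the command with `/dev/mmcblk<num>` and add a bullet to confirm the device against `lsblk` output before running it, given that this is a lock step. The command is also numbered `1.` while its sibling lines are `*` bullets; make it a bullet under the same step.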