more refactoring and updating pgp generation and provisioner docs for

level 2
This commit is contained in:
Anton Livaja 2025-01-06 19:02:45 -05:00
parent 53202c6179
commit db19a45bff
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
22 changed files with 256 additions and 368 deletions

View File

@ -4,31 +4,28 @@
* [Selecting a Quorum](selecting-quorum.md)
* [System Roles](system-roles.md)
* [Software](software.md)
* [Hardware](hardware.md)
* [Glossary](glossary.md)
* [Location](locations.md)
* [Generated Documents]()
* [Root Entropy Generation]()
* [Ceremony Log Template](ceremony-log-template.md)
* [Root Entropy Ceremonies](root-entropy-ceremonies.md)
* [Local Key Provisioning](local-key-provisioning.md)
* [Hybrid Key Provisioning](hybrid-key-provisioning.md)
* [Remote Key Provisioning](remote-key-provisioning.md)
* [Additional Key Ceremonies]()
* [Operator Key Provisioning](operator-key-provisioning.md)
* [Location Key Provisioning](location-key-provisioning.md)
* [Level 1]()
* [Level 2]()
* [Fixed-Location]()
* [Provisioner](system-roles.md)
* [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md)
* [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md)
* [Keychain Repository](generated-documents/level-2/fixed-location/provisioner/keychain-repository.md)
* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
* [Provision Equipment](generated-documents/level-2/fixed-location/provisioner/procure-equipment.md)
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/procure-computer.md)
* [Provision Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md)
* [Provision Keychain Repository](generated-documents/level-2/fixed-location/provisioner/provision-keychain-repository.md)
* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
* [Provision Facility](generated-documents/level-2/fixed-location/provisioner/provision-facility.md)
* [Proposer](system-roles.md)
* [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
* [Approver](system-roles.md)
* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
* [Operator](system-roles.md)
* [Location](TODO)
* [PGP Key Bootstrapping](generated-documents/level-2/fixed-location/operator/pgp-key-bootstrapping.md)
* [PGP Key Provisioning](generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md)
* [Root Entropy Provisioning](generated-documents/level-2/fixed-location/operator/hybrid-key-provisioning.md)
* [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
* [Level 3]()
* [Level 4]()
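Review bot: the `Root Entropy Provisioning` entry links to `operator/hybrid-key-provisioning.md`, but a later hunk in this commit reduces that file to the single line `# Root Entropy Provisioning`, so the sidebar entry lands on an empty page; either rename the file to match the title and restore the steps there, or point the entry at the new Hybrid Key Provisioning document added in this commit. Also `[Location](TODO)` under Operator will render as a live link to a path literally named `TODO` (and mdBook will create that file on build); leave the target empty with `()` the way the draft chapters above do until the page exists. Minor: the titles `Provision Equipment` and `Provision Computer` point at `procure-equipment.md` and `procure-computer.md`, so pick one verb for both the title and the filename.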
@ -42,9 +39,9 @@
* [Tamper Evidence Methods](./component-documents/tamper-evidence-methods.md)
* [Change Smart Card PINs](./component-documents/setting-smart-card-pins.md)
* [Online Machine Provisioning](online-machine-provisioning.md)
* [Destroying Hardware](./component-documents/hardware-destruction.md)
* [Hardware Destruction](./component-documents/hardware-destruction.md)
* [Storage Device Management](./component-documents/storage-device-management.md)
* [Procure Hardware](./component-documents/hardware-procurement-and-chain-of-custody.md)
* [Procurement & Chain of Custody](./component-documents/hardware-procurement-and-chain-of-custody.md)
* [Online Artifact Storage](./component-documents/public-ceremony-artifact-storage.md)
* [Physical Artifact Storage](./component-documents/physical-artifact-storage.md)
* [`autorun.sh` Setup](./component-documents/autorun-sh-setup.md)
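Review bot: `Online Machine Provisioning` is the only entry in this block whose target, `online-machine-provisioning.md`, lacks the `./component-documents/` prefix its neighbours use; confirm the file really lives at the book root, otherwise prefix it like the renamed `Hardware Destruction` and `Procurement & Chain of Custody` entries.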

View File

@ -1,45 +1 @@
## Ceremony Log Template
```yml
usage: Location Key
officiant: Anton Livaja
location: Private Home (Address Redacted)
witnesses: N/A
hardware: Dell XPS 13 9630
firmware: BIOS 2.13.0
laptop_modifications:
- Removed WLAN Card
- Removed speakers
- Removed microphone
- Removed all drives
boot_media: Kingston Type 2 SD Card 1GB
backup_media: TeamGroup High Endurance Micro SDXC 128GB
smart_cards: Yubikey 5 NFC
software:
- name: Airgap OS
repo: https://git.distrust.co/public/airgap
ref: main
hash: 485fc58bfb1b4dc75a81138d93948385cc5bf600
playbooks:
- name: some/path/to/location_key_generation.md
repo: https://git.distrust.co/public/docs
ref: some-git-ref-here
notes: used once for each Location Key
- name: some/path/to/hybrid_quroum_key_generation.md
repo: https://git.distrust.co/public/docs
ref: some-git-ref-here
notes: used once to generate Root Entropy and Disaster Recovery Key
outputs:
- cert: ./cert
- shardfile: ./shardfile
Location (Test) Public Key Fingerprints:
- 0609D5C2634DB5D75226AD9A7A8A6F24873977E4
- 5F827701822425E8BB0D2EAB43EC881D8C80DE41
- 6E18E082945BC43411C3B490E43B49017440605D
Cold Quorum Key (Test) Fingerprint:
- 8BA0304345D05775C303E292D9BDBC00D3E85E87
log:
- 2024-08-05:1723: Selected a room in residence which has no electronics in it
and closed window and window blinds.
general_notes: N/A
```
# Ceremony Log Template
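Review bot: this file is reduced to the heading `# Ceremony Log Template` with no body, while an identical 45-line template is added as a new file in the next hunk, and other documents in this commit (the new Hybrid Key Provisioning steps) still link to `ceremony-log-template.md`, so readers following those links get a blank page. Either replace the body with an `{{ #include ... }}` of the moved template, the way `keychain-repository.md` includes its component document elsewhere in this diff, or update every link to the new path.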

View File

@ -0,0 +1,45 @@
## Ceremony Log Template
```yml
usage: Location Key
officiant: Anton Livaja
location: Private Home (Address Redacted)
witnesses: N/A
hardware: Dell XPS 13 9630
firmware: BIOS 2.13.0
laptop_modifications:
- Removed WLAN Card
- Removed speakers
- Removed microphone
- Removed all drives
boot_media: Kingston Type 2 SD Card 1GB
backup_media: TeamGroup High Endurance Micro SDXC 128GB
smart_cards: Yubikey 5 NFC
software:
- name: Airgap OS
repo: https://git.distrust.co/public/airgap
ref: main
hash: 485fc58bfb1b4dc75a81138d93948385cc5bf600
playbooks:
- name: some/path/to/location_key_generation.md
repo: https://git.distrust.co/public/docs
ref: some-git-ref-here
notes: used once for each Location Key
- name: some/path/to/hybrid_quroum_key_generation.md
repo: https://git.distrust.co/public/docs
ref: some-git-ref-here
notes: used once to generate Root Entropy and Disaster Recovery Key
outputs:
- cert: ./cert
- shardfile: ./shardfile
Location (Test) Public Key Fingerprints:
- 0609D5C2634DB5D75226AD9A7A8A6F24873977E4
- 5F827701822425E8BB0D2EAB43EC881D8C80DE41
- 6E18E082945BC43411C3B490E43B49017440605D
Cold Quorum Key (Test) Fingerprint:
- 8BA0304345D05775C303E292D9BDBC00D3E85E87
log:
- 2024-08-05:1723: Selected a room in residence which has no electronics in it
and closed window and window blinds.
general_notes: N/A
```
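Review bot: the playbook path `some/path/to/hybrid_quroum_key_generation.md` carries the typo `quroum` (should be `quorum`), and because this is a template it will be copied verbatim into every ceremony log created from it. Separately, `hash:` under the AirgapOS entry is ambiguous next to `repo:` and `ref:`: the value looks like a git commit, but the ceremony steps elsewhere in this commit verify `sha256sum ceremony.sh` of the booted image, and an auditor needs both; consider distinct `commit:` and `sha256:` fields so the log records exactly what was checked.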

View File

@ -0,0 +1,79 @@
# Hybrid Key Provisioning
This document contains instructions on how Operators collaborate to set up
QVS where the Operator Keys and Location Keys were generated before this
ceremony and only the PGP Public Certificates of the Location keys are brought
to the ceremony which are used to shard the Root Entropy. This is useful
when conducting the ceremony in a lower trust environment, and where not all
aspects of the ceremony can be controlled to the desired degree.
## Requirements
* Each member needs to bring their:
* Ceremony Notes
* Ceremony SD Card
* Airgap SD Card (only 1 member needs to bring this - set up according to
[One Time Use / AirgapOS Setup](TODO)).
* Operator Keys
* Ceremonies repository
## Steps
1. Ensure there are additional witnesses for the ceremony, outside of the
operators to assist in monitoring and verifying the integrity of the process.
* Designate at least 1 individual to keep notes on the ceremony based
on the [Ceremony Log Template](ceremony-log-template.md)
1. Ensure that no participants have brought digital devices other than ones
necessary for the ceremony. A faraday bag may be used to hold any such devices
for the duration of the ceremony.
1. Procure a laptop and SD cards (3) from a randomly selected store and
ensure at least 2 people are in line of sight of all the hardware until the
ceremony is executed. It may be worthwhile to try booting from the SD card at
the store. Dell laptops tend to support booting from SD cards while Lenovo
don't. More notes on selecting hardware can be found [here](one-time-use-hardware-procurement.md)
1. Secure a [Location](one-time-use-locations.md)
1. Verify the SD card by either:
* Booting a separate AirgapOS to the machine used for the ceremony in order
to verify the SD card is not writeable and the hash matches using the steps
from the [One Time Use/ AirgapOS Setup](TODO) guide.
OR
* Mounting the SD card to a separate machine and verifying it's not
writeable and verify the hash matches using steps from the [One Time Use/AirgapOS Setup](TODO) guide.
* NOTE: It is essential that the SD card remain in line of sight from the
moment it is verified to the moment is is used.
1. Plug in and boot from Airgap SD card:
* Boot from internal SD card reader or USB device reader
* Verify the `sha256sum ceremony.sh` hash matches each of the Operator's
"Ceremony Notes"
1. Button mash to ensure adequate entropy on the OS
1. Set the system time as it has to be after the PGP
public certificates were created, and before they expire:
* `date -s "YYYY-MM-DD HH:MM:SS"`
1. Run `ceremony.sh`
1. Back up the `shardfile`, and `pub.asc` to 3 separate SD cards,
one for each operator
1. Destroy the computer according to [Hardware Destruction](hardware-destruction.md)
guide.
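Review bot: the three `[One Time Use / AirgapOS Setup](TODO)` references in the Requirements and the SD card verification step are a regression from the document this content was moved out of, which linked `one-time-use-airgapos.md`; this commit also adds an include of `component-documents/one-time-use-airgapos.md`, so the links have a real target. The Requirements list `Operator Keys` and `Ceremonies repository`, but no step uses them: the previous version's first step (set up the ceremony repository and create Ceremony Notes before the ceremony) was dropped, and the step `Verify the sha256sum ceremony.sh hash matches each of the Operator's "Ceremony Notes"` depends on it, so restore or link that preparation step. Minor: `the moment is is used` in the NOTE.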

View File

@ -33,17 +33,9 @@ The initial set up requires the operators to do all of these in a continuous ses
1. Boot AirgapOS from verified SD card
1. Generate mnemonic using `keyfork` command:
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}}
* TODO add keyfork command
1. Derive PGP key using `keyfork` command:
* TODO add command
1. Use `oct` to seed smart card(s)
#### Creation of Initial Air-gapped Bundle
#### Creation of Initial Air-Gapped Bundle
- [ ] TODO there is a reference to air gapped bundle in provisioner: procure-equipment... doc
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
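Review bot: the two includes in this file use different depths, `../../../../component-documents/openpgp-setup.md` and `../../../../../../component-documents/tamper-evidence-methods.md`; both cannot be correct for one file, and mdBook will either fail the build or emit the literal directive for the wrong one. Also the `- [ ] TODO there is a reference to air gapped bundle ...` checklist item sits in rendered text directly under the renamed heading; move it to an issue or an HTML comment so it does not appear in the published procedure.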

View File

@ -0,0 +1,23 @@
# PGP Key Provisioning
## Requirements
* For each new key to be provisioned:
* New smart card
* 2 new SD cards
* Tamper proofing evidence
* TODO define the evidence as an importable anchor
## Procedure
1. Enter the facility with all personnel and required equipment
1. Lock access to the facility for the duration of the ceremony
1. Unseal the tamper proofed bundle consisting of a air-gapped laptop, "AirgapOS" SD card and "Keychain" SD card
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}}
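Review bot: step 3 unseals the tamper-proofed bundle but nothing in this hunk verifies the tamper evidence first; the deleted Portable Reusable Laptop Ceremony document included `tamper-evidence-methods.md:vsbwf-procedure-unsealing` at exactly this point, and that include (with the matching `vsbwf-procedure-sealing` at the end) should be carried over so the check and the re-seal are part of the written procedure rather than left to memory. The `Tamper proofing evidence` requirement with its `TODO define the evidence as an importable anchor` sub-bullet renders as-is, and `a air-gapped laptop` should be `an air-gapped laptop`.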

View File

@ -1,3 +1 @@
# Keychain Repository
{{ #include ../../../../component-documents/keychain-repository.md:content }}
# Provision AirgapOS
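Review bot: this file's body is replaced by the bare heading `# Provision AirgapOS`, dropping the `keychain-repository.md:content` include without adding anything in its place; if this is the page the sidebar's `Provision AirgapOS` entry targets, it needs the AirgapOS SD card content that this commit adds to a separate new file (which itself starts at `##`), otherwise the page should include that content or be removed rather than shipped empty.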

View File

@ -0,0 +1,15 @@
## Procure Computer
For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required.
Sealable plastic bag is required for this procedure:
{{ #include ../../../../hardware-models.md:sealable-plastic-bags }}
### Models
{{ #include ../../hardware.md:computer-models }}
### Procedure
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}}
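Review bot: the include `../../../../hardware-models.md:sealable-plastic-bags` needs checking: this commit adds a `// ANCHOR: sealable-plastic-bags` under `## Tamper Proofing` in the hardware page edited further down and deletes a 101-line `# Hardware` file, so the anchor may no longer live in `hardware-models.md`. The two includes also use different depths (`../../../../` versus `../../hardware.md`) for what appear to be sibling files at the book root. Heading level: this new page starts at `## Procure Computer` while the sibling pages added here (`# Provision Facility`, `# Keychain Repository`) start at `#`, and the sidebar calls it `Provision Computer`.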

View File

@ -16,16 +16,6 @@ The provisioner is responsible for:
The different procedures are ordered in chronological preference, to improve the efficiency of setting up the system.
## Facility
1. Identify a location which is suitable for Level 2 ceremonies:
* SHOULD be lockable to prevent inflow and outflow of persons during ceremonies
1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room.
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this
## Preparing SD Cards
SD cards don't require special chain of custody, but ideally should be purchased from a reputable supplier.
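Review bot: the Facility steps are removed from the provisioner index and added as `provision-facility.md`, but the remaining intro sentence `The different procedures are ordered in chronological preference` now opens directly on `## Preparing SD Cards`; add a link to the new Provision Facility page at the head of the list so the chronological ordering the sentence promises still begins with securing the facility.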
@ -36,7 +26,7 @@ SD cards don't require special chain of custody, but ideally should be purchased
### Notes
* The location should always be well stocked with freshly formatted SD cards
* The facility should always be well stocked with freshly formatted SD cards
* There should be at least 20 microSD and 20 SD cards available for use
@ -50,13 +40,14 @@ SD cards don't require special chain of custody, but ideally should be purchased
* Storing tamper proofing evidence produced at the end of the ceremony
### Procedure: formatting SD Card to `ext4`
### Procedure: formatting SD Card to `fat32`
{{ #include ../../../../sd-formatting.md:steps }}
{{ #include ../../../../component-documents/sd-formatting.md:steps }}
## Tamper Proofing Equipment
### Vacuum Sealer and roll
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-equipment}}
### Colored beads
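Review bot: only the heading changes from `ext4` to `fat32` here while the included `sd-formatting.md:steps` is untouched apart from the path fix; confirm the anchored steps actually format the card to FAT32, otherwise the heading now describes a different procedure than the one it introduces.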
@ -64,19 +55,13 @@ SD cards don't require special chain of custody, but ideally should be purchased
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-filler}}
### Digital camera
{{ #include ../../../../component-documents/tamper-evidence-methods.md:digital-cameras}}
### Polaroid camera
{{ #include ../../../../component-documents/tamper-evidence-methods.md:polaroid-cameras}}
## AirgapOS (SD Card)
An SD card with AirgapOS written to it will be required to run ceremonies.
The AirgapOS SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
{{ #include ../../../../one-time-use-airgapos.md:steps }}
### Shardfile (SD Card)
There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.
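Review bot: the `### Polaroid camera` subsection (`tamper-evidence-methods.md:polaroid-cameras`) is removed together with the AirgapOS section, but the Polaroid is still part of the tamper evidence kit as described in the deleted Portable Reusable Laptop Ceremony page (`Polaroid camera + pack of polaroid film`, `Polaroid photos`); if Level 2 no longer uses Polaroids, say so in the sealing procedure, otherwise keep the subsection so the provisioner still procures the camera and film.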
@ -85,11 +70,11 @@ The Shardfile SD Card once provisioned will be used in creating the [tamper proo
* Label: "Shardfile"
## Trusted Keys (SD Card)
## Keychain (SD Card)
This procedure requires 2 individuals in order to witness the process and verify that the data being burned to the card is correct.
The Trusted Keys SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
The Keychain SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
### Procedure
@ -109,23 +94,8 @@ The Trusted Keys SD Card once provisioned will be used in creating the [tamper p
{{ #include ../../../../sdtool-instructions.md:steps }}
1. Label the card "Trusted Keys <date>"
1. Label the card "Keychain <date>"
## Computer Procurement
For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required.
Sealable plastic bag is required for this procedure:
{{ #include ../../../../hardware-models.md:sealable-plastic-bags }}
### Models
{{ #include ../../hardware.md:computer-models }}
### Procedure
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}}
## Air-gapped bundle
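Review bot: `Label the card "Keychain <date>"`: in mdBook's Markdown, `<date>` is a well-formed inline HTML tag and is passed through as raw HTML, which the browser hides, so the rendered instruction reads `Keychain "`; wrap it in a code span or write `Keychain YYYY-MM-DD`. The `../../../../sdtool-instructions.md:steps` include in the same block still lacks the `component-documents/` prefix that the SD formatting include gained earlier in this diff; check whether that file was moved as well.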
@ -135,7 +105,7 @@ Sealable plastic bag is required for this procedure:
* [AirgapOS SD card](#airgapos)
* [Trusted keys SD card](#trusted-keys)
* [Keychain SD card](#trusted-keys)
* [Shardfile SD card](#shardfile)
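Review bot: `[Keychain SD card](#trusted-keys)` updates the link text but not the fragment; the heading was renamed to `## Keychain (SD Card)` in this same file, and mdBook derives ids from heading text, so `#trusted-keys` no longer resolves (and `#airgapos` / `#shardfile` are unlikely to have matched `## AirgapOS (SD Card)` and `### Shardfile (SD Card)` either, which render as `#airgapos-sd-card` and `#shardfile-sd-card`). The AirgapOS section was also moved out of this file in this commit, so that link now needs a cross-page target.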

View File

@ -0,0 +1,7 @@
## AirgapOS (SD Card)
An SD card with AirgapOS written to it will be required to run ceremonies.
The AirgapOS SD Card once provisioned will be used in creating the [tamper proofed airgap bundle](#air-gapped-bundle)
{{ #include ../../../../component-documents/one-time-use-airgapos.md:steps }}
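Review bot: the `[tamper proofed airgap bundle](#air-gapped-bundle)` link was copied from the provisioner index, but the `## Air-gapped bundle` heading stays in the index, so from this new page the fragment points nowhere; make it a cross-page link to the index page's `#air-gapped-bundle`. The page also starts at `## AirgapOS (SD Card)` while the sibling new pages start at `#`, and the sidebar titles it `Provision AirgapOS`.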

View File

@ -0,0 +1,3 @@
# Provision Ceremony Repository
{{ #include ../../../../component-documents/ceremony-repository.md:content }}

View File

@ -0,0 +1,9 @@
# Provision Facility
1. Identify a location which is suitable for Level 2 ceremonies:
* SHOULD be lockable to prevent inflow and outflow of persons during ceremonies
1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room.
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this

View File

@ -0,0 +1,3 @@
# Keychain Repository
{{ #include ../../../../component-documents/keychain-repository.md:content }}

View File

@ -36,6 +36,41 @@
// ANCHOR_END: sd-models
## Smart Cards
Smart Cards are primarily used for storing OpenPGP cryptographic keys which are
used as a building block for security controls. These smart cards hold OpenPGP
keys which are derived in secure environments.
There are three primary requirements for smart cards:
* FIPS 140-2
* Support for Ed25519 OpenPGP
* Touch for enacting operations
### Notes
* Librem smartcards are not recommended because they don't have touch capabilities
* NitroKey and SoloKey are favored due to their fully open nature and therefore verifiability
* YubiKey has the advantage of being the most battle tested but is not verifiable and has had issues in the past (Infineon bug)
Some options include:
// ANCHOR: smart-cards
* NitroKey 3
* Solo Key
* YubiKey 5
* Librem Key
// ANCHOR_END: smart-cards
## Tamper Proofing
// ANCHOR: sealable-plastic-bags
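Review bot: the `smart-cards` anchor lists `Librem Key` as an option immediately after the Notes say it is not recommended for lacking touch, and touch is one of the three stated requirements; drop it from the anchored list (any page including `hardware.md:smart-cards` will present it as acceptable) or mark it as not meeting the requirement. `Infineon bug` is too vague to act on during procurement; name the affected YubiKey firmware range and the advisory so readers can check their devices. Also state per model whether it satisfies the `FIPS 140-2` requirement the page itself sets, since the list currently gives no way to tell.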

View File

@ -1,101 +0,0 @@
# Hardware
This page describes different equipment which is required, and makes opinionated
recommendations as well as alternatives. One may improve the overall security
of their system by using a variety of hardware in order to benefit from their
diversity, by reducing the likelihood that all hardware has suffered the same
kind of hardware supply chain compromise, has the same vulnerability present, or
has the same type of hardware failure issue.
Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
required to set up a [QVS](glossary.md#quroum-kms-QVS) will
vary. In order to figure out what equipment is required, decide on a Quorum,
which is expressed as "N of M". Once you know your M, the required equipment list
is the following:
* M x 4 Smart Cards
* It is recommended to use two Smart Cards for storing each key pair
* Ideally two different types of hardware are used in order to reduce the
risk of simultaneous failure
* At least 1 Smart Card is required for each Operator Key and 1 Smart Card
for each Location Key
* The number of Operator Keys is M, and the number of Location Keys is also
M, hence the minimum of 2 x M Smart Cards, with the recommendation of using
two smart cards for each, resulting in 4 x M Smart Cards
* 2 + X Storage Devices
* 1 Storage Device for [AirgapOS](repeat-use-airgapos.md)
* 1 Storage Device for storing [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
* X, or *any* number of additional Storage Devices to duplicate the data, a
good measure would be to have at least 3 Storage Devices for the ceremony
* Librem 14 Laptop
* Get as many laptops as desired to satisfy your operational needs
* For each Librem 14, get a Librem Smart Card used for [PureBoot](initialize-pureboot-smart-card.md)
## Smart Cards
Smart Cards are primarily used for storing OpenPGP cryptographic keys which are
used as a building block for security controls. These smart cards hold OpenPGP
keys which are derived in secure environments.
There are three primary requirements for smart cards:
* FIPS 140-2
* Support for Ed25519 OpenPGP
* Touch for enacting operations
Some options include:
* NitroKey 3 - because of its open source approach which allows for verification
* YubiKey 5 - because of the widespread use and battle-tested reliability
* Librem Key - because of the manufacturer's approach to hardware supply chain
security and verifiable software
## Air-Gapped Computer
[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle
management of cryptographic material that is part of QVS.
The primary hardware recommendation for an Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
and as such is an excellent choice for hardware which high integrity assurance is
required for.
#### Alternative
An alternative approach is to use an off-the-shelf computer that is randomly
selected right before the ceremony, removing the storage drive(s), radio cards,
microphone(s) and speakers from it to reduce side channel attack risks, using it
to conduct a Ceremony, and then destroying the laptop using sufficiently
adequate method to ensure that no data forensics can be used to recover the data
from the drive, or memory. This can be achieved by using a combination of
incineration, degaussing, shredding, smashing and drilling. Special care should
be taken to completely destroy all components of the computer that are able to
store data, even if it's only in ephemeral form as some forensic methods all
extraction of data from components with "temporary memory".
Three letter agencies are known to collect and exploit physical destroyed drives,
as data can still be extracted from them using methods such as electron
microscopy, therefore a combination of degaussing, shredding and burning should
be used, and the remaining debris should be spread out across multiple disposal
locations.
## Storage Device
Can be an SD Card (preferred due to smaller attack surface) or USB Drive but
should be procured from a vendor with a good reputation, and ideally hardware of
industrial grade should be prioritized for durability.
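Review bot: deleting this page removes the only equipment sizing guidance (`M x 4 Smart Cards`, `2 + X Storage Devices`, one Librem Smart Card per Librem 14 for PureBoot) and no hunk in this commit adds it elsewhere; the Smart Cards section is carried over to the hardware page, but the quorum-based count and the storage-device rationale should be confirmed to exist in the procurement or hardware documents before this merges. Likewise the alternative-hardware destruction guidance (degaussing, shredding, incineration, spreading debris) should be verified to be present in `hardware-destruction.md`, which the sidebar now links, rather than assumed.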

View File

@ -1,77 +1 @@
# Hybrid Key Provisioning
This document contains instructions on how Operators collaborate to set up
QVS where the Operator Keys and Location Keys were generated before this
ceremony and only the PGP Public Certificates of the Location keys are brought
to the ceremony which are used to shard the Root Entropy. This is useful
when conducting the ceremony in a lower trust environment, and where not all
aspects of the ceremony can be controlled to the desired degree.
## Steps
1. Prior to the ceremony, set up a git repository with relevant artifacts in it,
and create Ceremony Notes according to [this](one-time-repository-setup.md)
guide.
2. Ensure there are additional witnesses for the ceremony, outside of the
operators to assist in monitoring and verifying the integrity of the process.
* Designate at least 1 individual to keep notes on the ceremony based
on the [Ceremony Log Template](ceremony-log-template.md)
3. Ensure that no participants have brought digital devices other than ones
necessary for the ceremony. A faraday bag may be used to hold any such devices
for the duration of the ceremony.
4. Procure a laptop and SD cards (3) from a randomly selected store and
ensure at least 2 people are in line of sight of all the hardware until the
ceremony is executed. It may be worthwhile to try booting from the SD card at
the store. Dell laptops tend to support booting from SD cards while Lenovo
don't. More notes on selecting hardware can be found [here](one-time-use-hardware-procurement.md)
5. Secure a [Location](one-time-use-locations.md)
6. Each member needs to bring their:
* Ceremony Notes
* Ceremony SD Card
* Airgap SD Card (only 1 member needs to bring this - set up according to
[One Time Use / AirgapOS Setup](one-time-use-airgapos.md)).
7. Verify the SD card by either:
* Booting a separate AirgapOS to the machine used for the ceremony in order
to verify the SD card is not writeable and the hash matches using the steps
from the [One Time Use/ AirgapOS Setup](one-time-use-airgapos.md) guide.
OR
* Mounting the SD card to a separate machine and verifying it's not
writeable and verify the hash matches using steps from the [One Time Use/AirgapOS Setup](one-time-use-airgapos.md) guide.
* NOTE: It is essential that the SD card remain in line of sight from the
moment it is verified to the moment is is used.
8. Plug in and boot from Airgap SD card:
* Boot from internal SD card reader or USB device reader
* Verify the `sha256sum ceremony.sh` hash matches each of the Operator's
"Ceremony Notes"
9. Button mash to ensure adequate entropy on the OS
10. Set the system time as it has to be after the PGP
public certificates were created, and before they expire:
* `date -s "YYYY-MM-DD HH:MM:SS"`
10. Run `ceremony.sh`
11. Back up the `shardfile`, and `pub.asc` to 3 separate SD cards,
one for each operator
12. Destroy the computer according to [Hardware Destruction](hardware-destruction.md)
guide.
# Root Entropy Provisioning
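Review bot: this rewrite leaves the file as the single line `# Root Entropy Provisioning`, with the Hybrid Key Provisioning steps moved into a new file elsewhere in the commit, yet the sidebar entry `Root Entropy Provisioning` still targets this `hybrid-key-provisioning.md`; either bring the content back via an `{{ #include ... }}` of the new file or rename the file to match its new title. If the rename is intended, note that the moved copy replaced the working `one-time-use-airgapos.md` links with `TODO`, which should be reverted as part of the move.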

View File

@ -21,7 +21,7 @@ would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-s
established [Location](locations.md)
2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
or the [One Time Use Airgap-OS](TODO)
3. Provision new key in the selected secure environment
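Review bot: replacing `(one-time-use-airgapos.md)` with `(TODO)` in step 2 turns a working link into a dead one; this commit includes `component-documents/one-time-use-airgapos.md:steps` in the new provision-airgapos page, so the link should follow the file to its new path rather than be blanked.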

View File

@ -1,72 +0,0 @@
# Portable Reusable Laptop Ceremony
## Security Level
This process offers a Level 2 security mitigation, focusing on defending against remote adversaries and insider threats.
## Requirements
### Roles
This setup does require the support of all [system roles](system-roles.md).
* MUST use at least 1 [Proposer](system-roles.md#proposer)
* MUST use at least 1 [Approver](system-roles.md#approver) different from Proposer
* MUST have at least 2 [Witnesses](system-roles.md#witness)
* MUST have at least 1 [Operator](system-roles.md#operator)
### Location
To conform to [Level 2](threat-model.md#level-2) security properties a location must be used according to the [Locations](locations.md) specification.
### Equipment
* Laptop procured according to [Hardware Procurement](./component-documents/hardware-procurement-and-chain-of-custody.md) guide
* Polaroid camera + pack of polaroid film
- [] TODO update tamper rpoofing doc with polaroid camera models and film
* Digital camera
- [ ] TODO add recommendations
* 10 SD cards
- [ ] TODO add which
* [Vacuum sealer](tamper-evidence-methods.md#vacuum-sealers)
* [Vacuum sealer roll](tamper-evidence-methods.md#vacuum-sealers)
* Tamper evidence photographs:
* Printed digital photos
* Polaroid photos
## Procedure
1. The laptop and all hardware used SHOULD be kept on the person at all times
* MAY leave the laptop in a safe
* MAY (but not recommended) leave the laptop with full time supervision (such as bellhop)
2. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony.
3. Before starting the ceremony ensure that at least 1 Operator and 1 Witness are present
4. Verify that the request from the Proposer is properly approved by an Approver
### Unsealing
{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
### Perform Operations
Follow a [playbook](TODO)
### Sealing
{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}}
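Review bot: deleting this page drops the role requirements (`MUST have at least 2 Witnesses`, an Approver distinct from the Proposer) and the step `Verify that the request from the Proposer is properly approved by an Approver`, and none of the Level 2 operator documents added in this commit restate them. The `Unsealing` and `Sealing` includes (`vsbwf-procedure-unsealing`, `vsbwf-procedure-sealing`) are the tamper-evidence check that gives the reusable laptop its Level 2 property, and only the sealing half reappears (in the PGP bootstrapping document); carry both into the new procedures or link to a page that has them.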

View File

@ -1,3 +0,0 @@
# Remote Key Provisioning
TODO
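Review bot: the stub is removed, but the sidebar hunk at the top of this diff still shows `[Remote Key Provisioning](remote-key-provisioning.md)` under Additional Key Ceremonies; confirm that line is on the removed side of that hunk, otherwise mdBook will recreate an empty `remote-key-provisioning.md` on the next build.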

View File

@ -70,6 +70,12 @@ Different threat model levels allow an organization to start benefiting from the
Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
* [Level 1](#level-1)
* [Level 2](#level-2)
* [Level 3](#level-3)
* [Level 4](#level-4)
## Level 1
### Threat Model