Compare commits
	
		
			No commits in common. "759cd4339f7d641c334380db340fcaf1077c2367" and "bd3cc8c11818c5d6dd5e87790f2fe1a7a3718661" have entirely different histories.
		
	
	
		
		
	
		|  | @ -31,8 +31,3 @@ | |||
|                 * [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md) | ||||
|                 * [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md) | ||||
|                 * [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md) | ||||
| <<<<<<< HEAD | ||||
|                 * [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md) | ||||
| ======= | ||||
|                 * [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md) | ||||
| >>>>>>> feat/encrypt-wallet-to-namespace | ||||
|  |  | |||
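Review bot: The `<<<<<<< HEAD`, `=======` and `>>>>>>> feat/encrypt-wallet-to-namespace` lines in the operator list are unresolved merge-conflict markers that were committed to the summary on one side of this compare. The `-31,8 +31,3` range leaves only the three entries above them, so both the Decrypt Namespace Secret link and the Encrypt Wallet To Namespace PGP Key link go away with the markers. Confirm that dropping both is intended rather than resolving to one of them, and add a pre-merge check that rejects files containing conflict markers.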
|  | @ -1,53 +0,0 @@ | |||
| # Decrypt Namespace Secret | ||||
| 
 | ||||
| ## Requirements | ||||
| 
 | ||||
| {{ #include ../../operator-requirements.md:requirements }} | ||||
| 
 | ||||
| * [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)  | ||||
| 
 | ||||
| * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | ||||
| 
 | ||||
| ## Procedure | ||||
| 
 | ||||
| 1. Enter the designated location with required personnel and equipment | ||||
| 
 | ||||
| 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony | ||||
| 
 | ||||
| 1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage | ||||
| 
 | ||||
| {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | ||||
| 
 | ||||
| 1. Place all materials except for the laptop into High Visibility Storage | ||||
| 
 | ||||
| 1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop  | ||||
| 
 | ||||
| 1. Turn on the machine | ||||
| 
 | ||||
| 1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage | ||||
| 
 | ||||
| 1. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine | ||||
| 
 | ||||
| 1. Copy the Ceremony SD Card contents to machine | ||||
| 
 | ||||
|     * Find device name using `lsblk` | ||||
| 
 | ||||
|     * Copy the contents of the card to machine: | ||||
| 
 | ||||
|         * `cp -r /media/<device_name>/* ~` | ||||
| 
 | ||||
| 1. Start `keyfork` using the relevant Shardfile: | ||||
| 
 | ||||
| 	* `keyfork recover shard --daemon /media/<media_name>/path/to/shardfile.asc` | ||||
| 
 | ||||
|     * Follow on screen prompts | ||||
| 
 | ||||
| 1. Derive the OpenPGP root certificate: | ||||
| 
 | ||||
|     * `keyfork derive openpgp > secret_key.asc` | ||||
| 
 | ||||
| 1. Decrypt the secret material: | ||||
| 
 | ||||
|     * `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted` | ||||
| 
 | ||||
| 1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.  | ||||
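Review bot: The procedure stops at the transfer step with no closing counterpart to the `vsbwf-procedure-unsealing` include, so after `secret_key.asc` and `decrypted` have been written on the machine nothing tells the operators to power it down or reseal the bundle. The `-1,53 +0,0` range shows the whole document present on one side only; if it is kept or restored, end it with the sealing include and replace the `[High Visibility Storage](TODO)` link. The `keyfork recover shard` step also reads the shardfile from `/media/<media_name>/` although an earlier step already copied the card contents to `~`; pick one location.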
|  | @ -1,24 +0,0 @@ | |||
| # Encrypt Wallet to Namespace Key | ||||
| 
 | ||||
| Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) into a Namespace. | ||||
| 
 | ||||
| ## Requirements | ||||
| 
 | ||||
| * [Namespace OpenPGP Certificate]()  | ||||
| 
 | ||||
|     * It can be on an SD card or accessed online | ||||
| 
 | ||||
| ## Procedure | ||||
| 
 | ||||
| 1. Access machine which has the secret that should be encrypted available | ||||
| 
 | ||||
|     * If not on a computer, but a hardware wallet or otherwise, perform the steps on a air-gapped machine | ||||
| 
 | ||||
| 1. Load the OpenPGP certificate: | ||||
| 
 | ||||
| 1. Encrypt the secret to certificate: | ||||
| 
 | ||||
|     * `sq encrypt --for-file <certificate> <file_to_encrypt> --output encrypted.asc` TODO: sq needs to be added to airgapOS | ||||
| 
 | ||||
| 1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the ceremonies repository | ||||
| 
 | ||||
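Review bot: Nothing in the procedure verifies the Namespace OpenPGP certificate before `sq encrypt --for-file <certificate>` is run, although the requirements allow it to be "accessed online"; encrypting to the wrong certificate hands the secret to whoever holds its key. Add a step that compares the certificate fingerprint against a trusted copy, and fill in the "Load the OpenPGP certificate:" step, which ends at the colon with no command. The `[Namespace OpenPGP Certificate]()` link is empty, and the inline `TODO: sq needs to be added to airgapOS` should be tracked outside the operator-facing step.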
|  | @ -32,9 +32,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor | |||
| 
 | ||||
| 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: | ||||
| 
 | ||||
|     * Replace the values: <path_to_input_shard>, <pgp_cert_id> | ||||
| 
 | ||||
| 	* `keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid=<user_id>` TODO: NOT IMPLEMENTED | ||||
| 	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>` | ||||
| 
 | ||||
| 1. Unseal an SD card pack | ||||
| 
 | ||||
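Review bot: The placeholder list ("Replace the values: <path_to_input_shard>, <pgp_cert_id>") does not match either command in this step: the `keyfork wizard generate-shard-secret` line uses a literal `shardfile.asc` and `<user_id>`, and the `keyfork mnemonic generate` line uses `<path_to_input_shard>` and `<output_shardfile>`. Whichever command the step keeps, list exactly its placeholders. A command tagged `TODO: NOT IMPLEMENTED` should not sit in a ceremony runbook without stating what operators run in the meantime.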
|  | @ -42,27 +40,23 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor | |||
| 
 | ||||
| 1. Place all unsealed SD cards into High Visibility Storage | ||||
| 
 | ||||
| 1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]" | ||||
| 1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]" | ||||
| 
 | ||||
|     1. `lsblk` to find media name | ||||
| 
 | ||||
|     1. Back up the output shardfile:  | ||||
|         * `cp shardfile.new.asc /media/<media_name>/` | ||||
| 
 | ||||
|     1. Back up the new keyring file: | ||||
| 
 | ||||
|         * `cp keyring.new.asc /media/<media_name>/` | ||||
| 
 | ||||
|     1. Back up the root PGP certificate: | ||||
|         * `cp root_pgp_cert.asc /media/<media_name>/` | ||||
|     1. `cp <shard_file_name> /media/<media_name>` | ||||
| 
 | ||||
|     1. Each backup should be placed into High Visibility Storage after it's made | ||||
| 
 | ||||
|     1. Unplug the SD card and place it in High Visibility Storage | ||||
| <!-- | ||||
| 1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command: | ||||
| 
 | ||||
|     1. Label the SD card "Shardfile [date] [namespace]" | ||||
|     * `keyfork recover shard --daemon /media/external/<shard_file_name>` | ||||
| --> | ||||
| 
 | ||||
| 1. Upload the newly generated artifacts into the ceremonies repository | ||||
| 1. Unplug the SD card and place it in High Visibility Storage | ||||
| 
 | ||||
| 1. Label the SD card "Shardfile \[date\] \[namespace\]" | ||||
| 
 | ||||
| 1. Gather all the original items that were in the air-gapped bundle: | ||||
| 
 | ||||
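Review bot: The backup sub-steps name files that no visible step produces: `cp root_pgp_cert.asc /media/<media_name>/` has no matching output (the wizard command in the previous hunk names `encryption_cert.new.asc`), and `cp <shard_file_name> /media/<media_name>` uses a different placeholder from the `<output_shardfile>` in the parent step. Align the names with the generating command. The "Unplug the SD card" and "Label the SD card" steps also appear at two indentation levels with different label formats ("Shardfile [unique_name] [date]" and "Shardfile [date] [namespace]"); keep one of each.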
|  | @ -71,4 +65,3 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor | |||
|     * AirgapOS SD card | ||||
| 
 | ||||
| {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} | ||||
| 
 | ||||
|  |  | |||
|  | @ -32,11 +32,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key | |||
| 
 | ||||
| 1. Run the relevant keyfork wizard to perform the ceremony: | ||||
| 
 | ||||
|     * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id> | ||||
| 
 | ||||
| 
 | ||||
|     * `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>` TODO: NOT IMPLEMENTED | ||||
| 
 | ||||
| 	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc` | ||||
| 
 | ||||
| 1. Unseal an SD card pack | ||||
| 
 | ||||
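Review bot: Only the command variant tagged `TODO: NOT IMPLEMENTED` passes `--derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>`; the other variant has no such flag, so with it `<pgp_cert_id>` in the placeholder list is unused and nothing in the command names the `encryption_cert.asc` that the later backup step copies. The two lines also spell one placeholder differently (`<number_of_smartcards_per_operator>` and `<number_of_smart_cards_per_operator>`); use the spelling from the "Replace the following values" list.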
|  | @ -48,24 +44,24 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key | |||
| 
 | ||||
|     1. Find media name using `lsblk` | ||||
| 
 | ||||
|     1. Back up the root OpenPGP certificate | ||||
| 
 | ||||
|         * `cp encryption_cert.asc /media/<media_name>/` | ||||
| 
 | ||||
|     1. Back up the `shardfile.asc`      | ||||
| 
 | ||||
|         * `cp shardfile.asc /media/<media_name>/`  | ||||
|         * `cp shardfile.asc /media/<media_name>`  | ||||
| 
 | ||||
|     1. Back up the `keyring.asc` | ||||
| 
 | ||||
|         * `cp keyring.asc /media/<media_name>/` | ||||
|         * `cp keyring.asc /media/<media_name>` | ||||
| 
 | ||||
| <!-- | ||||
|     1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command: | ||||
| 
 | ||||
|         * `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh` | ||||
| --> | ||||
| 
 | ||||
|     1. Unplug the SD card and place it in High Visibility Storage | ||||
| 
 | ||||
|     1. Label the SD card "Shardfile [date]" | ||||
| 
 | ||||
| 1. Upload the newly generated artifacts into the ceremonies repository | ||||
| 
 | ||||
| 1. Gather all the original items that were in the air-gapped bundle: | ||||
| 
 | ||||
|     * Air-gapped computer | ||||
|  |  | |||
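Review bot: The backup sub-steps go from `cp` straight to "Unplug the SD card" with no flush or verification, so a shardfile or keyring can end up truncated on the card without anyone noticing. Add a `sync` or unmount before unplugging and compare a checksum of each copy against the original. In the commented-out block, the `autorun.sh` line runs `keyfork recover shard --daemon` with no shardfile path, and "Upload the newly generated artifacts into the ceremonies repository" does not say how the files leave the air-gapped machine.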
|  | @ -4,6 +4,7 @@ | |||
| ## For Quorum Based Operations | ||||
| // ANCHOR: requirements | ||||
| 
 | ||||
| 
 | ||||
| * [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md) | ||||
| 
 | ||||
| * Minimum of 2 [Operators](/system-roles.md#operator) | ||||
|  |  | |||