Compare commits
3 Commits
anton/add-
...
main
| Author | SHA1 | Date |
|---|---|---|
| | 98c7efef54 | |
| | 950a078f4e | |
| | f317310d4c | |
@ -10,8 +10,8 @@ indent_style = tab
|
|||
indent_size = 2
|
||||
|
||||
[*.md]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
indent_style = tab
|
||||
indent_size = 4
|
||||
|
||||
[*]
|
||||
end_of_line = lf
|
||||
|
|
|
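Review bot: the `[*.md]` section switching from `indent_style = space` / `indent_size = 2` to `indent_style = tab` / `indent_size = 4` will make editors insert tabs into markdown files that are currently space-indented, and CommonMark expands a tab to the next 4-column stop, so nested list items and indented content in the docs can render differently depending on which indentation a given file ends up with. Either reformat the existing markdown in the same change or keep spaces for `[*.md]`.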
@ -29,10 +29,12 @@
|
|||
* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
|
||||
* [Operator](generated-documents/level-2/fixed-location/operator/index.md)
|
||||
* [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
|
||||
* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
|
||||
* [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
|
||||
* [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md)
|
||||
* [SOL - Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
|
||||
* [Namespace Operations]()
|
||||
* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
|
||||
* [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
|
||||
* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
|
||||
* [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
|
||||
* [Coins - SOL]()
|
||||
* [SOL - Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
|
||||
* [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md)
|
||||
|
|
|
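Review bot: the two new group entries `[Namespace Operations]()` and `[Coins - SOL]()` have empty link targets, which mdBook treats as draft chapters (shown in the sidebar but not clickable); if that is intended it is fine, otherwise give each group an index page and link it the way `[Operator](generated-documents/level-2/fixed-location/operator/index.md)` is linked above. Also check that `Namespace Entropy Ceremony` is not the line kept directly under Operator as well as the one added under `Namespace Operations`, or the same page gets two navigation entries.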
@ -4,30 +4,15 @@
|
|||
|
||||
1. {{ #include finding-device-name.md:content }}
|
||||
|
||||
1. Copy files into designated location in a repository:
|
||||
1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
|
||||
|
||||
* e.g `cp -r /media/vaults ~/vaults/`
|
||||
|
||||
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
|
||||
|
||||
1. Change directory to `vaults`
|
||||
|
||||
* `cd ~/vaults`
|
||||
|
||||
1. Add all files to git stage:
|
||||
|
||||
* `git add .`
|
||||
|
||||
1. Review what files are staged:
|
||||
|
||||
* `git status`
|
||||
|
||||
1. Create a signed commit:
|
||||
|
||||
* `git commit -m -S "<message>"`
|
||||
|
||||
1. Push the changes to the branch you are on:
|
||||
|
||||
* `git push origin HEAD`
|
||||
1. Copy the repository with updated files to an online machine, sign, commit and push to the `vaults` repository:
|
||||
```
|
||||
$ cp -r /media/vaults ~/vaults/
|
||||
$ cd ~/vaults
|
||||
$ git add .
|
||||
$ git commit -m -S "<message>"
|
||||
$ git push origin HEAD
|
||||
```
|
||||
// ANCHOR_END: content
|
||||
/* ANCHOR_END: all */
|
|
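Review bot: `git commit -m -S "<message>"` in the new code block (and in the bullet it replaces) is wrong: `-m` consumes the next argument, so `-S` becomes the commit message, `"<message>"` is treated as a pathspec, and the commit is not signed. Use `git commit -S -m "<message>"`, the order the approver and proposer documents use. The consolidated block also drops the `git status` review step; in a flow whose point is that an operator signs only what they have inspected, keeping `git status` between `git add .` and the signed commit is worth the extra line. Finally, if the numbered `If the ~/vaults/ repository already exists` line is the version being kept, it now comes before the copy step it refers to, so "before re-running the previous step" no longer points at `cp -r /media/vaults ~/vaults/`.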
@ -11,12 +11,6 @@ Git is used because it permits cryptographic singing of commits using PGP, as we
|
|||
|
||||
1. Set appropriate permissions to limit who can write to the repository.
|
||||
|
||||
* `main` branch should be write protected so that merges to that branch can only be done if at least 2 approvals are present
|
||||
|
||||
* The organization may choose to require more approvals based on risk tolerance and operational capacity
|
||||
|
||||
* The merges should be done via CLI signed commits
|
||||
|
||||
* Require that all commits are signed using well known PGP keys
|
||||
|
||||
1. Optionally set up a chron job that periodically pulls the data from the repository as a backup.
|
||||
|
|
|
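Review bot: whichever bullets this hunk drops, the requirements that `main` be write-protected behind at least 2 approvals and that merges be made with signed commits are the controls that make the repository a multi-party record; if they are moving out of this file, link to where they now live, and if they are being removed entirely, that should be called out in the commit message. Two spelling fixes while here: `chron job` should be `cron job`, and the context line at the top of the hunk has `singing` for `signing`.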
@ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different
|
|||
aspects while bootstrapping QVS. The keys are a fundamental building block, and
|
||||
as such need to be set up in a manner that minimizes exposure risks.
|
||||
|
||||
## Generating Keys using `keyfork` and `oct`
|
||||
## Generating Keys using `keyfork`
|
||||
// ANCHOR: steps-keyfork
|
||||
|
||||
1. Insert an SD card into the system
|
||||
|
@ -15,26 +15,7 @@ as such need to be set up in a manner that minimizes exposure risks.
|
|||
$ cd /media/TRANSFER
|
||||
```
|
||||
|
||||
1. Insert a smartcard into the system, and get its ID:
|
||||
|
||||
a. Set variable with card ID
|
||||
```
|
||||
$ card_id="$(oct list -i | head -1)"`
|
||||
```
|
||||
b. Test the variable was set correctly
|
||||
```
|
||||
$ echo $card_id
|
||||
```
|
||||
|
||||
1. Set the smart card to require touch for all operations
|
||||
|
||||
```
|
||||
$ oct admin --card $card_id touch --key SIG --policy On
|
||||
$ oct admin --card $card_id touch --key DEC --policy On
|
||||
$ oct admin --card $card_id touch --key AUT --policy On
|
||||
$ oct admin --card $card_id touch --key ATT --policy On
|
||||
```
|
||||
Note: default admin PIN is 12345678
|
||||
1. Insert all smartcards to be provisioned into the system.
|
||||
|
||||
1. Set expiry time via environment variable - you can update 2y to desired value:
|
||||
|
||||
|
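Review bot: removing the `oct admin --card $card_id touch --key SIG|DEC|AUT|ATT --policy On` steps drops the touch-to-use policy on the smartcard, which is what stops a compromised host from using the card's keys without a physical tap. If `keyfork ... --provision openpgp-card` now sets this policy itself, say so in the document; otherwise keep the touch step (and the default admin PIN note it depends on) after provisioning. The removed `card_id` line also had a stray trailing backtick, so if it is reinstated it should read `card_id="$(oct list -i | head -1)"`.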
@ -44,30 +25,18 @@ as such need to be set up in a manner that minimizes exposure risks.
|
|||
|
||||
1. Generate a mnemonic, encrypting to a newly-generated key:
|
||||
|
||||
Ensure the User ID is your name and your email.
|
||||
|
||||
```
|
||||
$ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id"
|
||||
$ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
|
||||
```
|
||||
|
||||
The `count=` variable can be provided to `provision` to ensure the correct
|
||||
amount of smartcards is provisioned - the program will error if the amount
|
||||
of smartcards available is not equal to the count requested.
|
||||
|
||||
Note: The PIN can't use sequential numbers, characters or repeated patterns.
|
||||
|
||||
1. Rename output to use key fingerprint:
|
||||
|
||||
```
|
||||
$ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
|
||||
$ mv public.asc "${fingerprint}.pub.asc"
|
||||
$ mv encrypted.asc "${fingerprint}.enc.asc"
|
||||
```
|
||||
|
||||
1. Optional: Create duplicate smartcards.
|
||||
|
||||
You can insert new smartcards and perform the following steps as needed:
|
||||
|
||||
```
|
||||
$ gpg --import *.pub.asc
|
||||
$ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
|
||||
$ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
|
||||
```
|
||||
|
||||
// ANCHOR_END: steps-keyfork
|
||||
|
||||
## Generating Keys on Smartcard
|
||||
|
|
|
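Review bot: the new `keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid=...` line no longer names a `public.asc` output, yet later steps in this hunk still run `mv public.asc "${fingerprint}.pub.asc"` and `gpg --import *.pub.asc`; if those steps are being removed as well, fine, but if they stay they need to say where the public certificate now comes from (the rename step reads `sq keyring cert.asc` while moving `public.asc`, which is already inconsistent). Dropping `identifier="$card_id"` also means the command no longer states which inserted card gets provisioned, so the `count=` paragraph should show a worked `count=` value or the document should say that only one card may be inserted at this step.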
@ -116,7 +116,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The
|
|||
|
||||
1. Insert object(s) into plastic bag
|
||||
|
||||
1. Fill bag with enough plastic beads that all of the object is surrounded
|
||||
1. Fill bag with enough plastic beads that most of the object is surrounded
|
||||
|
||||
1. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
|
||||
|
||||
|
|
|
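Review bot: changing "all of the object is surrounded" to "most of the object is surrounded" weakens the sealing step: any part of the object not in contact with beads has no bead pattern to compare against the sealing photograph later. If full coverage is impractical for some items, name the surfaces that must be covered instead of leaving "most" to the sealer's judgement.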
@ -46,14 +46,11 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Copy the git repo locally from the Ceremony SD card
|
||||
|
||||
* `cp -r /media/vaults /root/vaults`
|
||||
|
||||
1. Change directory to vaults
|
||||
|
||||
* `cd /root/vaults`
|
||||
|
||||
1. Copy the git repo locally from the Ceremony SD card and change into it
|
||||
```
|
||||
$ cp -r /media/vaults /root/vaults
|
||||
$ cd /root/vaults
|
||||
```
|
||||
1. Plug in the Operator smart card
|
||||
|
||||
1. Verify the existing signatures and add your own signature:
|
||||
|
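Review bot: the consolidated block uses `cp -r /media/vaults /root/vaults`, while the other documents in this compare use `cp -r /media/vaults /root/`; the two forms differ when `/root/vaults` already exists (the first creates `/root/vaults/vaults`, the second merges into `/root/vaults`), so pick one form across the ceremony documents.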
@ -72,26 +69,17 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Copy the updated repository locally:
|
||||
|
||||
* `cp -r /media/vaults ~/`
|
||||
|
||||
1. Change into locally copied directory
|
||||
|
||||
* `cd ~/vaults`
|
||||
|
||||
1. Stage the modified file:
|
||||
|
||||
* `git add <namespace>/ceremonies/<date>/payloads/*`
|
||||
|
||||
1. Create a signed git commit:
|
||||
|
||||
* `git commit -S -m "add payload signature for payload_<num>.json"`
|
||||
|
||||
1. Push the latest commit to the repository
|
||||
|
||||
* `git push origin main`
|
||||
|
||||
1. Copy the updated repository locally and change into it:
|
||||
```
|
||||
$ cp -r /media/vaults ~/
|
||||
$ cd ~/vaults
|
||||
```
|
||||
1. Stage, sign, commit and push changes to the ceremonies repository:
|
||||
```
|
||||
$ git add <namespace>/ceremonies/<date>/payloads/*
|
||||
$ git commit -S -m "add payload signature for payload_<num>.json"
|
||||
$ git push origin main
|
||||
```
|
||||
1. Tamper proof the AirgapOS and Air-gapped laptop
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
||||
|
|
|
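Review bot: `git push origin main` in the new block pushes the signed commit straight to `main`; if the repository is configured as the repository-setup document describes (write-protected `main` requiring approvals), this push will be rejected, so either push to a branch and open a pull request here or make the setup document say that signed commits may land on `main` directly. Style: the two blocks are labelled "ceremonies repository" while the paths and the rest of this compare call it the `vaults` repository.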
@ -36,13 +36,11 @@
|
|||
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
|
||||
1. Copy the `vaults` repository to the machine
|
||||
|
||||
* `cp -r /media/vaults /root/`
|
||||
|
||||
1. Change directory to `vaults`:
|
||||
|
||||
* `cd /root/vaults`
|
||||
1. Copy the `vaults` repository to the machine and switch to it
|
||||
```
|
||||
$ cp -r /media/vaults /root/
|
||||
$ cd /root/vaults
|
||||
```
|
||||
|
||||
1. Start Keyfork using the relevant Shardfile:
|
||||
|
||||
|
@ -158,22 +156,12 @@
|
|||
|
||||
* Once the airdrop is done, nonce account will be created
|
||||
|
||||
1. Add all files to git stage:
|
||||
|
||||
* `git add .`
|
||||
|
||||
1. Review what files are staged:
|
||||
|
||||
* `git status`
|
||||
|
||||
1. Create a signed commit:
|
||||
|
||||
* `git commit -m -S "<message>"`
|
||||
|
||||
1. Push the changes to the branch you are on:
|
||||
|
||||
* `git push origin HEAD`
|
||||
|
||||
1. Stage, commit, sign and push the changes:
|
||||
```
|
||||
$ git add .
|
||||
$ git commit -m -S "<message>"
|
||||
$ git push origin HEAD
|
||||
```
|
||||
### Sealing
|
||||
|
||||
1. Gather all the original items that were in the air-gapped bundle:
|
||||
|
|
|
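Review bot: the new `$ git commit -m -S "<message>"` line carries over the argument-order bug: `-m` takes `-S` as the message and the commit is not signed. It should be `git commit -S -m "<message>"`.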
@ -32,20 +32,12 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the `shardfile.asc`
|
||||
|
||||
* `cp shardfile.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. TODO - NOT IMPLEMENTED:
|
||||
|
||||
* Back up the root OpenPGP certificate
|
||||
|
||||
* `cp encryption_certificate.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Copy the contents of Ceremony SD card to machine
|
||||
|
||||
* `cp -r /media/vaults /root/`
|
||||
|
||||
1. Back up the files
|
||||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
TODO (NOT IMPLEMENTED): $ cp encryption_certificate.asc /media/vaults/<namespace>/
|
||||
$ cp -r /media/vaults /root/
|
||||
```
|
||||
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
1. Plug in fresh SD card
|
||||
|
|
|
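Review bot: `TODO (NOT IMPLEMENTED): $ cp encryption_certificate.asc /media/vaults/<namespace>/` is prose inside a shell code block, so a reader pasting the block gets a broken line in the middle of the backup; prefix it with `#` or move the TODO back out of the block as a bullet.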
@ -35,23 +35,13 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the `shardfile.asc`
|
||||
|
||||
* `cp shardfile.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Back up the `keyring.asc`
|
||||
|
||||
* `cp keyring.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. TODO - NOT IMPLEMENTED:
|
||||
|
||||
* Back up the root OpenPGP certificate
|
||||
|
||||
* `cp encryption_cert.asc /media/vaults/<namespace>/`
|
||||
|
||||
1. Copy the contents of Ceremony SD card to machine
|
||||
|
||||
* `cp -r /media/vaults /root/`
|
||||
1. Back up the files
|
||||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
$ cp keyring.asc /media/vaults/<namespace>/
|
||||
TODO (NOT IMPLEMENTED): $ cp encryption_cert.asc /media/vaults/<namespace>/
|
||||
$ cp -r /media/vaults /root/
|
||||
```
|
||||
|
||||
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
|
||||
|
||||
|
|
|
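Review bot: `TODO (NOT IMPLEMENTED): $ cp encryption_cert.asc /media/vaults/<namespace>/` is again prose inside a shell code block and should be commented out with `#` or moved out of the block, and the file name differs from the namespace ceremony document, which says `encryption_certificate.asc`. Agree on one name now so that both TODOs are resolved the same way.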
@ -12,8 +12,6 @@ The procurer is responsible for:
|
|||
|
||||
* Ensuring equipment is properly tamper proofed
|
||||
|
||||
* Maintaining stock of supplies in the inventory
|
||||
|
||||
* Minimizing hardware supply chain security risks
|
||||
|
||||
## Order of Operations
|
||||
|
@ -28,4 +26,10 @@ The procurer is responsible for:
|
|||
|
||||
1. Procuring [hardware](./procure-hardware.md)
|
||||
|
||||
1. Procuring [SD cards](./procure-sd-card-pack.md)
|
||||
* Laptops
|
||||
|
||||
* SD cards
|
||||
|
||||
* SD card USB adapters
|
||||
|
||||
* Smart cards
|
||||
|
|
|
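Review bot: the new `Laptops` / `SD cards` / `SD card USB adapters` / `Smart cards` bullets do not link anywhere, whereas `[hardware](./procure-hardware.md)` does; if they replace the `[SD cards](./procure-sd-card-pack.md)` entry, that procedure loses its only link from the index, so link each item to its procurement page or keep the existing entry.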
@ -7,13 +7,3 @@
|
|||
1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room.
|
||||
|
||||
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this
|
||||
|
||||
## Maintenance
|
||||
|
||||
* The facility should always be well stocked with SD cards
|
||||
|
||||
* Usage of these SD cards:
|
||||
|
||||
* Transferring transaction data from online to air-gapped machine
|
||||
|
||||
* Storing tamper proofing evidence produced at the end of the ceremony
|
|
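Review bot: if the `## Maintenance` section is being removed, the requirement that the facility stay stocked with SD cards (for moving transaction data to the air-gapped machine and for storing tamper-proofing evidence) should be restated wherever supplies are now tracked, for example under the procurer's responsibilities; otherwise the only mention of that stock disappears.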
@ -14,6 +14,10 @@
|
|||
|
||||
## Procedure: Online Procurement
|
||||
|
||||
1. Select a well known and reputable supplier. Establishing a relationship with a hardware supplier that has a reputation for privacy, supply chain security is preferred.
|
||||
|
||||
2. Order the supplies to a registered mailbox, to prevent exposing your organization's location
|
||||
|
||||
## Tamper Proofing
|
||||
|
||||
All hardware:
|
||||
|
|
|
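Review bot: the new online-procurement steps use `1.` and `2.` while every other list in this compare uses repeated `1.`; pick one. Grammar: "a reputation for privacy, supply chain security" needs "and" before "supply chain security". The mailbox step could also say what to record about each order (supplier, order number, date) so the inventory can trace a device back to its source.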
@ -38,14 +38,11 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
1. Turn on online machine
|
||||
|
||||
1. Clone the repository if it's not available locally:
|
||||
|
||||
* `git clone <repository_git_url>`
|
||||
|
||||
1. Pull the latest changes from the `ceremonies` repository
|
||||
|
||||
* `git pull origin main`
|
||||
|
||||
1. Clone the `vaults` repository if it's not available locally and get the latest changes:
|
||||
```
|
||||
$ git clone <repository_git_url>
|
||||
$ git pull origin main
|
||||
```
|
||||
1. Unseal the SD Card Pack
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
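Review bot: in the new block `git clone <repository_git_url>` is followed directly by `git pull origin main`, but after the clone the shell is still in the parent directory, so the pull either fails or runs against some other repository; add `cd vaults` (or whatever the cloned directory is called) between the two commands. Since the sentence says the clone is only needed when the repository is not already present, the block should also make clear that an existing checkout only needs the `pull`.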
@ -66,19 +63,15 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
|
||||
|
||||
1. Once booted, unplug the AirgapOS SD card
|
||||
1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
|
||||
1. Copy the git repo locally from the Ceremony SD card
|
||||
|
||||
* `cp -r /media/vaults /root`
|
||||
|
||||
1. Change into the vaults directory:
|
||||
|
||||
* `cd /root/vaults`
|
||||
|
||||
1. Copy the git repo locally from the Ceremony SD card and change to it
|
||||
```
|
||||
$ cp -r /media/vaults /root
|
||||
$ cd /root/vaults
|
||||
```
|
||||
1. Create a new payloads directory in the `vaults` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist
|
||||
|
||||
* `mkdir -p <namespace>/ceremonies/<date>/payloads`
|
||||
|
@ -101,31 +94,21 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
* `cp -r /root/vaults /media`
|
||||
|
||||
1. Unplug the SD card from the air-gapped machine
|
||||
|
||||
1. Plug in the SD card into the online machine
|
||||
1. Transfer the SD card from the air-gapped machine to the online machine
|
||||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Copy the updated repository locally:
|
||||
|
||||
* `cp -r /media/vaults ~/`
|
||||
|
||||
1. Change into locally copied directory
|
||||
|
||||
* `cd ~/vaults`
|
||||
|
||||
1. Stage the modified file:
|
||||
|
||||
* `git add <namespace>/ceremonies/<date>/payloads/*`
|
||||
|
||||
1. Create a signed git commit:
|
||||
|
||||
* `git commit -S -m "add payload signature for payload_<num>.json"`
|
||||
|
||||
1. Push the latest commit to the repository
|
||||
|
||||
* `git push origin main`
|
||||
1. Copy the updated repository locally and switch to it:
|
||||
```
|
||||
$ cp -r /media/vaults ~/
|
||||
$ cd ~/vaults
|
||||
```
|
||||
1. Stage, sign, commit and push the changes to the ceremonies repository:
|
||||
```
|
||||
$ git add <namespace>/ceremonies/<date>/payloads/*
|
||||
$ git commit -S -m "add payload signature for payload_<num>.json"
|
||||
$ git push origin main
|
||||
```
|
||||
|
||||
1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
|
||||
|
||||
|
|
|
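Review bot: the commit message `add payload signature for payload_<num>.json` in the new block is copied from the approver procedure, but this is the proposer flow where the payload itself is being added, so the message misstates what the commit contains; something like `add payload_<num>.json` fits here. Pushing straight to `main` also has the same tension with a write-protected `main` as in the approver document. Grammar: "using a incident management tool" should be "an incident management tool".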
@ -10,14 +10,16 @@
|
|||
|
||||
## Procedure
|
||||
|
||||
1. Unseal a tamper proofed laptop
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
|
||||
|
||||
1. Follow a given model manual to remove all radio cards, storage drive, speakers, and microphone using standard industry laptop repair tactics
|
||||
1. Remove all radio cards, storage drive, speakers, and microphone using standard industry laptop repair tactics
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
|
||||
|
||||
1. Apply a new label which indicates the laptop has been provisioned
|
||||
1. Apply a new label which indicates the laptop has been provisioned (include date, and any other desired metadata such as a unique ID (e.g Laptop #4))
|
||||
|
||||
1. Return the provisioned laptop to inventory
|
||||
1. Place the provisioned laptop in inventory
|
||||
|
||||
1. Update inventory to reflect that this hardware has ben provisioned
|
||||
1. Update inventory to reflect that this hardware has been provisioned, and including the metadata in the `description.txt` for that item according to the [inventory repository structure](../procurer/create-inventory-repository.md)
|
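Review bot: dropping "Follow a given model manual" from the disassembly step removes the pointer to the model-specific service manual, which is what keeps the removal of radio cards, storage, speakers and microphone repeatable across laptop models; keep the reference. Style: the new label line nests parentheses, `(... (e.g Laptop #4))`; `e.g.` needs its period, and a comma-separated phrasing avoids the double parentheses. The fix of `has ben` to `has been` is good.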