Merge branch 'feat/encryption-key-generation'

quorum-vault-system/src/SUMMARY.md

@@ -31,3 +31,8 @@
                 * [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
                 * [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
                 * [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md)
+<<<<<<< HEAD
+                * [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
+=======
+                * [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
+>>>>>>> feat/encrypt-wallet-to-namespace

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md

@@ -0,0 +1,53 @@
+# Decrypt Namespace Secret
+
+## Requirements
+
+{{ #include ../../operator-requirements.md:requirements }}
+
+* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md) 
+
+* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
+
+## Procedure
+
+1. Enter the designated location with required personnel and equipment
+
+1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
+
+1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
+
+{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
+
+1. Place all materials except for the laptop into High Visibility Storage
+
+1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop 
+
+1. Turn on the machine
+
+1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
+
+1. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine
+
+1. Copy the Ceremony SD Card contents to machine
+
+    * Find device name using `lsblk`
+
+    * Copy the contents of the card to machine:
+
+        * `cp -r /media/<device_name>/* ~`
+
+1. Start `keyfork` using the relevant Shardfile:
+
+	* `keyfork recover shard --daemon /media/<media_name>/path/to/shardfile.asc`
+
+    * Follow on screen prompts
+
+1. Derive the OpenPGP root certificate:
+
+    * `keyfork derive openpgp > secret_key.asc`
+
+1. Decrypt the secret material:
+
+    * `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted`
+
+1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc. 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md

@@ -0,0 +1,24 @@
+# Encrypt Wallet to Namespace Key
+
+Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) into a Namespace.
+
+## Requirements
+
+* [Namespace OpenPGP Certificate]() 
+
+    * It can be on an SD card or accessed online
+
+## Procedure
+
+1. Access machine which has the secret that should be encrypted available
+
+    * If not on a computer, but a hardware wallet or otherwise, perform the steps on a air-gapped machine
+
+1. Load the OpenPGP certificate:
+
+1. Encrypt the secret to certificate:
+
+    * `sq encrypt --for-file <certificate> <file_to_encrypt> --output encrypted.asc` TODO: sq needs to be added to airgapOS
+
+1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the ceremonies repository
+

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md

@@ -32,7 +32,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
 
-	* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>`
+    * Replace the values: <path_to_input_shard>, <pgp_cert_id>
+
+	* `keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid=<user_id>` TODO: NOT IMPLEMENTED
 
 1. Unseal an SD card pack
 
@@ -40,23 +42,27 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Place all unsealed SD cards into High Visibility Storage
 
-1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
+1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
 
     1. `lsblk` to find media name
 
-    1. `cp <shard_file_name> /media/<media_name>`
+    1. Back up the output shardfile: 
+        * `cp shardfile.new.asc /media/<media_name>/`
+
+    1. Back up the new keyring file:
+
+        * `cp keyring.new.asc /media/<media_name>/`
+
+    1. Back up the root PGP certificate:
+        * `cp root_pgp_cert.asc /media/<media_name>/`
 
     1. Each backup should be placed into High Visibility Storage after it's made
 
-<!--
-1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
-
-    * `keyfork recover shard --daemon /media/external/<shard_file_name>`
--->
-
     1. Unplug the SD card and place it in High Visibility Storage
 
-1. Label the SD card "Shardfile \[date\] \[namespace\]"
+    1. Label the SD card "Shardfile [date] [namespace]"
+
+1. Upload the newly generated artifacts into the ceremonies repository
 
 1. Gather all the original items that were in the air-gapped bundle:
 
@@ -65,3 +71,4 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
     * AirgapOS SD card
 
 {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
+

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md

@@ -32,7 +32,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 1. Run the relevant keyfork wizard to perform the ceremony:
 
-	* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc`
+    * Replace the following values: <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_cert_id>
+
+
+    * `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid=<pgp_cert_id>` TODO: NOT IMPLEMENTED
+
 
 1. Unseal an SD card pack
 
@@ -44,24 +48,24 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     1. Find media name using `lsblk`
 
+    1. Back up the root OpenPGP certificate
+
+        * `cp encryption_cert.asc /media/<media_name>/`
+
     1. Back up the `shardfile.asc`     
 
-        * `cp shardfile.asc /media/<media_name>` 
+        * `cp shardfile.asc /media/<media_name>/` 
 
     1. Back up the `keyring.asc`
 
-        * `cp keyring.asc /media/<media_name>`
-
-<!--
-    1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
-
-        * `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh`
--->
+        * `cp keyring.asc /media/<media_name>/`
 
     1. Unplug the SD card and place it in High Visibility Storage
 
     1. Label the SD card "Shardfile [date]"
 
+1. Upload the newly generated artifacts into the ceremonies repository
+
 1. Gather all the original items that were in the air-gapped bundle:
 
     * Air-gapped computer

quorum-vault-system/src/generated-documents/level-2/operator-requirements.md

@@ -4,7 +4,6 @@
 ## For Quorum Based Operations
 // ANCHOR: requirements
 
-
 * [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
 
 * Minimum of 2 [Operators](/system-roles.md#operator)