public
/
docs
5
0
Fork 0
Code Issues 9 Pull Requests 3 Packages Projects Releases Wiki Activity

Compare commits

base: public:main
Branches Tags
public:main
public:feat/level-1
public:feat/rename-to-trove
public:feat/refactor-proposer-docs
public:feat/template-coin-docs
public:feat/cosmos-docs
public:anton/add-commit-hash-to-title
public:anton/clean-up
public:lance/personal-pgp-cleanup
public:feat/generate-sol-address-doc
public:feat/use-mini-quorum
public:feat/export-namespace-mnemonic
public:feat/decrypt-namespace-secret
public:feat/encrypt-wallet-to-namespace
public:feat/encryption-key-generation
public:feat/tamper-proofing-chain-of-custody
public:coding-standards
public:feat/quorum-kms
..
compare: public:feat/encrypt-wallet-to-namespace
Branches Tags
public:feat/level-1
public:feat/rename-to-trove
public:main
public:feat/refactor-proposer-docs
public:feat/template-coin-docs
public:feat/cosmos-docs
public:anton/add-commit-hash-to-title
public:anton/clean-up
public:lance/personal-pgp-cleanup
public:feat/generate-sol-address-doc
public:feat/use-mini-quorum
public:feat/export-namespace-mnemonic
public:feat/decrypt-namespace-secret
public:feat/encrypt-wallet-to-namespace
public:feat/encryption-key-generation
public:feat/tamper-proofing-chain-of-custody
public:coding-standards
public:feat/quorum-kms

No commits in common. "main" and "feat/encrypt-wallet-to-namespace" have entirely different histories.
main ... feat/encry

113 changed files with 989 additions and 1917 deletions
Show Stats Expand all files Collapse all files

5
.editorconfig
View File

@ -10,10 +10,9 @@ indent_style = tab
indent_size = 2
[*.md]
indent_style = tab
indent_size = 4
indent_style = space
indent_size = 2
[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true

24
Makefile
View File

@ -1,24 +1,24 @@
PORT := 8080
.PHONY: default
default: build-trove
default: build-qvs
out:
mkdir -p out
.PHONY: build-trove
build-trove: out/trove/index.json
out/trove/index.json: out Containerfile.trove $(shell find quorum-vault-system -type f)
mkdir -p out/trove
.PHONY: build-qvs
build-qvs: out/qvs/index.json
out/qvs/index.json: out Containerfile.qvs $(shell find quorum-vault-system -type f)
mkdir -p out/qvs
docker \
build \
-f Containerfile.trove \
--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-trove,tar=true,dest=- \
-f Containerfile.qvs \
--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-qvs,tar=true,dest=- \
. \
| tar -C out/trove -mx
| tar -C out/qvs -mx
.PHONY: serve-trove
serve-trove: build-trove
tar -C out/trove -cf - . | docker load
docker run -p $(PORT):8080 git.distrust.co/public/docs-trove
.PHONY: serve
serve-qvs: build-qvs
tar -C out/qvs -cf - . | docker load
docker run -p $(PORT):8080 git.distrust.co/public/docs-qvs

92
notes-from-lance.txt Normal file
View File

@ -0,0 +1,92 @@
# Distrust meet 2025-01-13
1. choose location
a. random location
b. if shipped, neutral location, picked up by both
* barrel jacks are more secure
Level 0
* key import from unknown trust level
* key export to unknown trust level
* use any tools you want
level 1
* icepick level 1
* sealing or vault
* self custody (by design)
* trust single person
* portable ceremonies are this level
* doesn't matter where they do it, a single individual is trusted
* they use tamper evidence because they don't trust others
* level 2 assumes witnesses
- [ ] move paragraph above procedures in provisioner/index
- [ ] add more steps to the docs to make it more explicit
- [ ] gotta fix the mnemonic word
---
break out the requirements for bootstrapping into separate prep doc
o
* assume every ceremony will be done by different people
* you need to be able to do this ceremony to pass
* if u wanna be a multi party operator you need to have a personal computer
* personal operator key provisioning
* provisioning computer
* provisioner should just buy a laptop and tamper proof it
* operators should be gutting laptops
* num of laptops
* redundant primary laptop
* redundant operator laptops
* spare bundles for ceremonies
* all levels need hardware procurement
* commit inventory to a repo, ceremonies repo is fine,
it can be a text file
## procurer
* obtain numbers of needed items, quantity of each item
* tamper proof all hardware, sd cards, laptops, etc.
* tamper proof booster pack of 5 sd cards
- [ ] specner you can go and do these cermonies right now
operator
* gets equipment from ceremony inventory
* get both Spencer and Herve to use a laptop from inventory with airgapos to set up their pgp keys
* provisioned hardware (that's what provisioners do) can write label on bundles
* operator kits
* ceremony kits
* safes and vaults
* everything labelled
* didn't use tamper evident bags because they had big vaults
* CSA tamper evident safes
* Spencer tries first, then gets Herve to do it once it's smooth
* could write some data layer stuff in rust
- [ ] track down bug for keyfork mnemonic
* use docs as a way to decide what features to implement
* lighter use
*
- [ ] look ahead at other coins
* shell script to make tx
- [ ] do level 0 doc
- [ ] hide document components

0
trove/.gitignore → quorum-vault-system/.gitignore vendored
View File

4
trove/README.md → quorum-vault-system/README.md
View File

@ -1,6 +1,6 @@
# Trove
# Quorum Key Management (QVS)
Trove is an open source system of playbooks and tooling which
Quorum Key Management (QVS) is an open source system of playbooks and tooling which
facilitates the creation and maintenance of highly resilient Quorum-based Key
Management Systems based on a strict threat model which can be used for a
variety of different cryptographic algorithms.

2
trove/book.toml → quorum-vault-system/book.toml
View File

@ -3,4 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
language = "en"
multilingual = false
src = "src"
title = "Trove"
title = "Quorum Vault System (QVS)"

0
trove/get-commit-hash.sh → quorum-vault-system/get-commit-hash.sh
View File

34
quorum-vault-system/src/SUMMARY.md Normal file
View File

@ -0,0 +1,34 @@
# Summary
* [Introduction](intro.md)
* [Threat Model](threat-model.md)
* [Selecting a Quorum](selecting-quorum.md)
* [System Roles](system-roles.md)
* [Key Types](key-types.md)
* [Software](software.md)
* [Location](locations.md)
* [Glossary](glossary.md)
* [Generated Documents]()
* [All Levels]()
* [Create Ceremony Repository](generated-documents/all-levels/create-ceremonies-repository.md)
* [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md)
* [Level 2]()
* [Fixed-Location]()
* [Procurer](generated-documents/level-2/fixed-location/procurer/index.md)
* [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md)
* [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md)
* [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
* [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
* [Proposer]()
* [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
* [Approver]()
* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
* [Operator](generated-documents/level-2/fixed-location/operator/index.md)
* [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
* [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
* [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md)
* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)

12
trove/src/component-documents/autorun-sh-setup.md → quorum-vault-system/src/component-documents/autorun-sh-setup.md
View File

@ -9,14 +9,14 @@ This setup can be done on any machine.
* In your Terminal use this command: `vi autorun.sh`
* Once you are in the editor press "i" to enter "insert mode"
* Type in the contents, replacing <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
* Type in the contents, replacing <N> and <M> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
```sh
#!/bin/sh
keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smart_cards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
keyfork wizard generate-shard-secret --threshold <M> --max <N> --output shards.pgp
```
* Press "esc"
* Press ":"
* Press "x"
@ -38,4 +38,4 @@ This setup can be done on any machine.
c. Copy the `autorun.sh` file to the Storage Device
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.
1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.

0
trove/src/component-documents/ceremony-log-template.md → quorum-vault-system/src/component-documents/ceremony-log-template.md
View File

16
trove/src/component-documents/vaults-repository.md → quorum-vault-system/src/component-documents/ceremony-repository.md
View File

@ -1,20 +1,16 @@
/* ANCHOR: all */
# Vaults Repository
# Ceremony Repository
// ANCHOR: content
This repository holds data pertaining to vaults. The primary data consists of:
This repository holds data pertaining to ceremonies. The primary data consists of:
* Operation proposals
* Transaction proposals
* Operation approvals
* Payloads
* Transaction approvals
* Trusted PGP keyring
* Shardfiles
* Blockchain metadata
* Shardfile
* Policies (such as spending rules)
@ -24,6 +20,8 @@ This repository holds data pertaining to vaults. The primary data consists of:
* MUST be a private repository
* MUST be write protected, requiring approval from at least 1 individual other than one who opened the PR for merging
* MUST require signed commits
## Repository Structure

35
quorum-vault-system/src/component-documents/git-commit-signing.md Normal file
View File

@ -0,0 +1,35 @@
/* ANCHOR: all */
# Git Commit Signing
// ANCHOR: steps
1. Retrieve the value of your PGP key ID by using:
`gpg --list-keys`
1. Set up local `.gitconfig` file with desired PGP key:
```
[user]
name = <name>
email = <email>
signingKey = <pgp_key_id>
[commit]
gpgsign = true
merge = true
[core]
editor = "code --wait"
```
1. Set up environment variables for using smart cards
Open the `~/.bashrc` file and add the following content at the end:
```bash
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
GPG_TTY=$(tty)
export GPG_TTY
```
// ANCHOR_END: steps
/* ANCHOR: all */

12
trove/src/component-documents/git-repository-initialization.md → quorum-vault-system/src/component-documents/git-repository-initialization.md
View File

@ -7,13 +7,19 @@ Git is used because it permits cryptographic singing of commits using PGP, as we
## Procedure: Setting up Repository
// ANCHOR: procedure
1. Create a git repository using a git system such as Forgejo, GitLab, GitHub etc.
1. Create a git repository using a git system such as Forjego, GitLab, GitHub etc.
1. Set appropriate permissions to limit who can write to the repository.
* Require that all commits are signed using well known PGP keys
* `main` branch should be write protected so that merges to that branch can only be done if at least 2 approvals are present
1. Optionally set up a cron job that periodically pulls the data from the repository as a backup.
* The organization may choose to require more approvals based on risk tolerance and operational capacity
* The merges should be done via CLI signed commits
* Require that all commits are signed using well known PGP keys
1. Optionally set up a chron job that periodically pulls the data from the repository as a backup.
// ANCHOR_END: procedure
/* ANCHOR_END: all */

0
trove/src/component-documents/gui-git-commit.md → quorum-vault-system/src/component-documents/gui-git-commit.md
View File

0
trove/src/component-documents/hardware-destruction.md → quorum-vault-system/src/component-documents/hardware-destruction.md
View File

4
trove/src/component-documents/hardware-models.md → quorum-vault-system/src/component-documents/hardware-models.md
View File

@ -63,8 +63,12 @@ Some options include:
* NitroKey 3
* Solo Key
* YubiKey 5
* Librem Key
// ANCHOR_END: smart-cards
## Tamper Proofing

0
trove/src/component-documents/hardware-procurement-and-chain-of-custody.md → quorum-vault-system/src/component-documents/hardware-procurement-and-chain-of-custody.md
View File

12
trove/src/component-documents/inventory-repository.md → quorum-vault-system/src/component-documents/inventory-repository.md
View File

@ -1,7 +1,4 @@
/* ANCHOR: all */
# Inventory Repository
// ANCHOR: content
This repository is used to keep track of available inventory and tamper proofing evidence
@ -18,14 +15,5 @@ bundles/
description.txt
tamper_evidence_front.jpeg
tamper_evidence_back.jpeg
sd_cards/
<num>
...
```
## Procedure: Setting up Repository
{{ #include ./git-repository-initialization.md:procedure}}
// ANCHOR_END: content
/* ANCHOR_END: all */

0
trove/src/component-documents/online-machine-provisioning.md → quorum-vault-system/src/component-documents/online-machine-provisioning.md
View File

74
trove/src/component-documents/openpgp-setup.md → quorum-vault-system/src/component-documents/openpgp-setup.md
View File

@ -1,75 +1,79 @@
/* ANCHOR: all */
# OpenPGP Setup
## Generating Keys using `keyfork`
Setting up a personal PGP key pair is necessary for a number of different
aspects while bootstrapping QVS. The keys are a fundamental building block, and
as such need to be set up in a manner that minimizes exposure risks.
## Generating Keys using `keyfork` and `oct`
// ANCHOR: steps-keyfork
1. Insert an SD card into the system
1. Insert a smartcard into the system, and get its ID:
1. Change working directory to SD card mount location
```
$ cd /media/TRANSFER
```
1. Insert all smartcards to be provisioned into the system.
1. Set expiry time via environment variable - you can update 2y to desired value:
```
$ export KEYFORK_OPENPGP_EXPIRE=2y
```
* `identifier="$(oct list -i | head -1)`
1. Generate a mnemonic, encrypting to a newly-generated key:
* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$identifier"`
Ensure the User ID is your name and your email.
1. If additional keys are required, recover the Keyfork key from the encrypted
mnemonic:
```
$ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
```
* `gpg --import cert.asc`
The `--provision-count` option can be provided to ensure the correct amount
of smartcards is provisioned - the program will error if the amount of
smartcards available is not equal to the count requested.
* `gpg --decrypt encrypted-mnemonic.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic &`
Note: The PIN can't use sequential numbers, characters or repeated patterns.
* Remove your previous key, and plug in the new key.
* `identifier="$(oct list -i | head -1)"`
* `keyfork provision openpgp-card --identifier "$identifier" --account-id 0`
1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
* `lsblk`
* `sudo mount /dev/<your_device> media/`
* `cp cert.asc encrypted-mnemonic.asc /media`
// ANCHOR_END: steps-keyfork
## Generating Keys on Smartcard
## Generating Keys on Smartcard
// ANCHOR: steps-on-key-gen
1. Insert the smart card into the USB port if it is not already plugged in.
1. Open Command Prompt (Windows) or Terminal (macOS / Linux).
1. Enter the GPG command:
1. Enter the GPG command:
* `gpg --card-edit`
1. At the gpg/card> prompt, enter the command: admin
1. If you want to use keys larger than 2048 bits, run: key-attr
1. Enter the command: generate
1. When prompted, specify if you want to make an off-card backup of your encryption key.
1. When prompted, specify if you want to make an off-card backup of your encryption key.
* Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore the key.
1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).
1. Confirm the expiration day.
1. When prompted, enter your name.
1. Enter your email address.
1. If needed, enter a comment.
1. Review the name and email, and accept or make changes.
1. Enter the default admin PIN again. The green light on the smart card will flash while the keys are being written.
1. Enter a Passphrase as the key will not allow you to pass without having a passphrase. If you do not enter a Passphrase generation will fail.
// ANCHOR_END: steps-on-key-gen

2
trove/src/component-documents/physical-artifact-storage.md → quorum-vault-system/src/component-documents/physical-artifact-storage.md
View File

@ -1,6 +1,6 @@
# Physical Artifact Storage
Trove requires that some of the hardware containing cryptographic material be
QVS requires that some of the hardware containing cryptographic material be
securely stored in physical locations. The two primary cases where physical
storage is necessary are the storage of Location Key Smart Cards, and Operator
Key Smart Cards. These Smart Cards are necessary to successfully execute a

2
trove/src/component-documents/public-ceremony-artifact-storage.md → quorum-vault-system/src/component-documents/public-ceremony-artifact-storage.md
View File

@ -1,7 +1,7 @@
# Redundant Storage of Ceremony Artifacts
Ceremony Artifacts consist of data which is not sensitive in nature, but
essential to ongoing operation of a Trove.
essential to ongoing operation of a QVS.
The primary artifacts which are produced during the ceremony are:

0
trove/src/component-documents/pureboot/enable-pure-boot-restricted-boot.md → quorum-vault-system/src/component-documents/pureboot/enable-pure-boot-restricted-boot.md
View File

0
trove/src/component-documents/pureboot/flash-pureboot-firmware.md → quorum-vault-system/src/component-documents/pureboot/flash-pureboot-firmware.md
View File

0
trove/src/component-documents/pureboot/initialize-pureboot-smart-card.md → quorum-vault-system/src/component-documents/pureboot/initialize-pureboot-smart-card.md
View File

0
trove/src/component-documents/pureboot/secure-boot-sequence.md → quorum-vault-system/src/component-documents/pureboot/secure-boot-sequence.md
View File

0
trove/src/component-documents/purism-procurement-procedure.md → quorum-vault-system/src/component-documents/purism-procurement-procedure.md
View File

0
trove/src/component-documents/repeat-use-airgapos.md → quorum-vault-system/src/component-documents/repeat-use-airgapos.md
View File

30
quorum-vault-system/src/component-documents/sd-formatting.md Normal file
View File

@ -0,0 +1,30 @@
# SD Formatting
// ANCHOR: steps
1. Insert a fresh SD card into the SD card slot or connect it via a USB card reader to your computer
* microSD or standard SD card can be used
2. Launch a terminal
3. List all block devices, including your SD card:
* `lsblk`
4. Look for your SD card in the output of the `lsblk` command. It will typically be listed as `/dev/sdX`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
5. Before formatting, you need to unmount the SD card. Replace `/dev/sdX1` with the actual partition name you identified in the previous step:
* `sudo umount /dev/sdX1`
6. Use the mkfs command to format the SD card. You can choose the file system type (e.g., vfat for FAT32, ext4, etc.). Replace /dev/sdX with the actual device name (without the partition number):
* `sudo mkfs.vfat /dev/sdX`
7. You can verify that the SD card has been formatted by running lsblk again or by checking the file system type:
* `lsblk -f`
8. Once formatting is complete, you can safely remove physically or eject the SD card:
* `sudo eject /dev/sdX`
//ANCHOR_END:steps

0
trove/src/component-documents/setting-smart-card-pins.md → quorum-vault-system/src/component-documents/setting-smart-card-pins.md
View File

3
trove/src/component-documents/storage-device-management.md → quorum-vault-system/src/component-documents/storage-device-management.md
View File

@ -9,7 +9,8 @@ USB devices are assigned names when they are connected to a Linux operating
system. The first storage device is assigned the name `sda` (storage device a),
the second `sdb`, the third `sdc` and so on.
One may use the `lsblk` to list the detected storage devices for a system, which will output something like this:
One may use the `lsblk` to list the detected storage devices for a system, which
will output something like this:
```
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda 202:0 1 50G 0 disk

16
trove/src/component-documents/tamper-evidence-methods.md → quorum-vault-system/src/component-documents/tamper-evidence-methods.md
View File

@ -114,9 +114,9 @@ Sealing bags of standard size objects which need to be protected can fit in. The
#### Sealing
// ANCHOR: vsbwf-procedure-sealing
1. Insert object(s) into plastic sealing bag
1. Insert object(s) into plastic bag
1. Fill bag with enough plastic beads that most of the object is surrounded
1. Fill bag with enough plastic beads that all of the object is surrounded
1. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
@ -124,18 +124,20 @@ Sealing bags of standard size objects which need to be protected can fit in. The
1. Date and sign the polaroid photographs and store them in a local lock box
1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.
1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.
// ANCHOR_END: vsbwf-procedure-sealing
#### Unsealing
// ANCHOR: vsbwf-procedure-unsealing
a. Retrieve digital/physical photographs of both sides of sealed bundle
1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
b. Compare all photographs to object for differences
1. Compare polaroid and printed photographs of digital record to the current state of the sealed object
c. Proceed with unsealing the object if no differences are detected
1. Compare polaroid to printed photographs of digital record
1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an [incident response process (todo)](TODO).
// ANCHOR_END: vsbwf-procedure-unsealing
@ -232,4 +234,4 @@ Placing objects into a safe helps improve the security of objects, and introduce
* [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/)
// ANCHOR_END: entire-doc
/* ANCHOR_END: all */
/* ANCHOR_END: all */

0
trove/src/component-documents/verifying-signatures.md → quorum-vault-system/src/component-documents/verifying-signatures.md
View File

67
quorum-vault-system/src/fixed-location-reusable-laptop-ceremony.md Normal file
View File

@ -0,0 +1,67 @@
# Fixed Location Reusable Laptop Ceremony
This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls.
The fixed location should include a work-station which makes it easy to perform the [tamper proofing](tamper-evidence-methods.md#tamper-proofing-station) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does.
* TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops
The primary tamper proofing methods for the fixed location device are:
* Heads firmware protection (TODO link to document which explains how to set up Purism)
* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing)
* On-premises audio and visual monitoring (TODO select appropriate equipment)
* Physical vault (TODO find adequate vaults)
## Procedure
### Unsealing
1. Select at least two authorized operators who will be participating in the ceremony
2. Print photographs of tamper proofing of the laptop which will be used for the ceremony
* Both photos of vacuum sealed bag with filler and glitter on the bottom screws of laptop are required
3. Make an entry into the access log, specifying the:
* Individuals involved
* Approximate time of entry
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
* Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this.
5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation
* Compare the polaroid and digital photographs for any differences
* Then compare the photographs to the actual object
* Check the glitter on the bottom screws of the laptop ensuring there are no scratch marks, and compare the screws to photos
* If there are any issues detected, initiate incident response
6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md)
{{ #include secure-boot-sequence.md }}
7. Use one of the [Playbooks](todo) to carry out a task
#### Sealing
{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}}
2. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data
3. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe
4. Exit the SCIF and lock it
5. Update the log with the exit time
6. Upload the photos to a git repository, ensuring the commit is signed using PGP

0
trove/src/flashing-iso.md → quorum-vault-system/src/flashing-iso.md
View File

3
quorum-vault-system/src/generated-documents/all-levels/create-ceremonies-repository.md Normal file
View File

@ -0,0 +1,3 @@
# Create Ceremony Repository
{{ #include ../../component-documents/ceremony-repository.md:content }}

71
quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md Normal file
View File

@ -0,0 +1,71 @@
# Personal PGP Key Provisioning
## Requirements
* Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
* [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
* 2+ new smart cards
* 2+ SD cards
## Generate OpenPGP Key
1. Insert AirgapOS SD card into computer
1. Boot to AirgapOS
* Boot from the SD card by modifying the Boot Menu
* [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary
{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
## Adding a OpenPGP Public Certificate to the Ceremony Repository
1. Ensure you are on the correct branch:
* `git checkout main`
1. Pull the latest ceremony repo changes
* `git pull origin main`
1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
1. Obtain the fingerprint for the certificate:
* `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
2. Copy the certificate to a name based on the keyring:
* `cp cert.asc "${fingerprint}.asc"`
1. If exporting a certificate from GnuPG:
1. Find your key fingerprint:
* `gpg --list-keys`
1. Export your OpenPGP public certificate:
* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
1. Place the file in `keys/all/<key_fingerprint>.asc`
1. Create signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Push to the commit:
* `git push origin main`
1. Communicate your new key fingerprint to all other participants:
* Preferred: In person
* Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo

2
trove/src/generated-documents/level-2/basic-requirements.md → quorum-vault-system/src/generated-documents/level-2/basic-requirements.md
View File

@ -6,7 +6,7 @@
* 2 individuals with appropriate role
* Each needs a [Personal PGP key pair](/generated-documents/all-levels/pgp-key-provisioning.html)
* Each needs a [Personal PGP key pair](/key-types.md#personal-pgp-keypair)
* [Tamper-proofing equipment](/generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html)

91
quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md Normal file
View File

@ -0,0 +1,91 @@
# Approver - Approve Transaction
The approver is responsible for verifying a transaction proposed by a [proposer](../../../../system-roles.md).
## Requirements
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* [Online Machine](TODO)
* [SD Card Pack](../provisioner/provision-sd-card.md)
* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
* The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
* Clone the [Ceremonies Repository](../provisioner/provision-ceremonies-repository.md) for your organization to the machine
## Procedure
1. Turn on online machine
1. Pull the latest changes from the `ceremonies` repository
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug a fresh SD card into the online machine
1. Save the ceremonies repo to the SD card, referred to as the Ceremony SD card
1. Unplug the Ceremony SD card
1. Unseal the tamper proofed bundle
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
1. Once booted, unplug the AirgapOS SD card
1. Plug in the Ceremony SD card
1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/external/ceremonies /root/ceremonies; cd /root/ceremonies`
1. Verify the detached signature for the payload
* `gpg --verify <filename> <filename>.1.sig`
* The filename will be of format: `keys/ceremonies/<date>/payloads/payload_<number>.json`
1. Verify the key is authenticated:
* `sq-wot --gpg list "<their@email.co>"`
* Ensure the output of the command includes "fully authenticated"
1. Sign the transaction payload:
* `gpg --detach-sign <filename> > <filename>.2.sig`
1. Create a signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Copy the updated ceremonies repo to the SD card
* `cp -r . /media/external/ceremonies`
1. Unplug the SD card from the air-gapped machine
1. Plug in the SD card into the online machine
1. Push the latest commit to the repository
1. Tamper proof the AirgapOS and Air-gapped laptop
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
## Appendix
### Git Commit Signing Configuration
{{ #include ../../../../component-documents/git-commit-signing.md:steps }}

8
trove/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md
View File

@ -6,7 +6,7 @@
* [Personal PGP Keys](/key-types.html#personal-pgp-keypair)
{{ #include ../../../../component-documents/linux-workstation.md:content }}
* Online computer
## Procedure
@ -14,17 +14,17 @@
1. Open the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug in a fresh SD card into computer
1. Navigate to the ceremony repository for the ceremony being executed
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Find the SD cards device name using `lsblk`
1. Write the ceremony repo data to the SD card:
`sudo cp -r vaults/ /media`
`cp ceremonies/ /media/<device_name>`
1. Unplug the SD card

88
trove/src/generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md
View File

@ -1,16 +1,16 @@
# Solana: Sign and Broadcast Transaction
# Operator - SPL Token Transfer
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* Online machine
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
{{ #include ../../../../operator-requirements.md:requirements }}
* [Ceremony SD card](../../ceremony-sd-card-provisioning.md)
## Procedure
@ -28,33 +28,14 @@
### Online Machine: Acquire Nonce
1. Turn on online linux workstation
1. Turn on online machine
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
1. Run the command: `icepick workflow sol broadcast --nonce-address=<nonce_address>`
* e.g `vaults/<namespace>/<coin>/0-na.txt`
* The nonce address is found on the Ceremony SD card
* Set the nonce address variable:
```
$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
```
1. Set `ICEPICK_DATA_DIRECTORY`:
{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
```
$ export ICEPICK_DATA_DIRECTORY=/media/external/
```
1. set `ICEPICK_CONFIG_FILE`
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
```
1. Run the command:
```
$ icepick workflow sol broadcast --nonce-address=$nonce_address
```
* Await completion message before removing Ceremony SD card
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
@ -63,33 +44,48 @@
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer
1. Boot the computer
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Verify keyring data from the Ceremony SD card:
1. Import keys into the system
* `gpg --import keys/all/*.asc`
1. Plug in the operator's smartcard, and ensure it is loaded:
* `gpg --card-status`
1. Print the list of trusted keys:
* `sq-wot --gpg list`
1. Repeat for every operator, ensuring all keys are cross-trusted.
1. Terminate `gpg-agent`: `killall gpg-agent`
1. Verify all signatures for the workflow data:
* `for file in <payload.json>.*.sig; do echo "Verifying: $file"; gpg --verify "${file}" "<payload.json>"; done`
* Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response.
1. Start Keyfork using the relevant Shardfile:
```
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
* `keyfork recover shard --daemon /media/external/shard.asc`
* The Shardfile may be named something else. Use `find /media/external -type f -name '*shard*.asc'` to list all files.
1. Follow on screen prompts
1. Set `ICEPICK_DATA_DIRECTORY`:
```
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
```
1. Run the `icepick` command with the transaction payload
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
```
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* `icepick workflow sol transfer-token --input-file=<(jq .values <payload.json>)`
* Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
@ -102,12 +98,6 @@
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
```
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
$ rm $ICEPICK_DATA_DIRECTORY/nonce.json
```
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Repeat

10
trove/src/generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md
View File

@ -4,7 +4,7 @@ Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) i
## Requirements
* [Namespace OpenPGP Certificate]()
* [Namespace OpenPGP Certificate]()
* It can be on an SD card or accessed online
@ -14,11 +14,11 @@ Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) i
* If not on a computer, but a hardware wallet or otherwise, perform the steps on a air-gapped machine
1. Load the OpenPGP certificate:
1. Encrypt the secret to certificate:
* `sq encrypt --without-signature --for-file <certificate> <file_to_encrypt> --output encrypted.asc`
* `sq encrypt --for-file <certificate> <file_to_encrypt> --output encrypted.asc` TODO: sq needs to be added to airgapOS
1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the `vaults` repository
{{ #include ../../../../component-documents/git-basics.md:content }}
1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the ceremonies repository

0
trove/src/generated-documents/level-2/fixed-location/operator/index.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/index.md
View File

67
quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md Normal file
View File

@ -0,0 +1,67 @@
# Namespace Entropy Ceremony
This is a ceremony for generating and sharding entropy to a set of existing Quorum Keys.
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
1. Enter the designated location with the operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug the AirgapOS SD card into the laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
1. Plug the Ceremony SD card into the machine
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>`
1. Unseal an SD card pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all unsealed SD cards into High Visibility Storage
1. Back up the `<output_shardfile>` to any desired number of SD cards, and label each "Shardfile [unique_name] [date]"
1. `lsblk` to find media name
1. `cp <shard_file_name> /media/<media_name>`
1. Each backup should be placed into High Visibility Storage after it's made
<!--
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `keyfork recover shard --daemon /media/external/<shard_file_name>`
-->
1. Unplug the SD card and place it in High Visibility Storage
1. Label the SD card "Shardfile \[date\] \[namespace\]"
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

71
quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md Normal file
View File

@ -0,0 +1,71 @@
# Quorum Entropy Ceremony
This is a ceremony for generating entropy which is used to derive Quorum PGP keys, load them into smart cards and shard entropy to them.
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [SD Card Booster Pack](../provisioner/provision-sd-card.md)
* `N` Smart Cards in the chosen `M of N` quorum
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
1. Enter the designated location with required personnel and equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all materials except for the laptop into High Visibility Storage
1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
1. Run the relevant keyfork wizard to perform the ceremony:
* `keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smart_cards_per_operator> --output shardfile.asc --cert-output keyring.asc`
1. Unseal an SD card pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all unsealed SD cards into High Visibility Storage
1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Find media name using `lsblk`
1. Back up the `shardfile.asc`
* `cp shardfile.asc /media/<media_name>`
1. Back up the `keyring.asc`
* `cp keyring.asc /media/<media_name>`
<!--
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh`
-->
1. Unplug the SD card and place it in High Visibility Storage
1. Label the SD card "Shardfile [date]"
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

16
trove/src/generated-documents/level-2/fixed-location/procurer/index.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/index.md
View File

@ -8,10 +8,12 @@ The procurer is responsible for:
* [Hardware](procure-hardware.md) (computers, sd cards, sd card adapters, smart cards, cameras etc.)
* Creating and maintaining the [Inventory](create-inventory-repository.md)
* Ensuring equipment is properly tamper proofed
* Ensuring inventory is updated properly
* Maintaining stock of supplies in the inventory
* Minimizing hardware supply chain security risks
## Order of Operations
@ -20,16 +22,8 @@ The procurer is responsible for:
1. Procuring a [facility](./procure-facility.md)
1. Creating a [Inventory repository](create-inventory-repository.md)
1. Procuring [tamper proofing equipment](./procure-tamper-proofing-equipment.md)
1. Procuring [hardware](./procure-hardware.md)
* Laptops
* SD cards
* SD card USB adapters
* Smart cards
1. Procuring [SD cards](./procure-sd-card-pack.md)

10
trove/src/generated-documents/level-2/fixed-location/procurer/procure-facility.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-facility.md
View File

@ -7,3 +7,13 @@
1. Procure an enclosure for locking equipment. A simple lockbox or a safe can be used. It should be at least large enough to fit several laptops, with some extra room.
1. Designate the location as the facility for conducting ceremonies and update documentation and policies to reflect this
## Maintenance
* The facility should always be well stocked with SD cards
* Usage of these SD cards:
* Transferring transaction data from online to air-gapped machine
* Storing tamper proofing evidence produced at the end of the ceremony

4
trove/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md
View File

@ -14,10 +14,6 @@
## Procedure: Online Procurement
1. Select a well known and reputable supplier. Establishing a relationship with a hardware supplier that has a reputation for privacy, supply chain security is preferred.
2. Order the supplies to a registered mailbox, to prevent exposing your organization's location
## Tamper Proofing
All hardware:

2
trove/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md
View File

@ -23,4 +23,4 @@
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
1. Label the tamper proofed package "SD Card Pack [date]"
1. Label the tamper proofed package "SD Card Pack [date]"

0
trove/src/generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md
View File

136
quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md Normal file
View File

@ -0,0 +1,136 @@
# Proposer - Create Transaction Payload
The proposer is a fiduciary whose responsibility is to make sound financial decisions on behalf of a business and determine where funds are moving from, where to and in which amount. The reasons for sending funds may range across settlement, exchanging, staking and more.
The proposer MUST include the workflow type and all arguments required by a workflow, such as `from_address`, `to_address`, `asset_name`, etc., as well as a UTC datetime representing the time when the transaction is proposed.
The proposer must combine these values into a JSON file, such as:
```json
{
"workflow": ["cosmos", "withdraw"],
"values": {
"delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer",
"validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh",
"asset_name": "KYVE",
"asset_amount": "0.4",
"chain_name": "korellia"
},
"proposal_datetime": "2025-01-28T18:18:00"
}
```
## Requirements
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
* The proposer should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo
* [Online Machine](TODO)
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
* Clone the [Ceremonies Repository](../provisioner/provision-ceremonies-repository.md) for your organization to the machine
## Procedure
1. Turn on online machine
1. Pull the latest changes from the `ceremonies` repository
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug a fresh SD card into the online machine
1. Save the ceremonies repo to the SD card, referred to as the Ceremony SD card
1. Unplug the Ceremony SD card
1. Unseal the tamper proofed bundle
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
1. Once booted, unplug the AirgapOS SD card
1. Plug in the Ceremony SD card
1. Copy the git repo locally from the Ceremony SD card
* `cp -r /media/external/ceremonies /root/ceremonies; cd /root/ceremonies`
1. Create a new directory in the `ceremonies` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist, for example `2024-01-01/`
* `mkdir -p keys/ceremonies/2024-01-01/payloads`
1. Determine a new filename `payload_<num>.json`, for example `payload_1.json`
1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time.
```json
{
"workflow": ["<workflow_namespace>", "<workflow_name>"],
"values": {
"<workflow_field>": "<workflow_value>"
},
"proposal_datetime": "<datetime>"
}
```
Example data object:
```json
{
"workflow": ["cosmos", "withdraw"],
"values": {
"delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer",
"validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh",
"asset_name": "KYVE",
"asset_amount": "0.4",
"chain_name": "korellia"
},
"proposal_datetime": "2025-01-28T18:18:00"
}
```
1. Import the keys relevant to the ceremony:
* `gpg --import keys/all/*.asc`
1. Sign the data in the CLI using `gpg` or another OpenPGP implementation:
* `gpg --detach-sign <file> <file>.1.sig`
1. Copy the updated ceremonies repo to the SD card
* `cp -r . /media/external/ceremonies`
1. Unplug the SD card from the air-gapped machine
1. Plug in the SD card into the online machine
1. Create a signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Push the latest commit to the repository
1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
1. Tamper proof the AirgapOS and Air-gapped laptop
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
## Appendix
### Git Commit Signing Configuration
{{ #include ../../../../component-documents/git-commit-signing.md:steps }}

0
trove/src/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md
View File

6
trove/src/generated-documents/level-2/fixed-location/provisioner/index.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/index.md
View File

@ -4,12 +4,14 @@ The provisioner is responsible for:
* Provisioning hardware
* Provisioning SD Cards (AirapOS, Ceremony etc.)
* Provisioning SD Cards (AirapOS, Keychain, Shardfiles etc.)
* Provisioning bundles (e.g Air-Gapped bundle)
* Provisioning ceremony bundles
## Procedures
* [Provision SD Card](./provision-sd-card.md)
* [Provision Ceremonies Repository](./provision-ceremonies-repository.md)
* [Provision AirgapOS](./provision-airgapos.md)
* [Provision Computer](./procure-computer.md)
* Requires tamper proofing equipment to be available

16
trove/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md → quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md
View File

@ -6,7 +6,7 @@
* Tamper proofing evidence (photographs)
* [SD Card Pack(s)](../procurer/procure-sd-card-pack.md)
* [SD Card Pack(s)](../procurer/procure-sd-card-pack.md)
* High Visibility Storage
@ -18,7 +18,7 @@
1. Turn on one of the computers - this one will be used for writing the SD cards
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.
1. Use the `make reproduce` command
@ -32,16 +32,18 @@
1. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Look for your SD card in the output of the `lsblk` command. It will typically be listed as `/dev/sdX`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
1. Flash `airgap.iso` to an SD Card:
* `dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync`
* `dd if=out/airgap.iso of=/dev/<device_name> bs=4M status=progress conv=fsync`
1. Reset the computer, and boot the SD card
1. Reset the computer, and boot the SD card
1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
* Find out the block device name using `lsblk`
* Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
1. `./sdtool /dev/<device_name> permlock`
@ -56,6 +58,6 @@
1. Verify the card can't be written to:
* `echo "42" | dd of=/dev/<device_name>`
* `echo "42" | dd of=/dev/<device_name>`
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}

3
quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md Normal file
View File

@ -0,0 +1,3 @@
# Provision Ceremony Repository
{{ #include ../../../../component-documents/ceremony-repository.md:content }}

23
quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-computer.md Normal file
View File

@ -0,0 +1,23 @@
# Provision Computer
## Requirements
{{ #include ../../basic-requirements.md:requirements }}
* Tamper proofing evidence (photographs)
* Non-provisioned computer
## Procedure
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
1. Follow a given model manual to remove all radio cards, storage drive, speakers, and microphone using standard industry laptop repair tactics
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}
1. Apply a new label which indicates the laptop has been provisioned
1. Return the provisioned laptop to inventory
1. Update inventory to reflect that this hardware has ben provisioned

0
quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-sd-card.md Normal file
View File

0
trove/src/generated-documents/level-2/hardware.md → quorum-vault-system/src/generated-documents/level-2/hardware.md
View File

21
quorum-vault-system/src/generated-documents/level-2/operator-requirements.md Normal file
View File

@ -0,0 +1,21 @@
/* ANCHOR: all */
# Base Requirements
## For Quorum Based Operations
// ANCHOR: requirements
* [Air-gapped bundle](/generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
* Minimum of 2 [Operators](/system-roles.md#operator)
* [Personal PGP key pair](/key-types.md#personal-pgp-keypair) for each operator
* Tamper-proofing equipment
* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo
// ANCHOR_END: requirements
/* ANCHOR_END: all */

6
trove/src/glossary.md → quorum-vault-system/src/glossary.md
View File

@ -10,7 +10,7 @@ using an algorithm, called a cipher.
Entropy in cryptography refers to the measure of randomness or unpredictability
in data used for generating cryptographic keys and other security elements.
## Trove
## Quorum Key Management (QVS)
A set of highly specified processes and tooling used for setting up a highly
resilient quorum-based key management system.
@ -19,7 +19,7 @@ resilient quorum-based key management system.
An individual who manages an [Operator Key](#operator-key) which is used for
protecting the passphrase of a Location key and participates in different
aspects of the lifecycle management of the Trove system.
aspects of the lifecycle management of the QVS system.
## Operator Key
@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is
## Organization
An organization which owns the Trove and is responsible for funding the setup and
An organization which owns the QVS and is responsible for funding the setup and
maintenance. The organization is also responsible for ensuring that the
[Warehouse](#warehouse) is properly maintained in order to ensure that the
ciphertext blobs associated with the system are redundantly stored and

0
trove/src/img/download-airgap-os.png → quorum-vault-system/src/img/download-airgap-os.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 85 KiB

After

Width:  |  Height:  |  Size: 85 KiB

8
trove/src/intro.md → quorum-vault-system/src/intro.md
View File

@ -1,13 +1,13 @@
# Introduction
Trove is an open source system of playbooks and
Quorum Vaulting System (QVS) is an open source system of playbooks and
tooling which facilitates the creation and maintenance of highly resilient
[quorum](glossary.md#quorum)-based key management systems based on a strict
[threat model](threat-model.md) which can be used for a variety of different
cryptographic algorithms. The system was designed and developed by
[Distrust](https://distrust.co), with the generous support of sponsors.
The basic premise of Trove is that primary cryptographic material akin to a root
The basic premise of QVS is that primary cryptographic material akin to a root
certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
during a secure key derivation ceremony, and then used to derive chosen
cryptographic material via different algorithms such as PGP keys, digital asset
@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE.
## Use Cases
Trove can be used for a wide range of use-cases which span but are not limited
QVS can be used for a wide range of use-cases which span but are not limited
to:
* Deriving a PGP key pair whose public key can be used as a "one-way deposit
@ -42,7 +42,7 @@ a cold signing setup.
## Playbooks
Trove can be set up by using a set of highly opinionated playbooks which outline
QVS can be set up by using a set of highly opinionated playbooks which outline
the process. The base documentation should be read in its entirety by all
participants of the ceremony in order to ensure that the system is well
understood by all to ensure that the integrity of the process is preserved and

4
trove/src/key-types.md → quorum-vault-system/src/key-types.md
View File

@ -1,4 +1,4 @@
# PGP Key Types
# Key Types
## Personal PGP Keypair
@ -8,7 +8,7 @@ When bootstrapping a system, the initial PGP keys can be generated using [this g
### Requirements
* MUST not be transferred
* MUST not be transferred
* MUST be generated offline

2
trove/src/local-key-provisioning.md → quorum-vault-system/src/local-key-provisioning.md
View File

@ -1,7 +1,7 @@
# Local Key Provisioning
This document contains instructions on how Operators collaborate to set up
Trove which requires an N-of-M quorum to be reconstituted. The encrypted shards
QVS which requires an N-of-M quorum to be reconstituted. The encrypted shards
which result from this ceremony are stored in separate physical
[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
to which shards are encrypted, and whose passphrases are protected using

2
trove/src/location-key-provisioning.md → quorum-vault-system/src/location-key-provisioning.md
View File

@ -3,7 +3,7 @@
## Description
This ceremony is for generating Location Keys. Location Keys are typically
stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
Location Keys are keypairs to which the Root Entropy of a Trove is sharded. The
Location Keys are keypairs to which the Root Entropy of a QVS is sharded. The
keypairs are stored exclusively on Smart Cards, and the PINs which protect the
Smart Cards are encrypted to Operator Keys.

6
trove/src/locations.md → quorum-vault-system/src/locations.md
View File

@ -30,7 +30,7 @@ This level of defenses is largely focused on remote attacks, and as such does no
* Co-working space
* Regular office (non specific to Trove)
* Regular office (non specific to QVS)
### Reference Design
@ -44,7 +44,7 @@ This level of defenses is focused on insider threats and as such requires a cons
### Examples
* Purpose specific facility for Trove
* Purpose specific facility for QVS
* Short term rental
@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons
locations simultaneously
* SHOULD be facilities owned by different organizations to reduce the risk of
collusion unless the organization who owns the Trove system has their own facility such
collusion unless the organization who owns the QVS system has their own facility such
as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
## Level 4 (SCIF)

0
trove/src/one-time-use-laptop-coin-ceremony.md → quorum-vault-system/src/one-time-use-laptop-coin-ceremony.md
View File

0
trove/src/operator-key-provisioning.md → quorum-vault-system/src/operator-key-provisioning.md
View File

0
trove/src/q&a.md → quorum-vault-system/src/q&a.md
View File

4
trove/src/quorum-team.md → quorum-vault-system/src/quorum-team.md
View File

@ -1,7 +1,7 @@
# Quorum Team
The Quorum Team is a team of individuals who are selected to perform different
roles related to a Trove. Some of the Quorum Team members have ongoing roles,
roles related to a QVS. Some of the Quorum Team members have ongoing roles,
while others may participate in a partial manner.
Depending on the type of actions performed, some or all of the members of the
@ -28,7 +28,7 @@ Controllers may be used to protect access to physical locations - according to
risk appetite.
## Witness
Witnesses are individuals who are familiar with the Trove specification, and can
Witnesses are individuals who are familiar with the QVS specification, and can
ensure that the different aspects of the system are set up correctly, and
processes carried out as they should be. The main objective of the witnesses is
to monitor and attest that processes such as the ceremonies are done according

2
trove/src/sdtool-instructions.md → quorum-vault-system/src/sdtool-instructions.md
View File

@ -19,7 +19,7 @@ This tool is also available via [stagex](https://registry.hub.docker.com/r/stage
* To get container hash: `docker inspect --format='{{json .RepoDigests}}' stagex/sdtool`
* Check the [signatures dir](https://codeberg.org/stagex/stagex/src/branch/main/signatures/stagex) in stagex project for latest signed hashes
1. {{ #include finding-device-name.md:content }}
1. Use `lsblk` to figure out the SD card device name
* Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>

2
trove/src/selecting-quorum.md → quorum-vault-system/src/selecting-quorum.md
View File

@ -1,6 +1,6 @@
# Selecting a Quorum
The backbone of Trove is a Quorum which is used to reconstitute or re-assemble
The backbone of QVS is a Quorum which is used to reconstitute or re-assemble
cryptographic material, and approve actions. Quorum is a general term referring
to a system which requires the collaboration of multiple individuals in order to
achieve something, and it is based on a Threshold which determines how many

0
trove/src/side-channel-attacks.md → quorum-vault-system/src/side-channel-attacks.md
View File

4
trove/src/software.md → quorum-vault-system/src/software.md
View File

@ -1,5 +1,5 @@
# Software
This page outlines the software used for setting up Trove.
This page outlines the software used for setting up QVS.
## [[Stageˣ]](https://codeberg.org/stagex/stagex)
@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
seed, which is used for hierarchical deterministic key derivation.
This software is the backbone for all cryptographic actions performed as part
of Trove. It was developed by [Distrust](https://distrust.co) and is included
of QVS. It was developed by [Distrust](https://distrust.co) and is included
with AirgapOS and has been audited by two firms, NCC and Cure53 with no
significant vulnerabilities found.

43
quorum-vault-system/src/system-roles.md Normal file
View File

@ -0,0 +1,43 @@
# System Roles
There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
## General Requirements
Individuals who are selected for the roles:
* MUST have background checks conducted
* MUST have a clearly defined set of responsibilities
* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
## Provisioner
Responsible for more technical aspects of preparing equipment for ceremonies such as creating air-gapped machines by removing radio cards, and tamper proofing them along with SD cards which are loaded with AirgapOS etc.
## Procurer
Responsible for tasks such as procuring a location, tamper proofing equipment, hardware, and maintaining inventory.
## Proposer
This is an individual who is a business owner or stakeholder, or a financial controller. Their role is to make fiduciary decisions which protect the financial interest of the organization and its clients. Their role is specifically to propose the movement of funds, specifying the amount, origin and destination.
## Approver
This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
## Operator
Trained on how the QVS system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
## Witness
QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred.

18
trove/src/threat-model.md → quorum-vault-system/src/threat-model.md
View File

@ -1,10 +1,10 @@
# Threat Model
Trove is designed according to a high-assurance threat model which ers on the
QVS is designed according to a high-assurance threat model which ers on the
side of making exaggerated, rather than conservative assumptions in order to
build a resilient system.
The assumption is made that attackers who target Trove are extremely
The assumption is made that attackers who target QVS are extremely
sophisticated, well funded and patient attackers, and as such, the full arsenal
of attacks is on the table. This means that the attacker can purchase and
weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
used, or the individuals or locations that hold secret material which is the
backbone of the system.
To achieve this, the Trove focuses on reducing the risk by:
To achieve this, the QVS focuses on reducing the risk by:
* Only using fully open source software and firmware to allow full verification
of their security properties
@ -26,7 +26,7 @@ of their security properties
* Creating custom purpose specific tooling which eliminates dependencies in
order to reduce supply chain attacks, and adds desirable security properties
* Building as much of the software and firmware deterministically as possible - aiming for 100%
* Building as much of the software and firmware deterministically as possible - aiming for 100%
* The [StageX](https://codeberg.org/stagex/stagex) project is the effort towards this end
@ -64,7 +64,7 @@ Some additional assumptions are made to help contextualize the threat model:
## Threat Model Levels
Different threat model levels allow an organization to start benefiting from the security properties of the Trove system immediately, with a clear path to upgrading over time as resources and time become available.
Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available.
Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
@ -140,7 +140,7 @@ This level focuses on defending against insider threats.
* Exploit any vulnerability within 24h of public knowledge
#### Requirements
### Requirements
* All production access:
@ -156,7 +156,7 @@ This level focuses on defending against insider threats.
* MUST be anchored to keys in dedicated HSMs held by each administrator
* Consider OpenPGP or PKCS#11 smart cards that support touch-approval for ssh
* Consider OpenPGP or PKSC#11 smart cards that support touch-approval for ssh
* Any code in the transaction signing trust supply chain:
@ -198,11 +198,11 @@ This level focuses on defending against insider threats.
* App phone stores already anchor to developer held signing keys
#### Reference Design
### Reference Design
* Create offline CA key(s)
* Consider OpenPGP key generated on airgap using keyfork, backed up, and copies transmitted to a smart cards such as a Yubikey
* Consider OpenGPG key generated on airgap using keyfork, backed up, and copies transmitted to a smart cards such as a Yubikey
* CA key smart cards are stored in dual-access tamper evident locations

57
trove/src/SUMMARY.md
View File

@ -1,57 +0,0 @@
# Summary
* [Introduction](intro.md)
* [Threat Model](threat-model.md)
* [Selecting a Quorum](selecting-quorum.md)
* [System Roles](system-roles.md)
* [PGP Key Types](key-types.md)
* [Software](software.md)
* [Location](locations.md)
* [Glossary](glossary.md)
* [Generated Documents]()
* [All Levels]()
* [Create Vaults Repository](generated-documents/all-levels/create-vaults-repository.md)
* [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md)
* [Level 2]()
* [Fixed-Location]()
* [Procurer](generated-documents/level-2/fixed-location/procurer/index.md)
* [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md)
* [Create Inventory Repository](generated-documents/level-2/fixed-location/procurer/create-inventory-repository.md)
* [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md)
* [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
* [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
* [Proposer]()
* [Solana: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/sol-create-transaction-payload.md)
* [Pyth: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/pyth-create-transaction-payload.md)
* [Cosmos: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/cosmos-create-transaction-payload.md)
* [Kyve: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/kyve-create-transaction-payload.md)
* [Seda: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/seda-create-transaction-payload.md)
* [Approver]()
* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
* [Operator](generated-documents/level-2/fixed-location/operator/index.md)
* [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
* [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
* [Namespace Operations]()
* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
* [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
* [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
* [Coins]()
* [Solana]()
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md)
* [Pyth]()
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/pyth/generate-address.md)
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth/sign-and-broadcast-transaction.md)
* [Cosmos - General]()
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md)
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md)
* [Kyve]()
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/kyve/generate-address.md)
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/kyve/sign-and-broadcast-transaction.md)
* [Seda]()
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/seda/generate-address.md)
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/seda/sign-and-broadcast-transaction.md)

6
trove/src/component-documents/finding-device-name.md
View File

@ -1,6 +0,0 @@
/* ANCHOR: all */
// ANCHOR: content
Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
* Mount the device using: `sudo mount /dev/<your_device> /media`
// ANCHOR_END: content
/* ANCHOR_END: all */

18
trove/src/component-documents/git-basics.md
View File

@ -1,18 +0,0 @@
/* ANCHOR: all */
// ANCHOR: content
1. Connect SD card to online linux workstation
1. {{ #include finding-device-name.md:content }}
1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
1. Copy the repository with updated files to an online linux workstation, sign, commit and push to the `vaults` repository:
```
$ cp -r /media/vaults ~/vaults/
$ cd ~/vaults
$ git add .
$ git commit -S -m "<message>"
$ git push origin HEAD
```
// ANCHOR_END: content
/* ANCHOR_END: all */

27
trove/src/component-documents/git-commit-signing.md
View File

@ -1,27 +0,0 @@
/* ANCHOR: all */
# Git Commit Signing
// ANCHOR: steps
1. Retrieve the value of your PGP key ID from smartcard
```
gpg --card-status
```
1. Configure git to sign commits with smartcard
```
$ git config --global user.name <name>
$ git config --global user.email <email>
$ git config --global user.signingKey <pgp_key_id>
$ git config --global commit.gpgsign true
$ git config --global commit.merge true
```
1. Configure ssh to authenticate with smartcard
```
$ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' > ~/.bashrc
$ source ~/.bashrc
```
Note: If you use another shell such as zsh, adjust acccordingly
// ANCHOR_END: steps
/* ANCHOR: all */

7
trove/src/component-documents/linux-workstation.md
View File

@ -1,7 +0,0 @@
/* ANCHOR: all */
# Linux Workstation (Online Machine)
// ANCHOR: content
* Linux Workstation (online machine)
* Any internet connected computer with a Linux shell will suffice
// ANCHOR_END: content
/* ANCHOR_END: all */

26
trove/src/component-documents/sd-formatting.md
View File

@ -1,26 +0,0 @@
# SD Formatting
// ANCHOR: steps
1. Insert a fresh SD card into the SD card slot or connect it via a USB card reader to your computer
* microSD or standard SD card can be used
1. Launch a terminal
1. {{ #include finding-device-name.md: content }}
1. Before formatting, you need to unmount the SD card. Replace `/dev/sdX1` with the actual partition name you identified in the previous step:
* `sudo umount /dev/sdX1`
1. Use the mkfs command to format the SD card. You can choose the file system type (e.g., vfat for FAT32, ext4, etc.). Replace /dev/sdX with the actual device name (without the partition number):
* `sudo mkfs.vfat /dev/sdX`
1. You can verify that the SD card has been formatted by running lsblk again or by checking the file system type:
* `lsblk -f`
1. Once formatting is complete, you can safely remove physically or eject the SD card:
* `sudo eject /dev/sdX`
//ANCHOR_END:steps

3
trove/src/generated-documents/all-levels/create-vaults-repository.md
View File

@ -1,3 +0,0 @@
# Create Ceremony Repository
{{ #include ../../component-documents/vaults-repository.md:content }}

77
trove/src/generated-documents/all-levels/pgp-key-provisioning.md
View File

@ -1,77 +0,0 @@
# Personal PGP Key Provisioning
## Requirements
* [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
* Provided by [Air-Gapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
* Alternative: Create your own from documentation in [AirgapOS Repository](https://git.distrust.co/public/airgap)
* AirgapOS Laptop
* Provided by [Air-Gapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
* Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
{{ #include ../../component-documents/linux-workstation.md:content }}
* 1+ Smart Card
* At least 1 primary smart card
* Any number of backup smart cards
* 1 Transfer SD card
* Document will assume the card is labelled as "TRANSFER"
## Process
1. If using pre-sealed Cold Bundle unseal as follows:
{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
1. Boot AirgapOS Laptop
{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
1. Power down AirgapOS Laptop
1. Switch to Linux Workstation
1. Attach SD card from AirgapOS machine
1. Attach smartcard provisioned with AirgapOS machine
1. Import newly generated public key into local keychain
```
$ gpg --import /media/TRANSFER/*.pub.asc
```
{{ #include ../../component-documents/git-commit-signing.md:steps }}
1. Push new key material to Vaults repository
a. Clone repository (if not done previously)
```
$ git clone <vaults_repository_url> ~/vaults
```
b. Checkout main branch
```
$ cd ~/vaults
$ git checkout main
$ git pull origin main
```
c. Commit and push modifications
```
$ cp /media/TRANSFER/*.asc keys/all
$ git add .
$ git commit -S -m "add <name> pgp key"
$ git push origin main
```
1. Communicate your new key fingerprint to all other participants:
* Preferred: In person
* Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
1. Get confirmation they have imported your key to their keychains
* e.g. `gpg --import <your_key_id>.asc`
* Confirm this is done for keyrings on workstations used to interact with the Vaults repository

85
trove/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md
View File

@ -1,85 +0,0 @@
# Approver - Approve Transaction
The approver is responsible for verifying a transaction proposed by a [proposer](../../../../system-roles.md).
## Requirements
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
{{ #include ../../../../component-documents/linux-workstation.md:content }}
* [SD Card Pack](../provisioner/provision-sd-card.md)
* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
* The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the `vaults` repo
* Clone the [Vaults Repository](../../../all-levels/create-vaults-repository.md) for your organization to the machine
## Procedure
1. Turn on online linux workstation
1. Pull the latest changes from the `vaults` repository
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug a fresh SD card into the online linux workstation
1. Save the `vaults` repository to the SD card, referred to as the Ceremony SD card
1. Unplug the Ceremony SD card
1. Unseal the tamper proofed bundle
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
1. Once booted, unplug the AirgapOS SD card
1. Plug in the Ceremony SD card
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the git repo locally from the Ceremony SD card and change into it
```
$ cp -r /media/vaults /root/vaults
$ cd /root/vaults
```
1. Plug in the Operator smart card
1. Verify the existing signatures and add your own signature:
* `icepick workflow --add-signature-to-quorum <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated vaults repo to the SD card
* `cp -r /root/vaults /media`
1. Unplug the SD card from the air-gapped machine
1. Plug in the SD card into the online linux workstation
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
1. Copy the updated repository locally and change into it:
```
$ cp -r /media/vaults ~/
$ cd ~/vaults
```
1. Stage, sign, commit and push changes to the ceremonies repository:
```
$ git add <namespace>/ceremonies/<date>/payloads/*
$ git commit -S -m "add payload signature for payload_<num>.json"
$ git push origin main
```
1. Tamper proof the AirgapOS and Air-gapped laptop
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

43
trove/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md
View File

@ -1,43 +0,0 @@
# Cosmos: Generate Address
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Offline Machine: Generate Address
{{ #include ../template-gen-address-0.md:content }}
1. Generate a new address:
* `icepick workflow cosmos generate-address --chain-name <chain-name> --account $account_id > $account_id.json`
{{ #include ../template-gen-address-1.md:content }}
### Online Machine: Updating Vaults Repository
1. Turn on online linux workstation
{{ #include ../../../../../../component-documents/git-basics.md:content }}

130
trove/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md
View File

@ -1,130 +0,0 @@
# Solana: Sign and Broadcast Transaction
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Online Machine: Acquire Nonce
1. Turn on online linux workstation
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
* e.g `vaults/<namespace>/<coin>/0-na.txt`
* Set the nonce address variable:
```
$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
```
1. Set `ICEPICK_DATA_DIRECTORY`:
{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
```
$ export ICEPICK_DATA_DIRECTORY=/media/external/
```
1. set `ICEPICK_CONFIG_FILE`
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
```
1. Run the command:
```
$ icepick workflow cosmos broadcast --chain-name <chain-name> --nonce-address=$nonce_address
```
* Await completion message before removing Ceremony SD card
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
### Offline Machine: Create and Sign Transaction
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Start Keyfork using the relevant Shardfile:
```
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
1. Follow on screen prompts
1. Set `ICEPICK_DATA_DIRECTORY`:
```
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
```
1. Run the `icepick` command with the transaction payload
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
```
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Broadcast Transaction: Online Machine
1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine
1. The still running broadcast command on the online machine will broadcast the transaction automatically
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
```
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
```
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Repeat
1. You may repeat previous steps as many times as necessary to process all workflow payloads
## Finalization
1. Shut down online linux workstation
1. Shut down the air gapped machine
### Sealing
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

45
trove/src/generated-documents/level-2/fixed-location/operator/coins/kyve/generate-address.md
View File

@ -1,45 +0,0 @@
# Kyve: Generate Address
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Offline Machine: Generate Address
{{ #include ../template-gen-address-0.md:content }}
1. Generate a new address:
* `icepick workflow cosmos generate-address --chain-name kyve --account $account_id > $account_id.json`
The option `--chain-name` can use `kyve`, `kaon` (testnet), and `korellia` (devnet)
{{ #include ../template-gen-address-1.md:content }}
### Online Machine: Updating Vaults Repository
1. Turn on online linux workstation
{{ #include ../../../../../../component-documents/git-basics.md:content }}

132
trove/src/generated-documents/level-2/fixed-location/operator/coins/kyve/sign-and-broadcast-transaction.md
View File

@ -1,132 +0,0 @@
# Kyve: Sign and Broadcast Transaction
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Online Machine: Acquire Nonce
1. Turn on online linux workstation
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
* e.g `vaults/<namespace>/<coin>/0-na.txt`
* Set the nonce address variable:
```
$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
```
1. Set `ICEPICK_DATA_DIRECTORY`:
{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
```
$ export ICEPICK_DATA_DIRECTORY=/media/external/
```
1. set `ICEPICK_CONFIG_FILE`
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
```
1. Run the command:
```
$ icepick workflow cosmos broadcast --chain-name kyve --nonce-address=$nonce_address
```
The option `--chain-name` can use `kyve`, `kaon` (testnet), and `korellia` (devnet)
* Await completion message before removing Ceremony SD card
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
### Offline Machine: Create and Sign Transaction
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Start Keyfork using the relevant Shardfile:
```
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
1. Follow on screen prompts
1. Set `ICEPICK_DATA_DIRECTORY`:
```
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
```
1. Run the `icepick` command with the transaction payload
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
```
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Broadcast Transaction: Online Machine
1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine
1. The still running broadcast command on the online machine will broadcast the transaction automatically
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
```
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
```
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Repeat
1. You may repeat previous steps as many times as necessary to process all workflow payloads
## Finalization
1. Shut down online linux workstation
1. Shut down the air gapped machine
### Sealing
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

102
trove/src/generated-documents/level-2/fixed-location/operator/coins/pyth/generate-address.md
View File

@ -1,102 +0,0 @@
# Pyth: Generate Address
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Offline Machine: Generate Address
{{ #include ../template-gen-address-0.md:content }}
1. Generate a new address:
```
$ icepick workflow sol generate-address --account $account_id > $account_id.json
```
{{ #include ../template-gen-address-1.md:content }}
### Online Machine: Generate Nonce Account
1. Turn on online machine
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Copy the `vaults` repository from the Ceremony SD card:
```
$ cp -r /media/vaults ~/
```
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
1. Ensure `icepick` is available on system
* Follow steps from [installation guide](TODO)
1. Change directory into the desired \<namespace>/\<coin> directory:
```
$ cd ~/vaults/<namespace>/<coin>
```
1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
```
$ ls -la .
```
1. Once you have selected the appropriate account, set the account_id variable:
```
$ account_id=<num>
```
1. Use `icepick` to generate nonce account:
* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
* Set `icepick` config file:
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
```
```
$ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
```
* Repeat command if returned message is "The transaction was possibly not received by the cluster."
1. Fund the wallet displayed on-screen with 0.01 SOL
* Once the funding is done, the nonce account will be created
1. Stage, commit, sign and push the changes:
```
$ git add .
$ git commit -m -S "<message>"
$ git push origin HEAD
```
### Sealing
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

1
trove/src/generated-documents/level-2/fixed-location/operator/coins/pyth/sign-and-broadcast-transaction.md
View File

@ -1 +0,0 @@
# Sign and Broadcast Transaction

45
trove/src/generated-documents/level-2/fixed-location/operator/coins/seda/generate-address.md
View File

@ -1,45 +0,0 @@
# Seda: Generate Address
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Offline Machine: Generate Address
{{ #include ../template-gen-address-0.md:content }}
1. Generate a new address:
* `icepick workflow cosmos generate-address --chain-name seda --account $account_id > $account_id.json`
The option `--chain-name` can use `seda` or `seda-devnet`.
{{ #include ../template-gen-address-1.md:content }}
### Online Machine: Updating Vaults Repository
1. Turn on online linux workstation
{{ #include ../../../../../../component-documents/git-basics.md:content }}

132
trove/src/generated-documents/level-2/fixed-location/operator/coins/seda/sign-and-broadcast-transaction.md
View File

@ -1,132 +0,0 @@
# Seda: Sign and Broadcast Transaction
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Online Machine: Acquire Nonce
1. Turn on online linux workstation
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
* e.g `vaults/<namespace>/<coin>/0-na.txt`
* Set the nonce address variable:
```
$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
```
1. Set `ICEPICK_DATA_DIRECTORY`:
{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
```
$ export ICEPICK_DATA_DIRECTORY=/media/external/
```
1. set `ICEPICK_CONFIG_FILE`
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
```
1. Run the command:
```
$ icepick workflow cosmos broadcast --chain-name seda --nonce-address=$nonce_address
```
The option `--chain-name` can use `seda` or `seda-devnet`.
* Await completion message before removing Ceremony SD card
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
### Offline Machine: Create and Sign Transaction
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Start Keyfork using the relevant Shardfile:
```
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
1. Follow on screen prompts
1. Set `ICEPICK_DATA_DIRECTORY`:
```
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
```
1. Run the `icepick` command with the transaction payload
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
```
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
```
* Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Broadcast Transaction: Online Machine
1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine
1. The still running broadcast command on the online machine will broadcast the transaction automatically
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
```
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
```
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Repeat
1. You may repeat previous steps as many times as necessary to process all workflow payloads
## Finalization
1. Shut down online linux workstation
1. Shut down the air gapped machine
### Sealing
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

102
trove/src/generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md
View File

@ -1,102 +0,0 @@
# Solana: Generate Address
## Requirements
{{ #include ../../../../operator-requirements.md:requirements }}
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Offline Machine: Generate Address
{{ #include ../template-gen-address-0.md:content }}
1. Generate a new address:
```
$ icepick workflow sol generate-address --account $account_id > $account_id.json
```
{{ #include ../template-gen-address-1.md:content }}
### Online Machine: Generate Nonce Account
1. Turn on online machine
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
1. Copy the `vaults` repository from the Ceremony SD card:
```
$ cp -r /media/vaults ~/
```
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
1. Ensure `icepick` is available on system
* Follow steps from [installation guide](TODO)
1. Change directory into the desired \<namespace>/\<coin> directory:
```
$ cd ~/vaults/<namespace>/<coin>
```
1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
```
$ ls -la .
```
1. Once you have selected the appropriate account, set the account_id variable:
```
$ account_id=<num>
```
1. Use `icepick` to generate nonce account:
* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
* Set `icepick` config file:
```
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
```
```
$ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
```
* Repeat command if returned message is "The transaction was possibly not received by the cluster."
1. Fund the wallet displayed on-screen with 0.01 SOL
* Once the funding is done, the nonce account will be created
1. Stage, commit, sign and push the changes:
```
$ git add .
$ git commit -m -S "<message>"
$ git push origin HEAD
```
### Sealing
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

42
trove/src/generated-documents/level-2/fixed-location/operator/coins/template-gen-address-0.md
View File

@ -1,42 +0,0 @@
/* ANCHOR: all */
// ANCHOR: content
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Turn on air-gapped machine
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. Copy the `vaults` repository to the machine and switch to it
```
$ cp -r /media/vaults /root/
$ cd /root/vaults
```
1. Start Keyfork using the relevant Shardfile:
```
$ keyfork recover shard --daemon <namespace>/shardfile.asc
```
* Follow on screen prompts
1. If the desired `<coin>` directory doesn't exist for the namespace, create it:
```
$ mkdir -p <namespace>/<coin>
```
1. Connect to the appropriate coin directory:
```
$ cd <namespace>/<coin>/
```
1. Check what the latest address account is:
```
$ ls -la .
```
1. Find what the latest number for the address is, and add 1 to it. This will be the new address account.
* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0`
* Set an environment variable with the new account_id:
```
$ account_id=<num>
```
// ANCHOR_END: content
/* ANCHOR_END: all */

22
trove/src/generated-documents/level-2/fixed-location/operator/coins/template-gen-address-1.md
View File

@ -1,22 +0,0 @@
/* ANCHOR: all */
// ANCHOR: content
1. Sign the file using:
* Import OpenPGP keys:
* `gpg --import /media/vaults/keys/all/*.asc`
* `gpg --detach-sign $account_id.json`
1. You may repeat the previous steps, starting at the step where the `account_id` is set.
1. Once finished, copy the updated repository back to the Ceremony SD card:
* `cp -rf /root/vaults /media/`
1. Shut down the air gapped machine
1. Unplug the Ceremony SD card and place it into High Visibility Storage
// ANCHOR_END: content
/* ANCHOR_END: all */

45
trove/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md
View File

@ -1,45 +0,0 @@
# Decrypt Namespace Secret
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
{{ #include template-ceremony-setup.md:content }}
1. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine
1. Copy the Ceremony SD Card contents to machine
* `cp -r /media/vaults /root/`
1. Start `keyfork` using the relevant Shardfile:
```
$ keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc
```
* Follow on screen prompts
1. Derive the OpenPGP root certificate:
```
$ keyfork derive openpgp > secret_key.asc
```
1. Decrypt the secret material:
* `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted`
1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.
1. Shut down the air gapped machine
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

59
trove/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md
View File

@ -1,59 +0,0 @@
# Export Namespace Mnemonic
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
1. Enter the designated location with the quorum of operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Place Ceremony SD card in High Visibility Storage
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
1. Recover the mnemonic from an existing shardfile
* `keyfork shard combine /media/vaults/<namespace>/shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
1. Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Put the mnemonic on an SD card for transport or use `cat` command to output it in the terminal for entry into a hardware wallet or otherwise
* WARNING: if displaying on screen, ensure nothing else can see the mnemonic. It is recommended to cover the operator and the machine with a blanket to obstruct the view of the screen.
1. Shut down the air gapped machine
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

68
trove/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md
View File

@ -1,68 +0,0 @@
# Namespace Entropy Ceremony
This is a ceremony for generating and sharding entropy to a set of existing Quorum Keys.
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
{{ #include template-ceremony-setup.md:content }}
1. Plug the Ceremony SD card into the machine
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
* Replace the values: <path_to_input_shard>, <pgp_user_id>
```
$ keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "Your Name <your@email.co>" --output certificate.asc'
```
1. Unseal an SD card pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all unsealed SD cards into High Visibility Storage
1. Plug in the Ceremony SD card
1. Back up the files
```
$ cp shardfile.asc /media/vaults/<namespace>/
$ cp certificate.asc /media/vaults/<namespace>/
$ cp -r /media/vaults /root/
```
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
1. `cp -r /root/vaults /media/`
1. Unplug the SD card
1. Label the SD card "Ceremony [date]"
1. Place the SD caard in High Visibility Storage
1. Power down the air-gapped machine
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
{{ #include ../../../../component-documents/git-basics.md:content }}
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

68
trove/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md
View File

@ -1,68 +0,0 @@
# Quorum Entropy Ceremony
This is a ceremony for generating entropy which is used to derive Quorum PGP keys, load them into smart cards and shard entropy to them.
## Requirements
{{ #include ../../operator-requirements.md:requirements }}
* [Ceremony SD Card](./ceremony-sd-card-provisioning.md)
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
* `N` Smart Cards in the chosen `M of N` quorum
* High Visibility Storage: plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
## Procedure
{{ #include template-ceremony-setup.md:content }}
1. Run the relevant keyfork operation to perform the ceremony:
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
```
$ keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "Your Name <your@email.co>" --output certificate.asc'
```
1. Unseal an SD card pack by following tamper proofing steps:
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all unsealed SD cards into High Visibility Storage
1. Plug in the Ceremony SD card
1. Back up the files
```
$ cp shardfile.asc /media/vaults/<namespace>/
$ cp keyring.asc /media/vaults/<namespace>/
$ cp certificate.asc /media/vaults/<namespace>/
$ cp -r /media/vaults /root/
```
1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
1. Plug in fresh SD card
1. `cp -r /root/vaults /media/`
1. Unplug the SD card
1. Label the SD card "Ceremony [date]"
1. Place the SD card in High Visibility Storage
1. Power down the air-gapped machine
1. Transfer the ceremony artifacts to online linux workstation using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
{{ #include ../../../../component-documents/git-basics.md:content }}
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

Some files were not shown because too many files have changed in this diff Show More