Makefile

@@ -1,24 +1,24 @@
 PORT := 8080
 .PHONY: default
-default: build-trove
+default: build-qvs
 
 out:
 	mkdir -p out
 
-.PHONY: build-trove
-build-trove: out/trove/index.json
-out/trove/index.json: out Containerfile.trove $(shell find quorum-vault-system -type f)
-	mkdir -p out/trove
+.PHONY: build-qvs
+build-qvs: out/qvs/index.json
+out/qvs/index.json: out Containerfile.qvs $(shell find quorum-vault-system -type f)
+	mkdir -p out/qvs
 	docker \
 		build \
-		-f Containerfile.trove \
-		--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-trove,tar=true,dest=- \
+		-f Containerfile.qvs \
+		--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-qvs,tar=true,dest=- \
 		. \
-	| tar -C out/trove -mx
+	| tar -C out/qvs -mx
 
-.PHONY: serve-trove
-serve-trove: build-trove
-	tar -C out/trove -cf - . | docker load
-	docker run -p $(PORT):8080 git.distrust.co/public/docs-trove
+.PHONY: serve-qvs
+serve-qvs: build-qvs
+	tar -C out/qvs -cf - . | docker load
+	docker run -p $(PORT):8080 git.distrust.co/public/docs-qvs
 
 

quorum-vault-system/README.md

@@ -1,6 +1,6 @@
-# Trove
+# Quorum Key Management (QVS)
 
-Trove is an open source system of playbooks and tooling which
+Quorum Key Management (QVS) is an open source system of playbooks and tooling which
 facilitates the creation and maintenance of highly resilient Quorum-based Key
 Management Systems based on a strict threat model which can be used for a
 variety of different cryptographic algorithms.

quorum-vault-system/book.toml

@@ -3,7 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
 language = "en"
 multilingual = false
 src = "src"
-title = "Trove"
-
-[output.html]
-additional-css = ["theme/custom.css"]
+title = "Quorum Vault System (QVS)"

quorum-vault-system/src/SUMMARY.md

@@ -0,0 +1,45 @@
+# Summary
+* [Introduction](intro.md)
+    * [Threat Model](threat-model.md)
+    * [Selecting a Quorum](selecting-quorum.md)
+    * [System Roles](system-roles.md)
+    * [PGP Key Types](key-types.md)
+    * [Software](software.md)
+    * [Location](locations.md)
+    * [Glossary](glossary.md)
+* [Generated Documents]()
+    * [All Levels]()
+        * [Create Vaults Repository](generated-documents/all-levels/create-vaults-repository.md)
+        * [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md)
+    * [Level 2]()
+        * [Fixed-Location]()
+            * [Procurer](generated-documents/level-2/fixed-location/procurer/index.md)
+                * [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md)
+                * [Create Inventory Repository](generated-documents/level-2/fixed-location/procurer/create-inventory-repository.md)
+                * [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md)
+                * [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
+                * [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
+            * [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
+                * [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
+                * [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
+                * [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
+            * [Proposer]()
+                * [Solana: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/sol-create-transaction-payload.md)
+                * [Cosmos: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/cosmos-create-transaction-payload.md)
+            * [Approver]()
+                * [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
+            * [Operator](generated-documents/level-2/fixed-location/operator/index.md)
+                * [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
+                * [Ceremony SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
+                * [Namespace Operations]()
+                    * [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
+                    * [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
+                    * [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
+                    * [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
+                * [Coins]()
+                    * [Solana]()
+                        * [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
+                        * [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md)
+                    * [Cosmos]()
+                        * [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md)
+                        * [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md)

quorum-vault-system/src/component-documents/finding-device-name.md

@@ -0,0 +1,6 @@
+/* ANCHOR: all */
+// ANCHOR: content
+Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
+    * Mount the device using: `sudo mount /dev/<your_device> /media`
+// ANCHOR_END: content
+/* ANCHOR_END: all */

quorum-vault-system/src/component-documents/git-basics.md

@@ -4,14 +4,14 @@
 
 1. {{ #include finding-device-name.md:content }}
 
-1. If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
+1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
 
 1. Copy the repository with updated files to an online linux workstation, sign, commit and push to the `vaults` repository:
     ```
-    $ cp -r /media/trove ~/trove/
-    $ cd ~/trove
+    $ cp -r /media/vaults ~/vaults/
+    $ cd ~/vaults
     $ git add .
-    $ git commit -S -m "<message>"
+    $ git commit -m -S "<message>"
     $ git push origin HEAD
     ```
 // ANCHOR_END: content

quorum-vault-system/src/component-documents/git-commit-signing.md

@@ -12,8 +12,8 @@
     $ git config --global user.name <name>
     $ git config --global user.email <email>
     $ git config --global user.signingKey <pgp_key_id>
-    $ git config --global commit.gpgsign true
-    $ git config --global commit.merge true
+    $ git config --global commit.gpgsign = true
+    $ git config --global commit.merge = true
     ```
 
 1. Configure ssh to authenticate with smartcard

quorum-vault-system/src/component-documents/gui-git-commit.md

@@ -0,0 +1,58 @@
+/* ANCHOR: all */
+# Committing Using Git Graphical User Interface
+
+The GitKraken tool can be used to produce commits with data.
+
+    - [ ] TODO deterministic build of GitKraken / custom tool for this
+    - [ ] TODO maybe it's better to train the team to use `git` in the terminal for now until we have a better tool because GitKraken introduces a lot of surface area for attacks
+
+# GitKraken Guide: Create a File, Edit in VS Code, and Commit
+// ANCHOR: steps
+1. Clone the Repository
+    * Launch the GitKraken application.
+    * Clone the ceremony repository:
+        * Click on the **"Clone"** button on the left sidebar.
+        * Enter the repository URL you want to clone.
+        * Choose a local directory where you want to save the repository.
+        * Click **"Clone the repo"**.
+
+1. Create a new file
+    * **Navigate to the repository**: Make sure you are in the cloned repository in GitKraken.
+    * **Create a new file**:
+        * Right-click on the folder where you want to create the file in the left sidebar.
+        * Select **"New File"**.
+        * Name your file (e.g., `<file_name>`).
+
+1. Open the File in Visual Studio Code
+    * **Open Visual Studio Code**:
+        * Right-click on the newly created file
+        * Select **"Open in External Editor"** (this should open the file in Visual Studio Code)
+
+1. Add content to the file
+    * In Visual Studio Code, type a simple JSON blob. For example:
+     ```json
+     {
+       "name": "Sample",
+       "version": "1.0.0",
+       "description": "This is a sample JSON blob."
+     }
+     ```
+    * Save the file: Press `Ctrl + S` (or `Cmd + S` on Mac) to save the changes.
+
+1. Stage the changes
+    * **Return to GitKraken**: Go back to GitKraken.
+    * **Stage the File**:
+        * In the left sidebar, you will see the file you just created under the **"Unstaged Files"** section.
+        * Click the checkbox next to `<file_name>` to stage the file.
+
+1. Commit the Changes
+    * **Commit the Changes**:
+        * In the commit message box at the bottom, type a commit message (e.g., "Add <file_name> with sample JSON blob").
+        * Click the **"Commit changes"** button.
+
+1. Push the Changes (if needed)
+    * Push to remote repository:
+        * If you want to push your changes to the remote repository, click the **"Push"** button in the top toolbar.
+// ANCHOR_END: steps
+
+/* ANCHOR_END: all */

quorum-vault-system/src/component-documents/hardware-models.md

@@ -18,8 +18,6 @@
 ## SD Cards
 // ANCHOR: sd-models
 
-1 GB is sufficient space for all Trove purposes.
-
 * [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
 
 * [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)

quorum-vault-system/src/component-documents/openpgp-setup.md

@@ -19,7 +19,7 @@
     $ export KEYFORK_OPENPGP_EXPIRE=2y
     ```
 
-1. Generate a mnemonic, and shard (encrypt) it to the newly-generated key:
+1. Generate a mnemonic, encrypting to a newly-generated key:
 
 	Ensure the User ID is your name and your email.
 
@@ -33,17 +33,6 @@
 
 	Note: The PIN can't use sequential numbers, characters or repeated patterns.
 
-	---
-
-	Alternatively, if the user wants to see the mnemonic, and encrypt it in a
-	different manner, the `--encrypt-to-self encrypted.asc` portion of the
-	command can be ommited and the command piped into a file by appending
-	`> mnemonic.txt` to the end of the command.
-
-    ```
-	$ keyfork mnemonic generate --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"' > mnemonic.txt
-    ```
-
 // ANCHOR_END: steps-keyfork
 
 ## Generating Keys on Smartcard

quorum-vault-system/src/component-documents/physical-artifact-storage.md

@@ -0,0 +1,44 @@
+# Physical Artifact Storage
+
+QVS requires that some of the hardware containing cryptographic material be
+securely stored in physical locations. The two primary cases where physical
+storage is necessary are the storage of Location Key Smart Cards, and Operator
+Key Smart Cards. These Smart Cards are necessary to successfully execute a
+ceremony.
+
+There are two primary physical artifacts which need to be stored properly:
+
+* Operator Smart Cards
+
+* Location Smart Cards
+
+## Operator Smart Cards
+
+These cards should be stored by Operators in personal vaults using a high
+quality hidden safe, or in a vaulting facility such as a bank vault, or a
+private vaulting provider.
+
+## Location Smart Cards
+
+These cards should only be stored in secure vaults which meet the criteria
+outlined for Storage Locations in the [Location](locations.md) document.
+
+## Additional Criteria
+
+* MUST apply glitter nail polish to screws/seams of hardware casing, and take
+photographs. It's best to use nail polish where the glitter is of different
+sizes and colors.
+
+* MAY put the hardware in a vacuum sealed bag with confetti, and take
+photographs.
+
+* MUST place smart cards in a tamper proof bag, whose picture is taken upon
+sealing, and stored along with other [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+* SHOULD provision all GPG keys to at least two smart cards, ideally made
+by different manufacturers in order to decrease the likelihood that they both
+simultaneously experience a hardware failure.
+
+* SHOULD place the smart cards in anti-static bags
+
+* SHOULD place the smart cards in a faraday bag

quorum-vault-system/src/component-documents/public-ceremony-artifact-storage.md

@@ -0,0 +1,35 @@
+# Redundant Storage of Ceremony Artifacts
+
+Ceremony Artifacts consist of data which is not sensitive in nature, but
+essential to ongoing operation of a QVS.
+
+The primary artifacts which are produced during the ceremony are:
+
+* PGP Key Certificates
+
+* Shard Files
+
+* Pin Files
+
+* Pictures of tamper proof measures such as tamper proof bags, glitter applied
+to bags, or hardware, such as screws on the bottoms of laptops etc. Pictures
+should be cryptographically signed to prevent tampering.
+
+## Key Principles
+
+* MUST verify that all Public Artifacts generated during the Ceremonies are
+present in the Ceremony Artifacts bundle.
+
+* MUST store all Ceremony Artifacts in at least 2 different cloud storage
+systems. Some options are:
+
+    * AWS S3
+
+    * Google Cloud Platform Storage
+
+    * Azure Storage
+
+    * GitHub
+
+* The data SHOULD have proper access controls, and only be accessible to
+authorized personnel who are part of the organization.

quorum-vault-system/src/component-documents/tamper-evidence-methods.md

@@ -114,9 +114,6 @@ Sealing bags of standard size objects which need to be protected can fit in. The
 #### Sealing
 // ANCHOR: vsbwf-procedure-sealing
 
-	<details>
-	<summary>Vacuum sealing based tamper proofing</summary>
-
 1. Insert object(s) into plastic sealing bag
 
 1. Fill bag with enough plastic beads that most of the object is surrounded
@@ -128,39 +125,18 @@ Sealing bags of standard size objects which need to be protected can fit in. The
 1. Date and sign the polaroid photographs and store them in a local lock box
 
 1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.
-	</details>
-
-	<details>
-	<summary>Safe based tamper proofing</summary>
-
-	1. Place items into safe
-
-	1. Ensure the safe is properly locked
-	</details>
 
 // ANCHOR_END: vsbwf-procedure-sealing
 
 #### Unsealing
 // ANCHOR: vsbwf-procedure-unsealing
 
-	<details>
-	<summary>Vacuum sealing based tamper proofing</summary>
-
     a. Retrieve digital/physical photographs of both sides of sealed bundle
 
     b. Compare all photographs to object for differences
 
     c. Proceed with unsealing the object if no differences are detected
-	</details>
 
-	<details>
-	<summary>Safe based tamper proofing</summary>
-
-	1. Inspect the safe for any signs of tampering
-
-	1. Retrieve items from the safe
-
-	</details>
 // ANCHOR_END: vsbwf-procedure-unsealing
 
 // ANCHOR_END: vsbwf-procedure
@@ -243,20 +219,6 @@ Some examples include:
 
 Placing objects into a safe helps improve the security of objects, and introduces an additional layer of tamper evidence.
 
-## Safe Operations
-// ANCHOR: safe-sealing
-
-	1. Place items into safe
-
-	1. Ensure the safe is properly locked
-// ANCHOR_END: safe-sealing
-
-// ANCHOR: safe-unsealing
-
-	1. Inspect the safe for any signs of tampering
-
-	1. Retrieve items from the safe
-// ANCHOR_END: safe-unsealing
 ## References
 
 * [Blog About Tamper Evident Protection Methods](http://web.archive.org/web/20241130002204/https://dys2p.com/en/2021-12-tamper-evident-protection.html)
@@ -269,4 +231,5 @@ Placing objects into a safe helps improve the security of objects, and introduce
 
 * [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/)
 // ANCHOR_END: entire-doc
+
 /* ANCHOR_END: all */

quorum-vault-system/src/component-documents/vaults-repository.md

@@ -1,7 +1,7 @@
 /* ANCHOR: all */
 # Vaults Repository
 
-// ANCHOR: data
+// ANCHOR: content
 This repository holds data pertaining to vaults. The primary data consists of:
 
 * Operation proposals
@@ -19,9 +19,7 @@ This repository holds data pertaining to vaults. The primary data consists of:
 * Policies (such as spending rules)
 
 * Ceremony logs 
-// ANCHOR_END: data
 
-// ANCHOR: content
 ## Directives
 
 * MUST be a private repository

quorum-vault-system/src/flashing-iso.md

@@ -0,0 +1,21 @@
+# Flash ISO Image to a Storage Device
+
+1. Select a new Storage Device which can be overwritten entirely
+
+1. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name)
+
+1. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need
+to replace `<your_storage_device>` with the name of your device.
+
+```bash
+sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/<your_thumb_drive> status=progress
+```
+
+In the example, the name of the device is `sda` so the complete command would look like this:
+
+```bash
+sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress
+```
+
+Once this step is complete, you have successfully set up a Storage Device
+with AirgapOS.

quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md

@@ -49,11 +49,11 @@
 
 	a. Clone repository (if not done previously)
     ```
-    $ git clone <vaults_repository_url> ~/trove
+    $ git clone <vaults_repository_url> ~/vaults
     ```
 	b. Checkout main branch
     ```
-    $ cd ~/trove
+    $ cd ~/vaults
     $ git checkout main
     $ git pull origin main
     ```

quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md

@@ -30,9 +30,9 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
 
 1. Plug a fresh SD card into the online linux workstation
 
-1. Save the `vaults` repository to the SD card, referred to as the Trove SD card
+1. Save the `vaults` repository to the SD card, referred to as the Ceremony SD card
 
-1. Unplug the Trove SD card
+1. Unplug the Ceremony SD card
 
 1. Unseal the tamper proofed bundle
 
@@ -42,13 +42,13 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
 
 1. Once booted, unplug the AirgapOS SD card
 
-1. Plug in the Trove SD card
+1. Plug in the Ceremony SD card
 
 1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
 
-1. Copy the git repo locally from the Trove SD card and change into it
+1. Copy the git repo locally from the Ceremony SD card and change into it
 	```
-	$ cp -r /media/trove /root/vaults
+	$ cp -r /media/vaults /root/vaults
 	$ cd /root/vaults
 	```
 1. Plug in the Operator smart card
@@ -71,8 +71,8 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
 
 1. Copy the updated repository locally and change into it:
 	```
-	$ cp -r /media/trove ~/
-	$ cd ~/trove
+	$ cp -r /media/vaults ~/
+	$ cd ~/vaults
 	```
 1. Stage, sign, commit and push changes to the ceremonies repository:
 	```

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md

@@ -1,4 +1,4 @@
-# Trove SD Card Provisioning
+# Ceremony SD Card Provisioning
 
 ## Requirements
 
@@ -24,7 +24,7 @@
 
 1. Write the ceremony repo data to the SD card:
 
-    `sudo cp -r trove/ /media`
+    `sudo cp -r vaults/ /media`
 
 1. Unplug the SD card 
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md

@@ -10,7 +10,7 @@
 
 * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
 
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
+* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
 
 ## Procedure
 
@@ -18,7 +18,7 @@
 
 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
 
-1. Place Trove SD card in High Visibility Storage
+1. Place Ceremony SD card in High Visibility Storage
 
 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
 
@@ -32,7 +32,7 @@
 
 1. Generate a new address:
 
-    * `icepick workflow cosmos generate-address --chain-name <chain-name> --account $account_id > $account_id.json`
+    * `icepick workflow cosmos generate-address --account $account_id > $account_id.json`
 
 {{ #include ../template-gen-address-1.md:content }}
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md

@@ -10,7 +10,7 @@
 
 * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
 
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
+* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
 
 ## Procedure
 
@@ -18,7 +18,7 @@
 
 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
 
-1. Place Trove SD card in High Visibility Storage
+1. Place Ceremony SD card in High Visibility Storage
 
 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
 
@@ -26,39 +26,6 @@
 
 1. Place all contents except for the laptop into High Visibility Storage
 
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow cosmos broadcast --chain-name <chain-name> --nonce-address=$nonce_address
-	```
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-
 ### Offline Machine: Create and Sign Transaction
 
 1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
@@ -67,13 +34,13 @@
 
 1. Unplug the AirgapOS SD card and place it in High Visibility Storage
 
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
+1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
 
 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
 
 1. Start Keyfork using the relevant Shardfile:
 	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
+	$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
 	```
 	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
 
@@ -85,29 +52,33 @@
 	```
 1. Run the `icepick` command with the transaction payload
 
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
+	* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
 	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
+	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
 	```
 	* Follow on screen prompts
 
-1. Unplug the Trove SD card and place it in High Visibility Storage
+1. Unplug the Ceremony SD card and place it in High Visibility Storage
 
 ### Broadcast Transaction: Online Machine
 
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
+1. Power on linux workstation
 
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
+1. Retrieve Ceremony SD from High Visibility Storage and plug it into linux workstation
+
+1. Run the broadcast command:
+	```
+	$ keyfork workflow cosmos broadcast --input-file <payload.json> --nonce-address=<nonce_address>
+	```
+	* The `<nonce_address>` is the principal or primary address
 
 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
 
 1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
 	```
 	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
 	```
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
+1. Unplug the Ceremony SD card and place it in High Visibility Storage
 
 ### Repeat
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md

@@ -10,7 +10,7 @@
 
 * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
 
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
+* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
 
 ## Procedure
 
@@ -18,7 +18,7 @@
 
 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
 
-1. Place Trove SD card in High Visibility Storage
+1. Place Ceremony SD card in High Visibility Storage
 
 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
 
@@ -41,23 +41,36 @@
 
 1. Turn on online machine
 
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
+1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
 
 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
 
-1. Copy the `vaults` repository from the Trove SD card:
+1. Copy the `vaults` repository from the Ceremony SD card:
 	```
-    $ cp -r /media/trove ~/
+    $ cp -r /media/vaults ~/
 	```
-    * If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
+    * If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
+
+1. Ensure `keyfork` is available on the system:
+
+    * Follow steps from [installation guide](https://git.distrust.co/public/keyfork#install)
 
 1. Ensure `icepick` is available on system
 
     * Follow steps from [installation guide](TODO)
 
+1. Set unsafe `keyfork` usage variable:
+	```
+    $ export INSECURE_HARDWARE_ALLOWED=1
+	```
+	* [Bug: user shouldn't have to set this insecure config. Issue #34 fixes this.](https://git.distrust.co/public/icepick/issues/34)
+1. Generate throwaway mnemonic to generate address which will be used for funding the creation of nonce account:
+	```
+    $ keyfork mnemonic generate | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
+	```
 1. Change directory into the desired \<namespace>/\<coin> directory:
 	```
-    $ cd ~/trove/<namespace>/<coin>
+    $ cd ~/vaults/<namespace>/<coin>
 	```
 1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
 	```
@@ -69,20 +82,20 @@
 	```
 1. Use `icepick` to generate nonce account:
 
-	* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
+    * The following command will need to be updated to use the appropriate \<cluster>, which can be `devnet`, `testnet` or `mainnet-beta`
 
     * Set `icepick` config file:
 	```
     $ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
 	```
 	```
-    $ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
+    $ icepick workflow sol generate-nonce-account --authorization-address "$(cat $account_id.txt)" --input-file $account_id.json > $account_id-na.json
 	```
     * Repeat command if returned message is "The transaction was possibly not received by the cluster."
 
-1. Fund the wallet displayed on-screen with 0.01 SOL
+1. Airdrop the wallet displayed on-screen with 0.01 SOL
 
-    * Once the funding is done, the nonce account will be created
+    * Once the airdrop is done, nonce account will be created
 
 1. Stage, commit, sign and push the changes:
     ```

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md

@@ -10,7 +10,7 @@
 
 * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
 
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
+* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
 
 ## Procedure
 
@@ -18,7 +18,7 @@
 
 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
 
-1. Place Trove SD card in High Visibility Storage
+1. Place Ceremony SD card in High Visibility Storage
 
 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
 
@@ -30,15 +30,15 @@
 
 1. Turn on online linux workstation
 
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
+1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
 
 1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
 
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
+	* e.g `vaults/<namespace>/<coin>/0-na.txt`
 
 	* Set the nonce address variable:
 	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
+	$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
 	```
 1. Set `ICEPICK_DATA_DIRECTORY`:
 
@@ -55,7 +55,7 @@
 	```
 	$ icepick workflow sol broadcast --nonce-address=$nonce_address
 	```
-	* Await completion message before removing Trove SD card
+	* Await completion message before removing Ceremony SD card
 
 	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
 
@@ -67,13 +67,13 @@
 
 1. Unplug the AirgapOS SD card and place it in High Visibility Storage
 
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
+1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
 
 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
 
 1. Start Keyfork using the relevant Shardfile:
 	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
+	$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
 	```
 
 	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
@@ -86,17 +86,17 @@
 	```
 1. Run the `icepick` command with the transaction payload
 
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
+	* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
 	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
+	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
 	```
 	* Follow on screen prompts
 
-1. Unplug the Trove SD card and place it in High Visibility Storage
+1. Unplug the Ceremony SD card and place it in High Visibility Storage
 
 ### Broadcast Transaction: Online Machine
 
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
+1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine
 
 1. The still running broadcast command on the online machine will broadcast the transaction automatically
 
@@ -108,7 +108,7 @@
 	$ rm $ICEPICK_DATA_DIRECTORY/nonce.json
 	```
 
-1. Unplug the Trove SD card and place it in High Visibility Storage
+1. Unplug the Ceremony SD card and place it in High Visibility Storage
 
 ### Repeat
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/template-gen-address-0.md

@@ -6,11 +6,11 @@
 
 1. Unplug the AirgapOS SD card and place it in High Visibility Storage
 
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
+1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
 
 1. Copy the `vaults` repository to the machine and switch to it
     ```
-	$ cp -r /media/trove /root/
+	$ cp -r /media/vaults /root/
 	$ cd /root/vaults
     ```
 1. Start Keyfork using the relevant Shardfile:

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/template-gen-address-1.md

@@ -5,18 +5,18 @@
 
     * Import OpenPGP keys:
 
-        * `gpg --import /media/trove/keys/all/*.asc`
+        * `gpg --import /media/<device_name>/vaults/keys/all/*.asc`
 
-    * `gpg --detach-sign $account_id.json`
+    * `gpg --detach-sign $account_id.txt`
 
 1. You may repeat the previous steps, starting at the step where the `account_id` is set.
 
-1. Once finished, copy the updated repository back to the Trove SD card:
+1. Once finished, copy the updated repository back to the Ceremony SD card:
 
     * `cp -rf /root/vaults /media/`
 
 1. Shut down the air gapped machine
 
-1. Unplug the Trove SD card and place it into High Visibility Storage
+1. Unplug the Ceremony SD card and place it into High Visibility Storage
 // ANCHOR_END: content
 /* ANCHOR_END: all */

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md

@@ -4,7 +4,7 @@
 
 {{ #include ../../operator-requirements.md:requirements }}
 
-* [Trove SD Card](../operator/ceremony-sd-card-provisioning.md)
+* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
 
 * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
 
@@ -12,15 +12,15 @@
 
 {{ #include template-ceremony-setup.md:content }}
 
-1. Retrieve Trove SD Card from High Visibility Storage and plug it into the machine
+1. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine
 
-1. Copy the Trove SD Card contents to machine
+1. Copy the Ceremony SD Card contents to machine
 
-    * `cp -r /media/trove /root/`
+    * `cp -r /media/vaults /root/`
 
 1. Start `keyfork` using the relevant Shardfile:
 	```
-	$ keyfork recover shard --daemon /root/trove/<namespace>/shardfile.asc
+	$ keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc
 	```
     * Follow on screen prompts
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md

@@ -16,7 +16,7 @@ Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) i
 
 1. Encrypt the secret to certificate:
 
-    * `sq encrypt --without-signature --for-file <certificate> <file_to_encrypt> --output encrypted.asc`
+    * `sq encrypt --for-file <certificate> <file_to_encrypt> --output encrypted.asc` 
 
 1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the `vaults` repository
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md

@@ -6,7 +6,7 @@
 
 * [SD Card Pack](../procurer/procure-sd-card-pack.md)
 
-* [Trove SD Card](../operator/ceremony-sd-card-provisioning.md) 
+* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md) 
 
 * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
 
@@ -16,7 +16,7 @@
 
 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
 
-1. Place Trove SD card in High Visibility Storage
+1. Place Ceremony SD card in High Visibility Storage
 
 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
 
@@ -30,15 +30,15 @@
 
 1. Unplug the AirgapOS SD card and place it in High Visibility Storage
 
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine 
+1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine 
 
 1. Recover the mnemonic from an existing shardfile
 
-    * `keyfork shard combine /media/trove/<namespace>/shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
+    * `keyfork shard combine /media/vaults/<namespace>/shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
 
 1. Follow on screen prompts
 
-1. Unplug the Trove SD card and place it in High Visibility Storage
+1. Unplug the Ceremony SD card and place it in High Visibility Storage
 
 1. Unseal the SD Card Pack 
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md

@@ -8,7 +8,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 * [SD Card Pack](../procurer/procure-sd-card-pack.md)
 
-* [Trove SD Card](../operator/ceremony-sd-card-provisioning.md)
+* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
 
 * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
 
@@ -16,13 +16,13 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 {{ #include template-ceremony-setup.md:content }}
 
-1. Plug the Trove SD card into the machine
+1. Plug the Ceremony SD card into the machine
 
 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
 
     * Replace the values: <path_to_input_shard>, <pgp_user_id>
 	```
-    $ keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "Your Name <your@email.co>" --output certificate.asc'
+    $ keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc
 	```
 
 1. Unseal an SD card pack
@@ -31,13 +31,13 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Place all unsealed SD cards into High Visibility Storage
 
-1. Plug in the Trove SD card
+1. Plug in the Ceremony SD card
 
 1. Back up the files
     ```
-    $ cp shardfile.asc /media/trove/<namespace>/
-    $ cp certificate.asc /media/trove/<namespace>/
-    $ cp -r /media/trove /root/
+    $ cp shardfile.asc /media/vaults/<namespace>/
+    $ cp certificate.asc /media/vaults/<namespace>/
+    $ cp -r /media/vaults /root/
     ```
 
 1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
@@ -54,7 +54,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
 
 1. Power down the air-gapped machine
 
-1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Trove SD card
+1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
 
 {{ #include ../../../../component-documents/git-basics.md:content }}
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md

@@ -6,7 +6,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 {{ #include ../../operator-requirements.md:requirements }}
 
-* [Trove SD Card](./ceremony-sd-card-provisioning.md)
+* [Ceremony SD Card](./ceremony-sd-card-provisioning.md)
 
 * [SD Card Pack](../procurer/procure-sd-card-pack.md)
 
@@ -22,7 +22,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
     * Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
 	```
-	$ keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "Your Name <your@email.co>" --output certificate.asc'
+	$ keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc
 	```
 
 1. Unseal an SD card pack by following tamper proofing steps:
@@ -31,14 +31,14 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 1. Place all unsealed SD cards into High Visibility Storage
 
-1. Plug in the Trove SD card
+1. Plug in the Ceremony SD card
 
 1. Back up the files
     ```
-    $ cp shardfile.asc /media/trove/<namespace>/
-    $ cp keyring.asc /media/trove/<namespace>/
-    $ cp certificate.asc /media/trove/<namespace>/
-    $ cp -r /media/trove /root/
+    $ cp shardfile.asc /media/vaults/<namespace>/
+    $ cp keyring.asc /media/vaults/<namespace>/
+    $ cp certificate.asc /media/vaults/<namespace>/
+    $ cp -r /media/vaults /root/
     ```
 
 1. To create additional backups of the updated `vaults` repository, plug in SD cards one at a time and use following steps to back up ceremony artifacts
@@ -55,7 +55,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
 
 1. Power down the air-gapped machine
 
-1. Transfer the ceremony artifacts to online linux workstation using one of the SD cards and commit the changes made to the `vaults` repository that's on the Trove SD card
+1. Transfer the ceremony artifacts to online linux workstation using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
 
 {{ #include ../../../../component-documents/git-basics.md:content }}
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md

@@ -40,7 +40,7 @@ All hardware:
 
 For [Level 2](../../../../threat-model.md#level-2) security, air-gapped computers which are used for cryptographic material management and operations are required.
 
-{{ #include ../../../../hardware.md:computer-models }}
+{{ #include ../../hardware.md:computer-models }}
 
 ### SD Cards & Adapters
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md

@@ -10,7 +10,7 @@ These items don't require dual custody and can be purchased at any location.
 
 ### Digital camera
 
-{{ #include ../../../../hardware.md:camera-models}}
+{{ #include ../../hardware.md:camera-models}}
 
 ### Polaroid camera
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/cosmos-create-transaction-payload.md

@@ -0,0 +1,27 @@
+# Cosmos: Create Transaction Payload
+
+{{ #include template-create-tx-0.md:content }}
+
+1. Use icepick to generate and sign the payload by running one of the following available workflows:
+	#### Stake
+	Stake coins on the provided chain.
+
+	`$ icepick workflow cosmos stake --delegate-address <delegate-address> --validator-address <validator-address> --chain-name <chain-name> --asset-name <asset-name> --asset-amount <asset-amount> --gas-factor <gas-factor> --export-for-quorum --sign`
+
+	#### Transfer
+	Transfer coins on the cosmos blockchain.
+
+	`$ icepick workflow cosmos transfer --from-address <from-address> --to-address <to-address> --asset-name <asset-name> --asset-amount <asset-amount> --export-for-quorum --sign`
+
+	#### Withdraw
+	Withdraw staked coins from a validator. Staked coins may be held for an unbonding period, depending on the chain upon which they are staked.
+
+	`$ icepick workflow cosmos withdraw --delegate-address <delegate-address> --validator-address <validator-address> --asset-name <asset-name> --gas-factor <gas-factor> --export-for-quorum-sign`
+
+
+	#### Withdraw Rewards
+	Withdraw rewards gained from staking to a validator.
+
+	`$ icepick workflow cosmos withdraw-rewards --delegate-address <delegate-address> --validator-address <validator-address> --gas-factor <gas-factor> --export-for-quorum-sign`
+
+{{ #include template-create-tx-1.md:content }}

quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/sol-create-transaction-payload.md

@@ -11,10 +11,6 @@
 	#### Transfer Token
 	Transfer SPL tokens on Solana blockchain.
 
-	The following SPL tokens, provided to `--token-name`, are supported:
-
-	* [PYTH](https://www.pyth.network/)
-
 	`$ icepick workflow sol transfer-token --from-address <from-address> --to-address <to-address> --token-name <token-name> --token-amount <token-amount> --export-for-quorum --sign`
 
 {{ #include template-create-tx-1.md:content }}

quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/template-create-tx-0.md

@@ -31,11 +31,11 @@
 
 1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
 
-1. Save the `vaults` repo to the SD card, referred to as the Trove SD card
+1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card
 	```
-	$ cp -r ~/trove/ /media
+	$ cp -r ~/vaults/ /media
 	```
-1. Unplug the Trove SD card
+1. Unplug the Ceremony SD card
 
 1. Unseal the tamper proofed bundle
 
@@ -45,11 +45,11 @@
 
 1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
 
-1. Plug in the Trove SD card
+1. Plug in the Ceremony SD card
 
-1. Copy the git repo locally from the Trove SD card and change to it
+1. Copy the git repo locally from the Ceremony SD card and change to it
 	```
-	$ cp -r /media/trove /root
+	$ cp -r /media/vaults /root
 	$ cd /root/vaults
 	```
 1. Create a new payloads directory in the `vaults` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist

quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/template-create-tx-1.md

@@ -10,8 +10,8 @@
 
 1. Copy the updated repository locally and switch to it:
 	```
-	$ cp -r /media/trove ~/
-	$ cd ~/trove
+	$ cp -r /media/vaults ~/
+	$ cd ~/vaults
 	```
 1. Stage, sign, commit and push the changes to the ceremonies repository:
 	```

quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md

@@ -36,7 +36,7 @@
 
 1. Flash `airgap.iso` to an SD Card:
 
-    * `dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync`
+    * `dd if=out/airgap.iso of=/dev/<device_name> bs=4M status=progress conv=fsync`
 
 1. Reset the computer, and boot the SD card 
 

quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md

@@ -0,0 +1,3 @@
+# Provision Ceremony Repository
+
+{{ #include ../../../../component-documents/vaults-repository.md:content }}

quorum-vault-system/src/generated-documents/level-2/hardware.md

@@ -0,0 +1,47 @@
+/* ANCHOR: all */
+# Hardware for Level 2 Threat Model
+
+## Computers 
+
+* Computers for this use are are appropriate as long as they are compatible with AirgapOS. At this level, the essential aspect of hardware procurement is to ensure dual custody at all times. Outside of that any additional protections are welcome but not necessary.
+
+* Laptops with chargers over ports which don't allow data transfer is preferred (non USB etc.)
+
+// ANCHOR: computer-models 
+
+* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
+    * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
+
+* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
+    * [Disassembly Manual](https://www.insidemylaptop.com/how-to-disassemble-lenovo-ideapad-flex-5-1470-model-81c9/)
+
+* [Purism Librem 14](https://puri.sm/products/librem-14/)
+
+* [Nova Custom](https://novacustom.com/de/) (Untested)
+
+* [NitroPad](https://shop.nitrokey.com/shop?&search=nitropad) (Untested)
+
+* Computers which are compatible which can be verified via [this guide](https://git.distrust.co/public/airgap#hardware-compatibility)
+
+// ANCHOR_END: computer-models
+
+## Digital Camera
+// ANCHOR: camera-models
+
+* MUST have >10MP
+
+// ANCHOR_END: camera-models
+
+### Models
+// ANCHOR:digital-cameras
+
+* Modern phone cameras
+
+* [Kodak PIXPRO Friendly Zoom FZ43-BK 16MP Digital Camera with 4X Optical Zoom and 2.7" LCD Screen](https://www.amazon.com/Kodak-Friendly-FZ43-BK-Digital-Optical/dp/B01CG62D00)
+    
+* [Kodak PIXPRO Friendly Zoom FZ43-BK 16MP Digital Camera with 4X Optical Zoom and 2.7" LCD Screen](https://www.amazon.com/KODAK-Friendly-FZ45-BK-Digital-Optical/dp/B0B8PDHRWY)
+
+* [Sony Cyber-Shot DSC-W800](https://www.amazon.com/Sony-DSCW800-Digital-Camera-Black/dp/B00I8BIBCW)
+
+// ANCHOR_END:digital-cameras
+/* ANCHOR_END: all */

quorum-vault-system/src/glossary.md

@@ -10,7 +10,7 @@ using an algorithm, called a cipher.
 Entropy in cryptography refers to the measure of randomness or unpredictability
 in data used for generating cryptographic keys and other security elements.
 
-## Trove
+## Quorum Key Management (QVS)
 
 A set of highly specified processes and tooling used for setting up a highly
 resilient quorum-based key management system.
@@ -19,7 +19,7 @@ resilient quorum-based key management system.
 
 An individual who manages an [Operator Key](#operator-key) which is used for
 protecting the passphrase of a Location key and participates in different
-aspects of the lifecycle management of the Trove system.
+aspects of the lifecycle management of the QVS system.
 
 ## Operator Key
 
@@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is
 
 ## Organization
 
-An organization which owns the Trove and is responsible for funding the setup and
+An organization which owns the QVS and is responsible for funding the setup and
 maintenance. The organization is also responsible for ensuring that the
 [Warehouse](#warehouse) is properly maintained in order to ensure that the
 ciphertext blobs associated with the system are redundantly stored and

quorum-vault-system/src/intro.md

@@ -1,13 +1,13 @@
 # Introduction
 
-Trove is an open source system of playbooks and
+Quorum Vaulting System (QVS) is an open source system of playbooks and
 tooling which facilitates the creation and maintenance of highly resilient
 [quorum](glossary.md#quorum)-based key management systems based on a strict
 [threat model](threat-model.md) which can be used for a variety of different
 cryptographic algorithms. The system was designed and developed by
 [Distrust](https://distrust.co), with the generous support of sponsors.
 
-The basic premise of Trove is that primary cryptographic material akin to a root
+The basic premise of QVS is that primary cryptographic material akin to a root
 certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
 during a secure key derivation ceremony, and then used to derive chosen
 cryptographic material via different algorithms such as PGP keys, digital asset
@@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE.
 
 ## Use Cases
 
-Trove can be used for a wide range of use-cases which span but are not limited
+QVS can be used for a wide range of use-cases which span but are not limited
 to:
 
 * Deriving a PGP key pair whose public key can be used as a "one-way deposit
@@ -42,7 +42,7 @@ a cold signing setup.
 
 ## Playbooks
 
-Trove can be set up by using a set of highly opinionated playbooks which outline
+QVS can be set up by using a set of highly opinionated playbooks which outline
 the process. The base documentation should be read in its entirety by all
 participants of the ceremony in order to ensure that the system is well
 understood by all to ensure that the integrity of the process is preserved and

quorum-vault-system/src/local-key-provisioning.md

@@ -0,0 +1,53 @@
+# Local Key Provisioning
+
+This document contains instructions on how Operators collaborate to set up
+QVS which requires an N-of-M quorum to be reconstituted. The encrypted shards
+which result from this ceremony are stored in separate physical
+[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
+to which shards are encrypted, and whose passphrases are protected using
+[Operator Keys](glossary#operator-key).
+
+
+### Requirements
+
+* [Smart Card](hardware.md#smart-cards): whatever number of smart
+cards you would like to have seeded for each Operator, usually 2 per Operator is
+recommended - one NitroKey 3 and 1 YubiKey Series 5.
+
+* [Storage Devices](hardware.md#storage-device): as many storage
+devices as you would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+* Storage Device loaded with
+	* [airgap.iso](repeat-use-airgapos.md)
+	* [airgap.iso.asc](repeat-use-airgapos.md)
+	* [autorun.sh](autorun-sh-setup.md)
+
+* All participants need Ceremony Notes which contain a record of which they
+verified and wrote down themselves:
+	* The SHA256 hash of airgap.iso
+	* The SHA256 hash of autorun.sh
+
+### Steps
+
+1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
+established [Location](locations.md)
+
+2. Ensure that no participants have brought digital devices other than ones
+necessary for the ceremony. A faraday bag may be used to hold any such devices
+for the duration of the ceremony.
+
+3. Plug in a new Storage Device
+
+4. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+
+5. As prompted plug in new Smart Cards
+
+6. Once the ceremony is complete, make as many copies of the Storage Device
+from Step 3 as desired.
+
+7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+8. Follow the [Public Ceremony Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony
+

quorum-vault-system/src/location-key-provisioning.md

@@ -0,0 +1,117 @@
+# Location Key Provisioning
+
+## Description
+This ceremony is for generating Location Keys. Location Keys are typically
+stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
+Location Keys are keypairs to which the Root Entropy of a QVS is sharded. The
+keypairs are stored exclusively on Smart Cards, and the PINs which protect the
+Smart Cards are encrypted to Operator Keys.
+
+## Requirements
+* Smart Card(s): whatever number of smart cards you would like to have seeded
+for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
+1 YubiKey Series 5.
+
+* [Storage Devices](equipment.md#storage-device): as many storage devices as you
+would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+## Steps
+
+1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
+established [Location](locations.md)
+
+2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+or the [One Time Use Airgap-OS](TODO)
+
+3. Provision new key in the selected secure environment
+
+    * Set system time to date greater than operator key creation but less than
+    operator key expiry
+
+        * `date -s "YYYY-MM-DD HH:MM:SS"`
+
+    * Load your personal PGP certificate which will be used as the Operator
+    Key in to the local keyring
+
+        * `gpg --import /media/<operator_key_id>`
+
+    * Generate the mnemonic:
+
+        * `keyfork mnemonic generate --size 256 > mnemonic.txt`
+
+    * Write the mnemonic on a small piece of paper as you will need to enter the
+    words in the next step. After entering the words, set the piece of paper
+    on fire (that's why it should be small enough - to make burning it easy)
+
+    * In a new terminal window start `keyfork` daemon with the mnemonic:
+
+        * `export KEYFORKD_SOCKET_PATH=/tmp/keyforkd.socket`
+
+        * `keyfork recover mnemonic`
+
+        * ctrl + z
+
+        * `bg`
+
+    * Derive PGP keypair:
+
+        * `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > location.priv.asc`
+
+    * Provision two YubiKey:
+
+        * To get the `smart_card_id`: `oct list`
+
+        * `oct admin --card <smart_card_id> import location.priv.asc`
+
+        *  `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5 }' > smart-card-pin.txt`
+
+        * `oct pin --card <smart_card_id> set-user`
+
+            * Enter the <smart_card_pin>
+
+        * `oct pin --card <smart_card_id> set-admin`
+
+            * Enter the <smart_card_pin>
+
+    * Import PGP key into keyring
+
+        * `gpg --import location.priv.asc`
+
+    * Encrypt and back up the `mnemonic.txt`
+
+        * `gpg -er <operator_key_id> mnemonic.txt`
+
+        * `cp mnemonic.txt.gpg /media`
+
+    * Encrypt and back up the `smart-card-pin`
+
+        * `gpg -er <operator_key_id> smart-card-pin.txt`
+
+        * `cp smart-card-pin.txt.gpg /media`
+
+    * Export and back up `location.pub.asc`
+
+        * `gpg --armor --export <location_key_id> > location.pub.asc`
+
+        * `cp location.pub.asc /media`
+
+    * Duplicate all backup files to a second SD card:
+
+        * `mnemonic.txt.gpg`, `smart-card-pin.gpg`, `location.pub.asc`
+
+    * Copy the `location.pub.asc` to the SD card that was used to bring over
+    the operator key. This will be used to bring the public key to the Hybrid
+    Ceremony Later on:
+
+        * `cp location.pub.asc /media`
+
+    * For posterity, delete all the generated assets before shutting down
+    computer:
+
+        * `rm -rf *`
+
+4. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+5. Follow the [Public Ceremony Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony

quorum-vault-system/src/locations.md

@@ -30,7 +30,7 @@ This level of defenses is largely focused on remote attacks, and as such does no
 
 * Co-working space
 
-* Regular office (non specific to Trove)
+* Regular office (non specific to QVS)
 
 ### Reference Design 
 
@@ -44,7 +44,7 @@ This level of defenses is focused on insider threats and as such requires a cons
 
 ### Examples
 
-* Purpose specific facility for Trove
+* Purpose specific facility for QVS
 
 * Short term rental
 
@@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons
     locations simultaneously
 
 * SHOULD be facilities owned by different organizations to reduce the risk of
-collusion unless the organization who owns the Trove system has their own facility such
+collusion unless the organization who owns the QVS system has their own facility such
 as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
 
 ## Level 4 (SCIF)

quorum-vault-system/src/one-time-use-laptop-coin-ceremony.md

@@ -0,0 +1,7 @@
+# One Time Use Laptop Ceremony
+
+## Threat Model
+
+One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards.
+
+This flow is the same as [portable reusable laptop ceremony](portable-reusable-laptop-ceremony.md) except instead of tamper proofing the hardware at the end of the ceremony, it is destroyed.

quorum-vault-system/src/operator-key-provisioning.md

@@ -0,0 +1,44 @@
+# Operator Key Provisioning
+
+## Description
+This guide can be used for provisioning Operator key pairs, and the output of
+the ceremony is a set of the following for each Operator:
+* Smart Card(s) seeded with PGP keys
+* Storage Device with a backup of:
+    * PGP key pair public key
+
+## Requirements
+* Smart Card(s): whatever number of smart cards you would like to have seeded
+for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
+1 YubiKey Series 5.
+
+* [Storage Devices](hardware.md#storage-device): as many storage devices as you
+would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+## Playbook
+
+### Steps
+This playbook allows the setup of any number of Operator Keys. For each Operator,
+the steps that follow need to be repeated.
+
+1. Bring the Ceremony Machine and [Quorum](selecting-quorum.md) team into the
+established [Location](locations.md)
+
+2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+
+3. Plug in a new Storage Device
+
+4. Run `keyfork wizard operator` TODO: this command is not part of `keyfork` yet
+
+5. As prompted plug in new Smart Cards
+
+6. Once the ceremony is complete, make as many copies of the Storage Device
+from Step 3 as desired.
+
+7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+8. Follow the [Online Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony
+
+

quorum-vault-system/src/quorum-team.md

@@ -0,0 +1,40 @@
+# Quorum Team
+
+The Quorum Team is a team of individuals who are selected to perform different
+roles related to a QVS. Some of the Quorum Team members have ongoing roles,
+while others may participate in a partial manner.
+
+Depending on the type of actions performed, some or all of the members of the
+Quorum may be required to participate. For example, it is recommended that there
+is at least 1 witness for all sensitive actions, but having 3 witnesses during
+the primary Key Derivation Ceremony can give better assurances that the most
+crucial part of the ceremony was properly conducted.
+
+The roles which are required for the Quorum Team are the following:
+
+## Operator
+Operators are individuals who protect [Smart Cards](equipment.md) which
+store a [GPG Key Certificate](glossary.md#gpg-certificate), which is used
+for encrypting information, such as the [Location Key](glossary.md#location-key)
+PINs as well as other [Ceremony Artifacts](reduntant-storage-of-ceremony-artifacts.md).
+They are also individuals who participate in Ceremonies in order to Reconstitute
+the key and perform actions with it.
+
+## Controller
+Controllers are an additional optional role which can be used to protect access
+to the physical locations which hold the Location Keys. Some vaulting solutions
+allow for requiring more than 1 individual in order to access a vault. Multiple
+Controllers may be used to protect access to physical locations - according to
+risk appetite.
+
+## Witness
+Witnesses are individuals who are familiar with the QVS specification, and can
+ensure that the different aspects of the system are set up correctly, and
+processes carried out as they should be. The main objective of the witnesses is
+to monitor and attest that processes such as the ceremonies are done according
+to the strictly prescribed rules.
+
+## Courier
+This role can be fulfilled by members of the Quorum Team and their main role is
+getting materials to their designated locations - the main task being getting
+the Location Keys securely to their physical location.

quorum-vault-system/src/sdtool-instructions.md

@@ -0,0 +1,39 @@
+/* ANCHOR: all */
+# sdtool Usage Guide
+
+[`sdtool`](https://github.com/BertoldVdb/sdtool) is a tool for locking the contents of a SD card by means of burning a physical fuse.
+
+> It is relatively unknown that SD/MMC cards also have an electronic write protection system. Every card has two programmable flags, one for temporary write protection and one to lock the card forever. Writing these flags is not supported by most SD host devices. To remedy this, this page presents a program that allows a Linux host to configure the protection register.
+
+This tool is also available via [stagex](https://registry.hub.docker.com/r/stagex/sdtool). The binary can be exported from the image by doing the following:
+
+// ANCHOR: steps
+1. Get deterministically built binary of `sdtool` from StageX: 
+    * `docker pull stagex/sdtool`
+
+1. Extracting binary:
+    * Run docker container: `docker create -p 4000:80 --name sdtool stagex/sdtool`
+      * Copy image to tar: `docker export <container_id> -o sdtool.tar`
+      * Extract binary from tar: `mkdir -p sdtool-dir | tar -xvf sdtool.tar -C sdtool-dir | cp sdtool-dir/usr/bin/sdtool ./sdtool`
+      * You can verify the container hash:
+          * To get container hash: `docker inspect --format='{{json .RepoDigests}}'  stagex/sdtool`
+          * Check the [signatures dir](https://codeberg.org/stagex/stagex/src/branch/main/signatures/stagex) in stagex project for latest signed hashes
+
+1. {{ #include finding-device-name.md:content }}
+
+    * Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
+
+1. `./sdtool /dev/<device_name> permlock`
+
+1. Test that the card can't be written to:
+
+    * Create a test file: 
+        
+        * `echo "test" > test.txt`
+
+    * Try writing the file to the SD card
+        
+        * `dd if=./test.txt of=/dev/<device_name> bs=1M conv=sync status=progress`
+
+// ANCHOR_END: steps
+/* ANCHOR_END: all */

quorum-vault-system/src/selecting-quorum.md

@@ -1,6 +1,6 @@
 # Selecting a Quorum
 
-The backbone of Trove is a Quorum which is used to reconstitute or re-assemble
+The backbone of QVS is a Quorum which is used to reconstitute or re-assemble
 cryptographic material, and approve actions. Quorum is a general term referring
 to a system which requires the collaboration of multiple individuals in order to
 achieve something, and it is based on a Threshold which determines how many

quorum-vault-system/src/software.md

@@ -1,5 +1,5 @@
 # Software
-This page outlines the software used for setting up Trove.
+This page outlines the software used for setting up QVS.
 
 ## [[Stageˣ]](https://codeberg.org/stagex/stagex)
 
@@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
 seed, which is used for hierarchical deterministic key derivation.
 
 This software is the backbone for all cryptographic actions performed as part
-of Trove. It was developed by [Distrust](https://distrust.co) and is included
+of QVS. It was developed by [Distrust](https://distrust.co) and is included
 with AirgapOS and has been audited by two firms, NCC and Cure53 with no
 significant vulnerabilities found.
 

quorum-vault-system/src/system-roles.md

@@ -0,0 +1,43 @@
+# System Roles
+
+There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
+
+To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum.
+
+## General Requirements
+
+Individuals who are selected for the roles:
+
+* MUST have background checks conducted
+
+* MUST have a clearly defined set of responsibilities
+
+* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
+
+## Procurer
+
+Responsible for tasks such as procuring a location, tamper proofing equipment, hardware, and maintaining inventory.
+
+## Provisioner
+
+Responsible for more technical aspects of preparing equipment for ceremonies such as creating air-gapped machines by removing radio cards, and tamper proofing them along with SD cards which are loaded with AirgapOS etc.
+
+## Proposer
+
+This is an individual who is a business owner or stakeholder, or a financial controller. Their role is to make fiduciary decisions which protect the financial interest of the organization and its clients. Their role is specifically to propose the movement of funds, specifying the amount, origin and destination.
+
+## Approver
+
+This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
+
+## Operator
+
+Trained on how the QVS system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
+
+Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
+
+As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
+
+## Witness
+
+QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the security-critical processes. While it is not required that a Witness be a trained Operator, it is highly preferred.

quorum-vault-system/src/threat-model.md

@@ -1,10 +1,10 @@
 # Threat Model
 
-Trove is designed according to a high-assurance threat model which ers on the
+QVS is designed according to a high-assurance threat model which ers on the
 side of making exaggerated, rather than conservative assumptions in order to
 build a resilient system.
 
-The assumption is made that attackers who target Trove are extremely
+The assumption is made that attackers who target QVS are extremely
 sophisticated, well funded and patient attackers, and as such, the full arsenal
 of attacks is on the table. This means that the attacker can purchase and
 weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
@@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
 used, or the individuals or locations that hold secret material which is the
 backbone of the system.
 
-To achieve this, the Trove focuses on reducing the risk by:
+To achieve this, the QVS focuses on reducing the risk by:
 
 * Only using fully open source software and firmware to allow full verification
 of their security properties
@@ -64,7 +64,7 @@ Some additional assumptions are made to help contextualize the threat model:
 
 ## Threat Model Levels
 
-Different threat model levels allow an organization to start benefiting from the security properties of the Trove system immediately, with a clear path to upgrading over time as resources and time become available.
+Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available.
 
 Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
 

trove/src/SUMMARY.md

@@ -1,70 +0,0 @@
-# Summary
-* [Introduction](intro.md)
-    * [Threat Model](threat-model.md)
-    * [Selecting a Quorum](selecting-quorum.md)
-    * [System Roles](system-roles.md)
-    * [PGP Key Types](key-types.md)
-    * [Software](software.md)
-    * [Location](locations.md)
-    * [Q&A](questions-and-answers.md)
-    * [Glossary](glossary.md)
-* [Level 1](generated-documents/level-1/intro.md)
-	* [Procure Hardware](generated-documents/level-1/procure-hardware.md)
-	* [Provision Laptop](generated-documents/level-1/provision-laptop.md)
-	* [Provision AirgapOS](generated-documents/level-1/provision-airgapos.md)
-	* [Provision Trove Git Repository](generated-documents/level-1/create-vaults-repository.md)
-	* [Provision Entropy & PGP Keypair](generated-documents/level-1/provision-entropy-and-pgp.md)
-	* [Cryptographic Operations]()
-		* [Digital Assets]()
-			* [Solana]()
-				* [Generate Address](generated-documents/level-1/cryptographic-operations/digital-assets/solana/generate-address.md)
-				* [Create Payload](generated-documents/level-1/cryptographic-operations/digital-assets/solana/create-payload.md)
-				* [Sign and Broadcast Tx](generated-documents/level-1/cryptographic-operations/digital-assets/solana/sign-and-broadcast-tx.md)
-			* [Cosmos]()
-			* [Bitcoin - coming soon]()
-			* [Ethereum - coming soon]()
-* [Level 2]()
-	* [Personal PGP Key Generation](generated-documents/level-2/fixed-location/pgp-key-provisioning.md)
-	* [Procurer](generated-documents/level-2/fixed-location/procurer/index.md)
-		* [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md)
-		* [Create Inventory Repository](generated-documents/level-2/fixed-location/procurer/create-inventory-repository.md)
-		* [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md)
-		* [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
-		* [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
-	* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
-		* [Provision Trove Git Repository](generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md)
-		* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
-		* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
-		* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
-	* [Proposer]()
-		* [Solana: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/sol-create-transaction-payload.md)
-		* [Pyth: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/pyth-create-transaction-payload.md)
-		* [Cosmos: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/cosmos-create-transaction-payload.md)
-		* [Kyve: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/kyve-create-transaction-payload.md)
-		* [Seda: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/seda-create-transaction-payload.md)
-	* [Approver]()
-		* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
-	* [Operator](generated-documents/level-2/fixed-location/operator/index.md)
-		* [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
-		* [Trove SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
-		* [Namespace Operations]()
-			* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
-			* [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
-			* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
-			* [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
-		* [Digital Assets]()
-			* [Solana]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md)
-			* [Pyth]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/pyth/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth/sign-and-broadcast-transaction.md)
-			* [Cosmos - General]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md)
-			* [Kyve]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/kyve/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/kyve/sign-and-broadcast-transaction.md)
-			* [Seda]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/seda/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/seda/sign-and-broadcast-transaction.md)

trove/src/component-documents/airgapos.md

@@ -1,68 +0,0 @@
-/* ANCHOR: all */
-
-// ANCHOR: requirements
-
-
-// ANCHOR-END: requirements
-
-// ANCHOR: procedure
-1. Turn on one of the computers - this one will be used for writing the SD cards
-
-1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.
-
-1. Use the `make reproduce` command
-
-1. Unseal the SD Card Pack
-
-{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-
-1. Label each SD card that will be used "AirgapOS [date]"
-
-1. Place all the SD cards into High Visibility Storage
-
-1. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built
-
-1. {{ #include finding-device-name.md:content }}
-
-1. Hash the .iso file and make note of it (it will be required later)
-
-	* `sha256sum out/airgap.iso`
-
-1. Flash `airgap.iso` to an SD Card:
-
-    * `dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync`
-
-1. Reset the computer, and boot the SD card
-
-1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
-
-    * Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
-
-1. `./sdtool /dev/<device_name> permlock`
-
-1. Once burned, unplug the SD card
-
-1. Plug the SD card into a different computer from the one that was used to write the SD card
-
-1. Boot the computer
-
-1. Open a terminal
-
-1. Verify the card can't be written to:
-
-    * `echo "42" | dd of=/dev/<device_name>`
-
-1. Verify the contents on the SD card match the recorded hash
-
-	* Build AirgapOS once more according to the [readme](https://git.distrust.co/public/airgap) in the repository.
-
-		* Ensure it's the same version as in the previous step
-
-	* `head -c $(stat -c '%s' out/airgap.iso) /dev/<device_name> | sha256sum`
-
-	* Additionally, the user can refer to the [StageX](https://codeberg.org/stagex/stagex) hashes of AirgapOS for a given version
-
-{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing }}
-// ANCHOR_END: procedure
-/* ANCHOR_END: all */
-

trove/src/component-documents/create-vaults-repository.md

@@ -1,3 +0,0 @@
-# Create Trove Git Repository
-
-{{ #include ../../component-documents/vaults-repository.md:content }}

trove/src/component-documents/digital-assets/solana/create-payload.md

@@ -1,25 +0,0 @@
-# Solana: Create Transaction Payload
-/* ANCHOR: all */
-// ANCHOR: content
-
-{{ #include ../template-create-tx-0.md:content }}
-
-1. Use icepick to generate and sign the payload by running one of the following available workflows:
-	#### Transfer
-	Transfer native Solana asset - SOL.
-
-	`icepick workflow sol transfer --to-address <to-address> --from-address <from-address> --amount <amount> --export-for-quorum --sign`
-
-	#### Transfer Token
-	Transfer SPL tokens on Solana blockchain.
-
-	The following SPL tokens, provided to `--token-name`, are supported:
-
-	* [PYTH](https://www.pyth.network/)
-
-	`icepick workflow sol transfer-token --from-address <from-address> --to-address <to-address> --token-name <token-name> --token-amount <token-amount> --export-for-quorum --sign`
-
-{{ #include ../template-create-tx-1.md:content }}
-// ANCHOR_END: content
-/* ANCHOR_END: all */
-

trove/src/component-documents/digital-assets/solana/generate-address.md

@@ -1,62 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: generate-nonce-account
-
-1. {{ #include ../../finding-device-name.md:content }}
-
-1. Copy the `vaults` repository from the Trove SD card:
-	```
-    $ cp -r /media/trove ~/
-	```
-    * If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
-
-1. Ensure `icepick` is available on system
-
-    * Follow steps from [installation guide](TODO)
-
-1. Change directory into the desired \<namespace>/\<coin> directory:
-	```
-    $ cd ~/trove/<namespace>/<coin>
-	```
-1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
-	```
-    $ ls -la .
-	```
-1. Once you have selected the appropriate account, set the account_id variable:
-	```
-    $ account_id=<num>
-	```
-1. Use `icepick` to generate nonce account:
-
-	* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
-
-    * Set `icepick` config file:
-	```
-    $ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
-	```
-	```
-    $ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
-	```
-    * Repeat command if returned message is "The transaction was possibly not received by the cluster."
-
-1. Fund the wallet displayed on-screen with 0.01 SOL
-
-    * Once the funding is done, the nonce account will be created
-
-1. Stage, commit, sign and push the changes:
-    ```
-    $ git add .
-    $ git commit -m -S "<message>"
-    $ git push origin HEAD
-    ```
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-
-// ANCHOR_END: generate-nonce-account
-/* ANCHOR_END: all */

trove/src/component-documents/digital-assets/solana/sign-and-broadcast-tx.md

@@ -1,125 +0,0 @@
-# Solana: Sign and Broadcast Transaction
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-// ANCHOR: acquire-nonce
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow sol broadcast --nonce-address=$nonce_address
-	```
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-//ANCHOR_END: acquire-nonce
-
-### Offline Machine: Create and Sign Transaction
-//ANCHOR: create-and-sign-tx
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Boot the computer
-
-1. Unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
-
-1. {{ #include ../../finding-device-name.md:content }}
-
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-
-	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
-
-1. Follow on screen prompts
-
-1. Set `ICEPICK_DATA_DIRECTORY`:
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
-	```
-1. Run the `icepick` command with the transaction payload
-
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
-	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* Follow on screen prompts
-//ANCHOR_END: create-and-sign-tx
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Broadcast Transaction: Online Machine
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
-
-//ANCHOR: broadcast-tx
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
-
-1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
-
-1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
-	```
-	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/nonce.json
-	```
-//ANCHOR_END: broadcast-tx
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-//ANCHOR: finalize
-### Repeat
-
-1. You may repeat previous steps as many times as necessary to process all workflow payloads
-
-## Finalization
-
-1. Shut down online machine
-
-1. Shut down the air gapped machine
-
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-//ANCHOR_END: finalize

trove/src/component-documents/digital-assets/template-create-tx-0.md

@@ -1,51 +0,0 @@
-/* ANCHOR: all */
-
-## Procedure
-// ANCHOR: content
-1. Turn on online linux workstation
-
-1. Clone the `vaults` repository if it's not available locally and get the latest changes:
-	```
-	$ git clone <repository_git_url>
-	$ git pull origin main
-	```
-1. Unseal the SD Card Pack
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Plug a fresh SD card into the online linux workstation
-
-1. {{ #include ../finding-device-name.md:content }}
-
-1. Save the `vaults` repo to the SD card, referred to as the Trove SD card
-	```
-	$ cp -r ~/trove/ /media
-	```
-1. Unplug the Trove SD card
-
-1. Unseal the tamper proofed bundle
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Insert the AirgapOS SD card into the airgapped machine and turn it on
-
-1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Plug in the Trove SD card
-
-1. Copy the git repo locally from the Trove SD card and change to it
-	```
-	$ cp -r /media/trove /root
-	$ cd /root/vaults
-	```
-1. Create a new payloads directory in the `vaults` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist
-
-	* `mkdir -p <namespace>/ceremonies/<date>/payloads`
-
-	* e.g `mkdir -p acme-coin-01/ceremonies/2025-01-01/payloads`
-
-1. Use `icepick workflow --help` to list the available workflows and options
-
-1. Plug in the Operator smart card
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/digital-assets/template-create-tx-1.md

@@ -1,29 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-1. Copy the updated ceremonies repo to the SD card
-	```
-	$ cp -r /root/vaults /media
-	```
-1. Transfer the SD card from the air-gapped machine to the online machine
-
-1. {{ #include ../finding-device-name.md:content }}
-
-1. Copy the updated repository locally and switch to it:
-	```
-	$ cp -r /media/trove ~/
-	$ cd ~/trove
-	```
-1. Stage, sign, commit and push the changes to the ceremonies repository:
-	```
-    $ git add <namespace>/ceremonies/<date>/payloads/*
-	$ git commit -S -m "add payload signature for payload_<num>.json"
-	$ git push origin main
-	```
-
-1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
-
-1. Tamper proof the AirgapOS and Air-gapped laptop
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/finding-device-name.md

@@ -1,6 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-Look for the SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
-    * Mount the device using: `sudo mount /dev/<device_name> /media`
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/create-vaults-repository.md

@@ -1,11 +0,0 @@
-# Provision Trove Git Repository
-
-This repository is meant for storing data pertaining to vaults. The primary data consists of:
-
-* Shardfiles
-
-* Blockchain metadata (addresses, nonces etc.)
-
-* Ceremony logs
-
-{{ #include ../../component-documents/vaults-repository.md:content }}

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/create-payload-requirements-template.md

@@ -1,10 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* Air-gapped machine
-
-* Trove SD Card
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/generate-address-requirements-template.md

@@ -1,12 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* [Air-gapped machine]()
-
-* Air-gapped machine
-
-* Trove SD Card
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/generate-address-template-0.md

@@ -1,44 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Turn on air-gapped machine
-
-1. Unplug the AirgapOS SD card
-
-1. Retrieve Trove SD card and plug it into the air-gapped machine
-
-1. Copy the `trove` repository to the machine and switch to it
-    ```
-	$ cp -r /media/trove /root/
-	$ cd /root/vaults
-    ```
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon <namespace>/shardfile.asc
-	```
-    * Follow on screen prompts
-1. If the desired `<coin>` directory doesn't exist for the namespace, create it:
-	```
-    $ mkdir -p <namespace>/<coin>
-	```
-1. Connect to the appropriate coin directory:
-	```
-    $ cd <namespace>/<coin>/
-	```
-1. Check what the latest address account is:
-	```
-	$ ls -la .
-	```
-1. Find what the latest number for the address is, and add 1 to it. This will be the new address account.
-
-	* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0`
-
-	* Set an environment variable with the new account_id:
-		```
-		$ account_id=<num>
-		```
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */%