Add TODOs following PR discussions

.editorconfig

@@ -10,10 +10,9 @@ indent_style = tab
 indent_size = 2
 
 [*.md]
-indent_style = tab
+indent_style = space
-indent_size = 4
+indent_size = 2
 
 [*]
 end_of_line = lf
 insert_final_newline = true
-trim_trailing_whitespace = true

Containerfile

@@ -2,12 +2,12 @@
 
 FROM scratch AS base
 
-COPY quorum-vault-system /quorum-vault-system
+COPY quorum-key-management /quorum-key-management
 
 FROM base AS build
 COPY --from=stagex/mdbook . /
 
-WORKDIR /quorum-vault-system
+WORKDIR /quorum-key-management
 RUN ["/usr/bin/mdbook", "build"]
 
 FROM stagex/filesystem AS install
@@ -17,7 +17,7 @@ COPY --from=stagex/musl . /
 COPY --from=stagex/zlib . /
 
 ADD index.html /var/www/html/
-COPY --from=build /quorum-vault-system/book /var/www/html
+COPY --from=build /quorum-key-management/book /var/www/html/qkm
 
 WORKDIR /var/www/html
 

Makefile

@@ -1,24 +1,22 @@
 PORT := 8080
-.PHONY: default
+default: build
-default: build-trove
 
 out:
 	mkdir -p out
 
-.PHONY: build-trove
+.PHONY: build
-build-trove: out/trove/index.json
+build: out/index.json
-out/trove/index.json: out Containerfile.trove $(shell find quorum-vault-system -type f)
+out/index.json: out Containerfile
-	mkdir -p out/trove
 	docker \
 		build \
-		-f Containerfile.trove \
+		-f Containerfile \
-		--output type=oci,rewrite-timestamp=true,force-compression=true,name=git.distrust.co/public/docs-trove,tar=true,dest=- \
+		--output type=oci,rewrite-timestamp=true,force-compression=true,name=distrust/docs,tar=true,dest=- \
 		. \
-	| tar -C out/trove -mx
+	| tar -C out/ -mx
 
-.PHONY: serve-trove
+.PHONY: serve
-serve-trove: build-trove
+serve: build
-	tar -C out/trove -cf - . | docker load
+	tar -C out/ -cf - . | docker load
-	docker run -p $(PORT):8080 git.distrust.co/public/docs-trove
+	docker run -p $(PORT):8080 distrust/docs
 
 

quorum-key-management/README.md

@@ -1,6 +1,6 @@
-# Trove
+# Quorum Key Management (QKM)
 
-Trove is an open source system of playbooks and tooling which
+Quorum Key Management (QKM) is an open source system of playbooks and tooling which
 facilitates the creation and maintenance of highly resilient Quorum-based Key
 Management Systems based on a strict threat model which can be used for a
 variety of different cryptographic algorithms.

quorum-key-management/book.toml

@@ -3,7 +3,4 @@ authors = ["Anton Livaja", "Lance R. Vick", "Ryan Heywood"]
 language = "en"
 multilingual = false
 src = "src"
-title = "Trove"
+title = "Quorum Vault System (QVS)"
-
-[output.html]
-additional-css = ["theme/custom.css"]

quorum-key-management/src/SUMMARY.md

@@ -0,0 +1,74 @@
+# Summary
+* [Introduction](intro.md)
+    * [Threat Model](threat-model.md)
+    * [Selecting a Quorum](selecting-quorum.md)
+    * [System Roles](system-roles.md)
+    * [Software](software.md)
+    * [Hardware](hardware.md)
+    * [Glossary](glossary.md)
+
+* [Preparations]()
+    * [Verifying Signatures](verifying-signatures.md)
+    * [Tamper Evidence Methods](tamper-evidence-methods.md)
+    * [Online Machine](online-machine-provisioning.md)
+
+    * [Fixed Location Reusable Laptop]()
+        * [Location](locations.md)
+        * [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
+        * [PureBoot]()
+            * [Flash PureBoot to Librem](flash-pureboot-firmware.md)
+            * [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
+            * [Change Smart Card PINs](setting-smart-card-pins.md)
+            * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
+            * [PureBoot Boot Sequence](secure-boot-sequence.md)
+
+        * [AirgapOS Setup]()
+            * [AirgapOS Setup](repeat-use-airgapos.md)
+            * [`autorun.sh` Setup](autorun-sh-setup.md)
+
+    * [One Time Use / Portable Use]()
+        * [Location](one-time-use-locations.md)
+        * [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
+        * [AirgapOS Setup](one-time-use-airgapos.md)
+        * [Repository Setup](one-time-repository-setup.md)
+        * [Selecting Locations](one-time-use-locations.md)
+
+* [Root Entropy Ceremonies]()
+    * [Ceremony Log Template](ceremony-log-template.md)
+    * [Root Entropy Ceremonies](root-entropy-ceremonies.md)
+        * [Local Key Provisioning](local-key-provisioning.md)
+        * [Hybrid Key Provisioning](hybrid-key-provisioning.md)
+        * [Remote Key Provisioning](remote-key-provisioning.md)
+
+    * [Additional Key Ceremonies]()
+        * [Operator Key Provisioning](operator-key-provisioning.md)
+        * [Location Key Provisioning](location-key-provisioning.md)
+
+    * [Post Ceremony]()
+        * [Online Artifact Storage](public-ceremony-artifact-storage.md)
+        * [Physical Artifact Storage](physical-artifact-storage.md)
+
+* [Ceremonies]()
+    * [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md)
+    * [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md)
+    * [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md)
+
+* [Lifecycle Management]()
+    * [Destroying Hardware](hardware-destruction.md)
+    * [Storage Device Management](storage-device-management.md)
+
+* [Generated Documents]()
+    * [Level 1]()
+    * [Level 2]()
+        * [Fixed-Location]()
+            * [Provisioner](system-roles.md)
+                * [Hardware](generated-documents/level-2/fixed-location/provisioner/procure-hardware.md)
+                * [Location]()
+            * [Proposer](system-roles.md)
+                * [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
+            * [Approver](system-roles.md)
+                * [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
+            * [Operator](system-roles.md)
+                * [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
+    * [Level 3]()
+    * [Level 4]()

quorum-key-management/src/autorun-sh-setup.md

@@ -0,0 +1,44 @@
+# `autorun.sh` Setup
+
+This document describes how `autorun.sh`, a file that AirgapOS automatically
+boots and runs should be set up.
+
+This setup can be done on any machine.
+
+1. Create a file called `autorun.sh` that has the following contents:
+
+    You may accomplish this by doing the following:
+
+    * In your Terminal use this command:
+    `vi autorun.sh`
+    * Once you are in the editor press "i" to enter "insert mode"
+    * Type in the contents, replacing <N> and <M> with your chosen threshold
+    numbers according to your [Quorum](selecting-quorum.md):
+    ```sh
+    #!/bin/sh
+    keyfork wizard generate-shard-secret --threshold <M> --max <N> --output shards.pgp
+    ```
+    * Press "esc"
+    * Press ":"
+    * Press "x"
+    * Press Enter
+
+2. Hash the file
+    The file should be hashed by using the following command:
+
+    ```sh
+    sha256sum autorun.sh
+    ```
+    Make note of the hash on a piece of paper
+
+3. Copy the file to the Storage Device which contains AirgapOS.
+
+    a. If you don't have a Storage Device set up with AirgapOS use [this guide](repeat-use-airgapos.md)
+to do so.
+
+    b. Mount the AirgapOS Storage Device using [this guide](storage-device-management.md#mounting-a-storage-device)
+
+    c. Copy the `autorun.sh` file to the Storage Device
+
+4. Make note of this hash on a piece of paper or print it as you will need it to
+verify the file during Ceremonies.

quorum-key-management/src/fixed-location-reusable-hardware-procurement.md

@@ -1,4 +1,4 @@
-# Purism Procurement Procedure (Anti-Interdiction)
+# Procure Hardware
 
 1. Select a librem 14 laptop from https://puri.sm, and ensure:
     
@@ -16,6 +16,8 @@
 
     * Warranty: 1 Year
 
+    * Privacy Screen: Privacy Screen for Librem 14
+
     * USB Flash Drive: No USB Flash Drive
 
 2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will:
@@ -24,16 +26,20 @@
 
     * Seal the screws on the bottom of the laptop using glitter of chosen color
 
+        * TODO: Add detail around using glitter with larger pieces and layering several types, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-996
+
     * Take photographs of the inside of the laptop, then of the outside after it's sealed
 
     * The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
 
+        * TODO: Add information about verifying the authenticity of the Purism signing key, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-961
+
     * The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape 
         
         * TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
 
     * The laptop will be sealed in a box using tamper proofing tape
 
-3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](./hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
+3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
 
-4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](../tamper-evidence-methods.md) should be applied to the laptop before it's stored.
+4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored.

quorum-key-management/src/fixed-location-reusable-laptop-ceremony.md

@@ -0,0 +1,71 @@
+# Fixed Location Reusable Laptop Ceremony
+
+This device is intended for use in a secure facility such as a [SCIF](TODO) which has the added assurances of protecting the environment from a wide range of side-channel attacks, as well as protection from physical attacks, and more comprehensive tamper proofing controls.
+
+The fixed location should include a work-station which makes it easy to perform the [tamper proofing](tamper-evidence-methods.md#tamper-proofing-station) procedure. This station may consist of a simple frame which holds a LED light, for consistent lightning, as well as a camera stand above it which can be used to take pictures. The camera should have an SD card that easily slides out of it so that the device doesn't leave and re-enter the room, only the SD card does.
+
+    * TODO: this is actually not necessary for the fixed location device, but it's good to have this setup in the same facility maybe for processing/setting up the one time use laptops
+
+The primary tamper proofing methods for the fixed location device are:
+
+* Heads firmware protection (TODO link to document which explains how to set up Purism)
+
+* Glitter to prevent physical access to hardware (TODO link to how to properly use glitter for tamper proofing)
+
+* On-premises audio and visual monitoring (TODO select appropriate equipment)
+
+* Physical vault (TODO find adequate vaults)
+
+## Procedure
+
+### Unsealing
+
+1. Select at least two authorized operators who will be participating in the ceremony
+
+2. Print photographs of tamper proofing of the laptop which will be used for the ceremony
+
+    * Both photos of vacuum sealed bar with filler and glitter on the bottom screws of laptop are required
+
+- [ ] TODO how is hardware token stored (for pureboot/heads)
+
+3. Make an entry into the access log, specifying the:
+
+    * Individuals involved
+
+    * Approximate time of entry
+
+    * TODO: Document how this access log is implemented.
+
+4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
+
+    * Ensure that no individual is bringing in any electronic devices. A hand-held or gate metal detector can be used for this.
+
+5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation
+
+    * Compare the polaroid and digital photographs for any differences
+
+    * Then compare the photographs to the actual object
+
+    * Check the glitter on the bottom screws of the laptop ensuring there are no scratch marks, and compare the screws to photos
+
+    * If there are any issues detected, initiate incident response
+
+6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md)
+
+{{ #include secure-boot-sequence.md }}
+
+7. Use one of the [Playbooks](todo) to carry out a task
+
+#### Sealing
+
+{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}}
+
+2. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data
+
+3. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe
+
+4. Exit the SCIF and lock it
+
+5. Update the log with the exit time
+
+6. Upload the photos to a git repository, ensuring the commit is signed using PGP

quorum-key-management/src/flashing-iso.md

@@ -0,0 +1,21 @@
+4. Flash ISO Image to a Storage Device
+
+    a. Select a new Storage Device which can be overwritten entirely
+
+    b. Find the name of the Storage Device using [this guide](storage-device-management.md#finding-a-storage-device-name)
+
+    d. Use the `dd` utility in the Terminal to flash AirgapOS to it. You will need
+    to replace `<your_storage_device>` with the name of your device.
+
+    ```bash
+    sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/<your_thumb_drive> status=progress
+    ```
+
+    In the example, the name of the device is `sda` so the complete command would look like this:
+
+    ```bash
+    sudo dd bs=4M if=~/airgap/dist/airgap.iso of=/dev/sda status=progress
+    ```
+
+    Once this step is complete, you have successfully set up a Storage Device
+    with AirgapOS.

quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md

@@ -0,0 +1,23 @@
+# Approver - Approve Transaction
+
+The approver is responsible for verifying a transaction proposed by a [proposer](../../../../system-roles.md).
+
+## Responsibilities
+
+* MUST verify the proposer data out of band (over a secure channel)
+
+    * Proposer data is primarily their PGP key
+
+* MUST verify the PGP signature of the data according to a policy
+
+    * TODO: specify how the policy works
+
+* MUST add their own well known PGP key signature to the data if the data is verified to be valid.
+
+    * NOTE: all transaction values must be signed as part of a single message
+
+To sign the transaction payload and produce a detached signature use:
+
+`gpg --armor --output <approver.sig> --detach-sig <filename>`
+
+Transmit the `proposer.asc` and `approver.sig` to the operator.

quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md

@@ -0,0 +1,145 @@
+# NOT PRODUCTION READY
+
+# Operator - Sign PYTH-SPL Transaction
+
+## Requirements
+
+* TODO: Move this into the "provisioner" document, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1002
+
+* 2 primary operators will be operating the offline machine and online machine
+
+    * Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key)
+
+* Photographic tamper proofing evidence
+
+    * Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
+
+        * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys
+
+            * TODO: where do we refer to permitted PGP keys
+
+* Ensure location has [tamper proofing tools](../../../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler)
+
+    * Vacuum sealer
+
+    * Vacuum roll
+
+    * Colored beads
+
+* PureBoot smart card (TODO)
+
+* 5 SD cards (2 fresh, formatted as ext4, and 3 cards with prepared data)
+
+    * 1 SD card for transferring transaction data from online to air-gapped machine
+
+    * 1 SD card for storing tamper proofing evidence produced at the end of the ceremony
+
+    * 1 SD card which has the shardfile, labelled "Shardile"
+
+        * This should be write-locked and stored in tamper proofing along with air-gapped machine
+    
+    * 1 SD card with "trusted keys" for proposers and approvers, both signed by each operator using their operator key (TODO)
+
+        * This should be write-locked and stored in tamper proofing along with air-gapped machine
+
+    * 1 SD card with AirgapOS
+        
+        * This should be write-locked and stored in tamper proofing along with air-gapped machine
+
+* Digital camera (TODO selection)
+
+* [Online machine](../../../../../../online-machine-provisioning.md) used for fetching transaction data
+
+## Procedure
+
+1. Enter the designated location with the 3 operators and all required equipment
+
+2. Lock access to the location - there should be no inflow or outflow of people during the ceremony
+
+3. Retrieve sealed laptop and polaroid from locked storage
+
+### Unsealing Tamper Proofing
+{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
+
+### Secure Boot Procedure
+0. Plug PureBoot smart card into air-gapped machine
+
+1. Plug in SD card labelled "AirgapOS"
+
+{{ #include ../../../../../../secure-boot-sequence.md:prepared}}
+
+0. Plug in SD card labelled "Trusted Keys"
+
+    * Load well known PGP keys of proposer and approver, and sign them using operator keys (TODO: NOT IMPLEMENTED)
+
+        * `gpg --import <keyfile_name>`
+
+1. Insert SD card labelled "shardfile"
+
+2. `keyfork recover shard --daemon`
+
+    * Follow on screen prompts
+
+3. As a last step, run the `icepick` command which is awaiting the transaction payload
+
+    * `icepick workflow sol-transfer` 
+
+    * Follow on screen prompts
+
+
+### Obtain Transaction Request
+
+1. Turn on online machine
+
+2. Get transaction request(s)
+
+    * TODO define means (could just be email?)
+
+3. Run `icepick workflow sol-broadcast` command
+
+    * Wait for prompt and plug in fresh SD card
+
+    * Await completion message before removing SD card
+
+    * This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in
+
+5. Unplug the SD card and pass it to the air-gapped machine operators
+
+### Sign Transaction
+
+1. Plug in SD card with transaction payload
+
+2. Wait for the screen to display the transaction information. (TODO: NOT IMPLEMENTED)
+
+    * In the background:
+
+        * The transaction is constructed
+
+        * Signatures of tx data are verified against well known keys which were loaded by operators into local GPG keychain and signed by operators (TODO: NOT IMPLEMENTED)
+
+3. If any issues are detected with data you will be prompted and should initiate [incident response (todo)](todo)
+
+4. Wait for the "completed" message
+
+5. Unplug and give the SD card back to the online machine operator
+
+### Broadcast Transaction
+
+* Online machine operator takes the SD card to online machine and plugs it in
+
+* The still running process from running the command to create the transaction in [Obtain Transaction Request](#obtain-transaction-request) will broadcast the transaction automatically
+
+* Await the "completed" message
+
+### Finalization
+
+* Shut down online machine
+
+* Shut down the air gapped machine
+
+* TODO: Add information about material disposal, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
+
+#### Sealing
+
+{{ #include ../../../../../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
+

quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md

@@ -0,0 +1,28 @@
+# Proposer - Create Transaction Payload
+
+The proposer is a fiduciary whose responsibility is to make sound financial decisions on behalf of a business and determine where funds are moving from, where to and in which amount. The reasons for sending funds may range across settlement, exchanging, staking and more.
+
+The proposer MUST clearly define, at a minimum:
+
+* Token Name (SOL, PYTH-SPL, ETH, BTC etc.)
+
+* FROM address
+
+* TO address
+
+* Amount
+
+The proposer must combine these values into a single message, which can be a simple JSON file, and sign it using a well known PGP key.
+
+```json
+{
+    "from-address": "<address>",
+    "to-address": "<address>",
+    "token-name": "<name>",
+    "token-amount": "<amount>"
+}
+```
+
+To sign use the command:
+
+`gpg --clearsign <filename>`

quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md

@@ -0,0 +1,56 @@
+# Provisioner - Procure Hardware
+
+The provisioner is responsible for procuring equipment. Their main focus is:
+
+* Minimizing hardware supply chain security risks
+
+* Ensuring availability of necessary equipment
+
+## Laptops
+
+### Air-Gapped Machine
+
+1. Procure a [Purism Librem 14](../../../../hardware.md#air-gapped-computer)
+
+2. Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md)
+
+3. Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the SD card
+
+4. Store the sealed package in a secure location
+
+### Online Machine
+
+Procure either a ChromeBook or a computer capable of running QubesOS according to [this guide](../../../../online-machine-provisioning.md)
+
+## Tamper Proofing Equipment
+
+This guide contains specific equipment models: [guide](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler)
+
+* Vacuum Sealer
+
+* Vacuum sealer roll
+
+* Colored beads
+
+* Digital camera
+
+* Polaroid camera
+
+## Other Equipment
+
+* SD cards
+
+    * TODO: Add clarification around formatting and labeling SD cards, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-1004
+
+    * [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
+
+    * [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
+
+* SD Card USB Adapter
+
+    * SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader
+
+    * microSD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-microsd-reader
+
+    * Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub
+

quorum-key-management/src/glossary.md

@@ -10,7 +10,7 @@ using an algorithm, called a cipher.
 Entropy in cryptography refers to the measure of randomness or unpredictability
 in data used for generating cryptographic keys and other security elements.
 
-## Trove
+## Quorum Key Management (QKM)
 
 A set of highly specified processes and tooling used for setting up a highly
 resilient quorum-based key management system.
@@ -19,7 +19,7 @@ resilient quorum-based key management system.
 
 An individual who manages an [Operator Key](#operator-key) which is used for
 protecting the passphrase of a Location key and participates in different
-aspects of the lifecycle management of the Trove system.
+aspects of the lifecycle management of the QKM system.
 
 ## Operator Key
 
@@ -116,7 +116,7 @@ the total number of shards that exist. The minimum recommended threshold is
 
 ## Organization
 
-An organization which owns the Trove and is responsible for funding the setup and
+An organization which owns the QKM and is responsible for funding the setup and
 maintenance. The organization is also responsible for ensuring that the
 [Warehouse](#warehouse) is properly maintained in order to ensure that the
 ciphertext blobs associated with the system are redundantly stored and

quorum-key-management/src/hardware-destruction.md

@@ -8,8 +8,6 @@ Destroying hardware should be done by using a combination of:
 
 * Shredding
 
-* Pulverizing
-
 All three methods should be used because of the efficacy of using electron
 microscopy to read data from storage drives which have not been completely
 destroyed.

quorum-key-management/src/hardware-procurement-and-chain-of-custody.md

@@ -0,0 +1,48 @@
+# Procurement & Chain of Custody
+
+## Provisioning Chain of Custody
+
+Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](./glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment.
+
+All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, purchase food and take breaks.
+
+The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual.
+
+## Provisioning Hardware
+
+1. Selecting a Purchase Location
+
+    Select at least 3 stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method.
+
+    This is done in order to reduce the likelihood that a threat actor is able to plant a compromised computer in a store.
+
+2. Within the store, identify available adequate laptops from the list of [tested hardware](#tested-hardware-airgapos-compatibility). Alternatively bring an SD card with AirgapOS, and test booting to it on the device on the store floor before purchasing it.
+
+3. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which is ideally just a access controlled space. The bag MUST be a sealable see-through tamper evident bag.
+
+    * TODO: Add sources for suitable tamper evidence bags, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-897
+
+4. At the processing location, one of the individuals is responsible for observing while the other opens the back of the laptop and removes:
+
+* Radio cards (wifi, bluetooth)
+
+* Storage drive
+
+* Speakers
+
+* Microphone
+
+Each laptop model is laid out slightly differently so use an online reference and/or read the names of the components which are found in the laptop to determine which parts to remove.
+
+    * TODO: Add example online reference, per this discussion: https://git.distrust.co/public/docs/pulls/10#issuecomment-898
+
+5. Apply a [tamper proofing](./tamper-evidence-methods.md) method to the device depending on the [device designation](TODO)
+
+## Tested Hardware (AirgapOS Compatibility)
+
+* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
+    * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
+
+* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
+
+To ensure that hardware is compatible, it can be tested by bringing an SD card with AirgapOS loaded on it, and testing booting to a floor model in the store.

quorum-key-management/src/hardware.md

@@ -0,0 +1,101 @@
+# Hardware
+
+This page describes different equipment which is required, and makes opinionated
+recommendations as well as alternatives. One may improve the overall security
+of their system by using a variety of hardware in order to benefit from their
+diversity, by reducing the likelihood that all hardware has suffered the same
+kind of hardware supply chain compromise, has the same vulnerability present, or
+has the same type of hardware failure issue.
+
+Based on the decided upon [Quorum](selecting-quorum.md), the amount of equipment
+required to set up a [QKM](glossary.md#quroum-kms-QKM) will
+vary. In order to figure out what equipment is required, decide on a Quorum,
+which is expressed as "N of M". Once you know your M, the required equipment list
+is the following:
+
+* M x 4 Smart Cards
+
+    * It is recommended to use two Smart Cards for storing each key pair
+
+    * Ideally two different types of hardware are used in order to reduce the
+    risk of simultaneous failure
+
+    * At least 1 Smart Card is required for each Operator Key and 1 Smart Card
+    for each Location Key
+
+    * The number of Operator Keys is M, and the number of Location Keys is also
+    M, hence the minimum of 2 x M Smart Cards, with the recommendation of using
+    two smart cards for each, resulting in 4 x M Smart Cards
+
+* 2 + X Storage Devices
+
+    * 1 Storage Device for [AirgapOS](repeat-use-airgapos.md)
+
+    * 1 Storage Device for storing [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+    * X, or *any* number of additional Storage Devices to duplicate the data, a
+    good measure would be to have at least 3 Storage Devices for the ceremony
+
+* Librem 14 Laptop
+
+    * Get as many laptops as desired to satisfy your operational needs
+
+    * For each Librem 14, get a Librem Smart Card used for [PureBoot](initialize-pureboot-smart-card.md)
+
+## Smart Cards
+
+Smart Cards are primarily used for storing OpenPGP cryptographic keys which are
+used as a building block for security controls. These smart cards hold OpenPGP
+keys which are derived in secure environments.
+
+There are three primary requirements for smart cards:
+
+* FIPS 140-2
+
+* Support for Ed25519 OpenPGP
+
+* Touch for enacting operations
+
+Some options include:
+
+* NitroKey 3 - because of its open source approach which allows for verification
+
+* YubiKey 5 - because of the widespread use and battle-tested reliability
+
+* Librem Key - because of the manufacturer's approach to hardware supply chain
+security and verifiable software
+
+## Air-Gapped Computer
+
+[Air-Gapped](glossary.md#Air-Gapped) computers are used for the lifecycle
+management of cryptographic material that is part of QKM.
+
+The primary hardware recommendation for an Air-Gapped Computer is the [Librem 14](https://puri.sm/products/librem-14/), manufactured by [Purism](puri.sm). Purism specializes in reducing hardware and
+firmware security risks, especially via their [Anti-Interdiction Service](https://puri.sm/posts/anti-interdiction-services/) and [PureBoot](https://docs.puri.sm/PureBoot.html)
+and as such is an excellent choice for hardware which high integrity assurance is
+required for.
+
+#### Alternative
+
+An alternative approach is to use an off-the-shelf computer that is randomly
+selected right before the ceremony, removing the storage drive(s), radio cards,
+microphone(s) and speakers from it to reduce side channel attack risks, using it
+to conduct a Ceremony, and then destroying the laptop using sufficiently
+adequate method to ensure that no data forensics can be used to recover the data
+from the drive, or memory. This can be achieved by using a combination of
+incineration, degaussing, shredding, smashing and drilling. Special care should
+be taken to completely destroy all components of the computer that are able to
+store data, even if it's only in ephemeral form as some forensic methods all
+extraction of data from components with "temporary memory".
+
+Three letter agencies are known to collect and exploit physical destroyed drives,
+as data can still be extracted from them using methods such as electron
+microscopy, therefore a combination of degaussing, shredding and burning should
+be used, and the remaining debris should be spread out across multiple disposal
+locations.
+
+## Storage Device
+
+Can be an SD Card (preferred due to smaller attack surface) or USB Drive but
+should be procured from a vendor with a good reputation, and ideally hardware of
+industrial grade should be prioritized for durability.

quorum-key-management/src/hybrid-key-provisioning.md

@@ -0,0 +1,77 @@
+# Hybrid Key Provisioning
+
+This document contains instructions on how Operators collaborate to set up
+QKM where the Operator Keys and Location Keys were generated before this
+ceremony and only the PGP Public Certificates of the Location keys are brought
+to the ceremony which are used to shard the Root Entropy. This is useful
+when conducting the ceremony in a lower trust environment, and where not all
+aspects of the ceremony can be controlled to the desired degree.
+
+## Steps
+
+1. Prior to the ceremony, set up a git repository with relevant artifacts in it,
+and create Ceremony Notes according to [this](one-time-repository-setup.md)
+guide.
+
+2. Ensure there are additional witnesses for the ceremony, outside of the
+operators to assist in monitoring and verifying the integrity of the process.
+
+    * Designate at least 1 individual to keep notes on the ceremony based
+    on the [Ceremony Log Template](ceremony-log-template.md)
+
+3. Ensure that no participants have brought digital devices other than ones
+necessary for the ceremony. A faraday bag may be used to hold any such devices
+for the duration of the ceremony.
+
+4. Procure a laptop and SD cards (3) from a randomly selected store and
+ensure at least 2 people are in line of sight of all the hardware until the
+ceremony is executed. It may be worthwhile to try booting from the SD card at
+the store. Dell laptops tend to support booting from SD cards while Lenovo
+don't. More notes on selecting hardware can be found [here](one-time-use-hardware-procurement.md)
+
+5. Secure a [Location](one-time-use-locations.md)
+
+6. Each member needs to bring their:
+
+    * Ceremony Notes
+
+    * Ceremony SD Card
+
+    * Airgap SD Card (only 1 member needs to bring this - set up according to
+    [One Time Use / AirgapOS Setup](one-time-use-airgapos.md)).
+
+7. Verify the SD card by either:
+
+    * Booting a separate AirgapOS to the machine used for the ceremony in order
+    to verify the SD card is not writeable and the hash matches using the steps
+    from the [One Time Use/ AirgapOS Setup](one-time-use-airgapos.md) guide.
+
+        OR
+
+    * Mounting the SD card to a separate machine and verifying it's not
+    writeable  and verify the hash matches using steps from the [One Time Use/AirgapOS Setup](one-time-use-airgapos.md) guide.
+
+    * NOTE: It is essential that the SD card remain in line of sight from the
+    moment it is verified to the moment is is used.
+
+8. Plug in and boot from Airgap SD card:
+
+    * Boot from internal SD card reader or USB device reader
+
+    * Verify the `sha256sum ceremony.sh` hash matches each of the Operator's
+    "Ceremony Notes"
+
+9. Button mash to ensure adequate entropy on the OS
+
+10. Set the system time as it has to be after the PGP
+public certificates were created, and before they expire:
+
+    * `date -s "YYYY-MM-DD HH:MM:SS"`
+
+10. Run `ceremony.sh`
+
+11. Back up the `shardfile`, and `pub.asc` to 3 separate SD cards,
+one for each operator
+
+12. Destroy the computer according to [Hardware Destruction](hardware-destruction.md)
+guide.

quorum-key-management/src/initialize-pureboot-smart-card.md

@@ -1,9 +1,5 @@
 # PureBoot Setup
 
-- [ ] TODO: fix this doc to use a different smart card for pureboot as the librem key, as the librem key doesn't have a physical switch
-
-- [ ] TODO update this to be hardware agnostic and use Heads / PureBoot
-
 This guide walks the user through setting up a machine which relies on
 [PureBoot](https://source.puri.sm/firmware/pureboot) to verify the authenticity
 of the `.iso` image which is being booted, as well to ensure that firmware of
@@ -15,7 +11,7 @@ This guide assumes the use of a Purism machine, with a Librem Key.
 
 * 1 Storage Device
 
-* 1 Smart Card
+* 1 Librem Smart Card
 
 * 1 Librem 14 Computer with [PureBoot firmware installed](flash-pureboot-firmware.md).
 

quorum-key-management/src/intro.md

@@ -1,13 +1,13 @@
 # Introduction
 
-Trove is an open source system of playbooks and
+Quorum Vaulting System (QVM) is an open source system of playbooks and
 tooling which facilitates the creation and maintenance of highly resilient
 [quorum](glossary.md#quorum)-based key management systems based on a strict
 [threat model](threat-model.md) which can be used for a variety of different
 cryptographic algorithms. The system was designed and developed by
 [Distrust](https://distrust.co), with the generous support of sponsors.
 
-The basic premise of Trove is that primary cryptographic material akin to a root
+The basic premise of QVS is that primary cryptographic material akin to a root
 certificate, called [Root Entropy (RE)](glossary.md#root-entropy-re), is generated
 during a secure key derivation ceremony, and then used to derive chosen
 cryptographic material via different algorithms such as PGP keys, digital asset
@@ -23,7 +23,7 @@ access controls in order to reconstruct the secret material, namely the RE.
 
 ## Use Cases
 
-Trove can be used for a wide range of use-cases which span but are not limited
+QVS can be used for a wide range of use-cases which span but are not limited
 to:
 
 * Deriving a PGP key pair whose public key can be used as a "one-way deposit
@@ -42,7 +42,7 @@ a cold signing setup.
 
 ## Playbooks
 
-Trove can be set up by using a set of highly opinionated playbooks which outline
+QVS can be set up by using a set of highly opinionated playbooks which outline
 the process. The base documentation should be read in its entirety by all
 participants of the ceremony in order to ensure that the system is well
 understood by all to ensure that the integrity of the process is preserved and

quorum-key-management/src/local-key-provisioning.md

@@ -0,0 +1,53 @@
+# Local Key Provisioning
+
+This document contains instructions on how Operators collaborate to set up
+QKM which requires an N-of-M quorum to be reconstituted. The encrypted shards
+which result from this ceremony are stored in separate physical
+[Locations](locations.md) which contain [Location Keys](glossary.md#location-key)
+to which shards are encrypted, and whose passphrases are protected using
+[Operator Keys](glossary#operator-key).
+
+
+### Requirements
+
+* [Smart Card](hardware.md#smart-cards): whatever number of smart
+cards you would like to have seeded for each Operator, usually 2 per Operator is
+recommended - one NitroKey 3 and 1 YubiKey Series 5.
+
+* [Storage Devices](hardware.md#storage-device): as many storage
+devices as you would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+* Storage Device loaded with
+	* [airgap.iso](repeat-use-airgapos.md)
+	* [airgap.iso.asc](repeat-use-airgapos.md)
+	* [autorun.sh](autorun-sh-setup.md)
+
+* All participants need Ceremony Notes which contain a record of which they
+verified and wrote down themselves:
+	* The SHA256 hash of airgap.iso
+	* The SHA256 hash of autorun.sh
+
+### Steps
+
+1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
+established [Location](locations.md)
+
+2. Ensure that no participants have brought digital devices other than ones
+necessary for the ceremony. A faraday bag may be used to hold any such devices
+for the duration of the ceremony.
+
+3. Plug in a new Storage Device
+
+4. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+
+5. As prompted plug in new Smart Cards
+
+6. Once the ceremony is complete, make as many copies of the Storage Device
+from Step 3 as desired.
+
+7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+8. Follow the [Public Ceremony Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony
+

quorum-key-management/src/location-key-provisioning.md

@@ -0,0 +1,119 @@
+# Location Key Provisioning
+
+## Description
+This ceremony is for generating Location Keys. Location Keys are typically
+stored in vaults as prescribed in the [Secure Storage Guidelines](secure-storage-guidelines.md).
+Location Keys are keypairs to which the Root Entropy of a QKM is sharded. The
+keypairs are stored exclusively on Smart Cards, and the PINs which protect the
+Smart Cards are encrypted to Operator Keys.
+
+## Requirements
+* Smart Card(s): whatever number of smart cards you would like to have seeded
+for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
+1 YubiKey Series 5.
+
+* [Storage Devices](equipment.md#storage-device): as many storage devices as you
+would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+## Steps
+
+1. Bring the Ceremony Machine and [Quorum Team](quorum-team.md) into the
+established [Location](locations.md)
+
+2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+or the [One Time Use Airgap-OS](one-time-use-airgapos.md)
+
+3. Provision new key in the selected secure environment
+
+    * Set system time to date greater than operator key creation but less than
+    operator key expiry
+
+        * `date -s "YYYY-MM-DD HH:MM:SS"`
+
+    * Load your personal PGP certificate which will be used as the Operator
+    Key in to the local keyring
+
+        * `gpg --import /media/<operator_key_id>`
+
+    * Generate the mnemonic:
+
+        * `keyfork mnemonic generate --size 256 > mnemonic.txt`
+
+    * Write the mnemonic on a small piece of paper as you will need to enter the
+    words in the next step. After entering the words, set the piece of paper
+    on fire (that's why it should be small enough - to make burning it easy)
+
+    * In a new terminal window start `keyfork` daemon with the mnemonic:
+
+        * `export KEYFORKD_SOCKET_PATH=/tmp/keyforkd.socket`
+
+        * `keyfork recover mnemonic`
+
+        * ctrl + z
+
+        * `bg`
+
+    * Derive PGP keypair:
+
+        * `keyfork derive openpgp "Location Key: Distrust Disaster Recovery" > location.priv.asc`
+
+    * Provision two YubiKey:
+
+        * To get the `smart_card_id`: `oct list`
+
+        * `oct admin --card <smart_card_id> import location.priv.asc`
+
+        *  `keyfork mnemonic generate --size 256 | awk '{ print $1, $2, $3, $4, $5 }' > smart-card-pin.txt`
+
+        * `cat smart-card-pin.txt`
+
+        * `oct pin --card <smart_card_id> set-user`
+
+            * Enter the <smart_card_pin>
+
+        * `oct pin --card <smart_card_id> set-admin`
+
+            * Enter the <smart_card_pin>
+
+    * Import PGP key into keyring
+
+        * `gpg --import location.priv.asc`
+
+    * Encrypt and back up the `mnemonic.txt`
+
+        * `gpg -er <operator_key_id> mnemonic.txt`
+
+        * `cp mnemonic.txt.gpg /media`
+
+    * Encrypt and back up the `smart-card-pin`
+
+        * `gpg -er <operator_key_id> smart-card-pin.txt`
+
+        * `cp smart-card-pin.txt.gpg /media`
+
+    * Export and back up `location.pub.asc`
+
+        * `gpg --armor --export <location_key_id> > location.pub.asc`
+
+        * `cp location.pub.asc /media`
+
+    * Duplicate all backup files to a second SD card:
+
+        * `mnemonic.txt.gpg`, `smart-card-pin.gpg`, `location.pub.asc`
+
+    * Copy the `location.pub.asc` to the SD card that was used to bring over
+    the operator key. This will be used to bring the public key to the Hybrid
+    Ceremony Later on:
+
+        * `cp location.pub.asc /media`
+
+    * For posterity, delete all the generated assets before shutting down
+    computer:
+
+        * `rm -rf *`
+
+4. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+5. Follow the [Public Ceremony Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony

quorum-key-management/src/locations.md

@@ -30,7 +30,7 @@ This level of defenses is largely focused on remote attacks, and as such does no
 
 * Co-working space
 
-* Regular office (non specific to Trove)
+* Regular office (non specific to QVS)
 
 ### Reference Design 
 
@@ -44,7 +44,7 @@ This level of defenses is focused on insider threats and as such requires a cons
 
 ### Examples
 
-* Purpose specific facility for Trove
+* Purpose specific facility for QVS
 
 * Short term rental
 
@@ -82,7 +82,7 @@ This level of defenses is focused on insider threats and as such requires a cons
     locations simultaneously
 
 * SHOULD be facilities owned by different organizations to reduce the risk of
-collusion unless the organization who owns the Trove system has their own facility such
+collusion unless the organization who owns the QKM system has their own facility such
 as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
 
 ## Level 4 (SCIF)

quorum-key-management/src/one-time-repository-setup.md

@@ -0,0 +1,56 @@
+# Repository Setup
+
+Before the one time ceremony, a git repository should be set up which contains
+several items which will be relevant to the ceremony. Namely the following:
+
+* PGP public certificates of the Location Keys which will be used for the
+ceremony. The key ids of these certificates will be verified during the
+ceremony.
+
+* `ceremony.sh` a script which imports the PGP public certificates of the
+location keys, and displays their ids so that Operators can verify that they are
+the correct ones. This script will also execute the appropriate `keyfork`
+command with a desired threshold:
+    ```
+    #!/bin/sh
+
+    read -p "Generate hardware interrupt entropy by typing randomly on keyboard" entropy
+
+    mount
+
+    read -p "Provide the path to PGP certificates which will be used for the ceremony: " absolute_path
+
+    if [ ! -d "$absolute_path" ]; then
+    echo "Directory does not exist. Please enter a valid absolute path."
+    exit 1
+    fi
+
+    for file in "$absolute_path"/keys/*; do
+    if [ -f "$file" ]; then
+        echo "Processing file: $file"
+        gpg --import --import-options import-show $file
+    fi
+    done
+
+    read -p "Do the PGP key IDs match what you expect? (y/n): " matches_expectation
+
+    if [ "$matches_expectation" != "y" ]; then
+    echo "Ceasing ceremony as PGP key IDs don't match"
+    exit 1
+    fi
+
+    keyfork wizard bottoms-up --threshold 2 --output-cert "$absolute_path"/cert --output-shardfile "$absolute_path"/shardfile --user-id "QKM Ceremony" "$absolute_path"/keys
+    ```
+
+* The `airgap.iso` which is to be used during the ceremony
+
+* Each operator should produce Ceremony Notes which contain:
+
+    * `sha256sum` of `airgap.iso`
+
+    * The AirgapOS commit and date for the version that was used
+
+    * `sha256sum` of `ceremony.sh`
+
+    * Key ID of each PGP Public Certificate located in `public-certificates`
+    in the ceremony repository

quorum-key-management/src/one-time-use-airgapos.md

@@ -0,0 +1,39 @@
+# Set up AirgapOS
+
+Because without a Librem 14 there is no easy way to have a secure boot sequence,
+instead the AirgapOS `.iso` image is flashed to an SD card, locked using
+`sdtool` and then verified using any machine.
+
+## Setup Steps
+
+* Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
+
+* Verify the software according to [this](verifying-signatures.md) guide
+
+* Flash `airgap.iso` to an SD Card:
+
+    * `dd if=out/airgap.iso of=/dev/<your_device> bs=4M status=progress oflag=direct`
+
+* Use the `sdtool` to lock the SD Card:
+
+    * TODO: update this to use stagex binary
+
+    * `git clone git@github.com:BertoldVdb/sdtool.git`
+
+    * `cd sdtool`
+
+    * `make`
+
+    * `./sdtool /dev/mmcblk permlock`
+
+    * Test that the card can't be written to:
+
+        * `dd if=out/airgap.iso of=/dev/sdb bs=1M conv=sync status=progress`
+
+* Verify that the hash of `airgap.iso` matches what's flashed on the SD card:
+
+    * `head -c $(stat -c '%s' out/airgap.iso) /dev/sdb | sha256sum`
+
+    * `sha256sum out/airgap.iso`
+
+* Commit the hash of airgap to a git repo, ensuring the commit is signed

quorum-key-management/src/one-time-use-laptop-coin-ceremony.md

@@ -0,0 +1,7 @@
+# One Time Use Laptop Ceremony
+
+## Threat Model
+
+One time use laptops are specially prepared for using in field operation but can also be used inside of a secure facility. The primary objective of this setup is that the laptop is provisioned ahead of time, and is considered to be secure for use, but is to be destroyed afterwards.
+
+This flow is the same as [portable reusable laptop ceremony](portable-reusable-laptop-ceremony.md) except instead of tamper proofing the hardware at the end of the ceremony, it is destroyed.

quorum-key-management/src/one-time-use-locations.md

@@ -0,0 +1,20 @@
+# Selecting Locations
+
+* MUST be selected at random right before the ceremony
+    
+* MUST have physical access control to prevent inflow and outflow of personnel during ceremony
+
+* SHOULD NOT have electronics in it as they can be used for side channel attacks
+
+* SHOULD NOT have windows to prevent exfiltration of data via light or observation of screen
+
+## Location Examples
+
+* A hotel room although it is relatively common to find spying devices in them so they are not a great choice
+
+* A moving vehicle such as car, bus, train, ferris wheel given that the operator is able to secure a space which can be locked and has no strangers in it
+
+* Open space with nobody around such as a forest, desert, large parking lot etc.
+
+
+Despite all these measures, the location may be compromised anyways, as a malicious actor may have done so with another target in mind, or a more broad campaign, for example in the case for three letter agencies may plant cameras and microphones in hotels for intel gathering. For this reason it is always highly preferred to perform cryptographic actions in a properly secured facility such as a SCIF.

quorum-key-management/src/operator-key-provisioning.md

@@ -0,0 +1,44 @@
+# Operator Key Provisioning
+
+## Description
+This guide can be used for provisioning Operator key pairs, and the output of
+the ceremony is a set of the following for each Operator:
+* Smart Card(s) seeded with PGP keys
+* Storage Device with a backup of:
+    * PGP key pair public key
+
+## Requirements
+* Smart Card(s): whatever number of smart cards you would like to have seeded
+for each Operator, usually 2 per Operator is recommended - one NitroKey 3 and
+1 YubiKey Series 5.
+
+* [Storage Devices](hardware.md#storage-device): as many storage devices as you
+would like for backing up [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+## Playbook
+
+### Steps
+This playbook allows the setup of any number of Operator Keys. For each Operator,
+the steps that follow need to be repeated.
+
+1. Bring the Ceremony Machine and [Quorum](selecting-quorum.md) team into the
+established [Location](locations.md)
+
+2. Boot your Ceremony Machine using [Secure Boot Sequence](secure-boot-sequence.md)
+
+3. Plug in a new Storage Device
+
+4. Run `keyfork wizard operator` TODO: this command is not part of `keyfork` yet
+
+5. As prompted plug in new Smart Cards
+
+6. Once the ceremony is complete, make as many copies of the Storage Device
+from Step 3 as desired.
+
+7. Follow the [Physical Artifact Storage](physical-artifact-storage.md) guide
+ for storage of the Operator Smart Cards and Location Smart Cards
+
+8. Follow the [Online Artifacts Storage](public-ceremony-artifact-storage.md)
+guide for all public artifacts produced during the ceremony
+
+

quorum-key-management/src/physical-artifact-storage.md

@@ -0,0 +1,44 @@
+# Physical Artifact Storage
+
+QKM requires that some of the hardware containing cryptographic material be
+securely stored in physical locations. The two primary cases where physical
+storage is necessary are the storage of Location Key Smart Cards, and Operator
+Key Smart Cards. These Smart Cards are necessary to successfully execute a
+ceremony.
+
+There are two primary physical artifacts which need to be stored properly:
+
+* Operator Smart Cards
+
+* Location Smart Cards
+
+## Operator Smart Cards
+
+These cards should be stored by Operators in personal vaults using a high
+quality hidden safe, or in a vaulting facility such as a bank vault, or a
+private vaulting provider.
+
+## Location Smart Cards
+
+These cards should only be stored in secure vaults which meet the criteria
+outlined for Storage Locations in the [Location](locations.md) document.
+
+## Additional Criteria
+
+* MUST apply glitter nail polish to screws/seams of hardware casing, and take
+photographs. It's best to use nail polish where the glitter is of different
+sizes and colors.
+
+* MAY put the hardware in a vacuum sealed bag with confetti, and take
+photographs.
+
+* MUST place smart cards in a tamper proof bag, whose picture is taken upon
+sealing, and stored along with other [Public Ceremony Artifacts](public-ceremony-artifact-storage.md)
+
+* SHOULD provision all GPG keys to at least two smart cards, ideally made
+by different manufacturers in order to decrease the likelihood that they both
+simultaneously experience a hardware failure.
+
+* SHOULD place the smart cards in anti-static bags
+
+* SHOULD place the smart cards in a faraday bag

quorum-key-management/src/portable-reusable-laptop-ceremony.md

@@ -0,0 +1,72 @@
+# Portable Reusable Laptop Ceremony
+
+## Security Level
+
+This process offers a Level 2 security mitigation, focusing on defending against remote adversaries and insider threats.
+
+## Requirements
+
+### Roles
+
+This setup does require the support of all [system roles](system-roles.md).
+
+* MUST use at least 1 [Proposer](system-roles.md#proposer)
+
+* MUST use at least 1 [Approver](system-roles.md#approver) different from Proposer
+
+* MUST have at least 2 [Witnesses](system-roles.md#witness)
+
+* MUST have at least 1 [Operator](system-roles.md#operator)
+
+### Location
+
+To conform to [Level 2](threat-model.md#level-2) security properties a location must be used according to the [Locations](locations.md) specification.
+
+### Equipment
+
+* Laptop procured according to [Hardware Procurement](hardware-procurement-and-chain-of-custody.md) guide
+
+* Polaroid camera + pack of polaroid film
+    - [] TODO update tamper rpoofing doc with polaroid camera models and film 
+
+* Digital camera
+    - [ ] TODO add recommendations
+
+* 10 SD cards
+    - [ ] TODO add which
+
+* [Vacuum sealer](tamper-evidence-methods.md#vacuum-sealers)
+
+* [Vacuum sealer roll](tamper-evidence-methods.md#vacuum-sealers)
+
+* Tamper evidence photographs:
+
+    * Printed digital photos
+
+    * Polaroid photos
+
+## Procedure
+
+1. The laptop and all hardware used SHOULD be kept on the person at all times
+
+    * MAY leave the laptop in a safe
+
+    * MAY (but not recommended) leave the laptop with full time supervision (such as bellhop)
+
+2. Once in a secure location - control access to the location. It is highly preferred that no individuals enter or leave the facility during the ceremony.
+
+3. Before starting the ceremony ensure that at least 1 Operator and 1 Witness are present
+
+4. Verify that the request from the Proposer is properly approved by an Approver
+
+### Unsealing
+{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
+
+### Perform Operations
+
+Follow a [playbook](TODO)
+
+
+### Sealing
+{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing}}
+

quorum-key-management/src/public-ceremony-artifact-storage.md

@@ -0,0 +1,35 @@
+# Redundant Storage of Ceremony Artifacts
+
+Ceremony Artifacts consist of data which is not sensitive in nature, but
+essential to ongoing operation of a QKM.
+
+The primary artifacts which are produced during the ceremony are:
+
+* PGP Key Certificates
+
+* Shard Files
+
+* Pin Files
+
+* Pictures of tamper proof measures such as tamper proof bags, glitter applied
+to bags, or hardware, such as screws on the bottoms of laptops etc. Pictures
+should be cryptographically signed to prevent tampering.
+
+## Key Principles
+
+* MUST verify that all Public Artifacts generated during the Ceremonies are
+present in the Ceremony Artifacts bundle.
+
+* MUST store all Ceremony Artifacts in at least 2 different cloud storage
+systems. Some options are:
+
+    * AWS S3
+
+    * Google Cloud Platform Storage
+
+    * Azure Storage
+
+    * GitHub
+
+* The data SHOULD have proper access controls, and only be accessible to
+authorized personnel who are part of the organization.

quorum-key-management/src/q&a.md

@@ -1,4 +1,4 @@
-# Q&A
+# Q & A
 
 ## Is there a risk associated with deriving for different cryptographic algorithms from the same source of entropy?
 

quorum-key-management/src/quorum-team.md

@@ -0,0 +1,40 @@
+# Quorum Team
+
+The Quorum Team is a team of individuals who are selected to perform different
+roles related to a QKM. Some of the Quorum Team members have ongoing roles,
+while others may participate in a partial manner.
+
+Depending on the type of actions performed, some or all of the members of the
+Quorum may be required to participate. For example, it is recommended that there
+is at least 1 witness for all sensitive actions, but having 3 witnesses during
+the primary Key Derivation Ceremony can give better assurances that the most
+crucial part of the ceremony was properly conducted.
+
+The roles which are required for the Quorum Team are the following:
+
+## Operator
+Operators are individuals who protect [Smart Cards](equipment.md) which
+store a [GPG Key Certificate](glossary.md#gpg-certificate), which is used
+for encrypting information, such as the [Location Key](glossary.md#location-key)
+PINs as well as other [Ceremony Artifacts](reduntant-storage-of-ceremony-artifacts.md).
+They are also individuals who participate in Ceremonies in order to Reconstitute
+the key and perform actions with it.
+
+## Controller
+Controllers are an additional optional role which can be used to protect access
+to the physical locations which hold the Location Keys. Some vaulting solutions
+allow for requiring more than 1 individual in order to access a vault. Multiple
+Controllers may be used to protect access to physical locations - according to
+risk appetite.
+
+## Witness
+Witnesses are individuals who are familiar with the QKM specification, and can
+ensure that the different aspects of the system are set up correctly, and
+processes carried out as they should be. The main objective of the witnesses is
+to monitor and attest that processes such as the ceremonies are done according
+to the strictly prescribed rules.
+
+## Courier
+This role can be fulfilled by members of the Quorum Team and their main role is
+getting materials to their designated locations - the main task being getting
+the Location Keys securely to their physical location.

quorum-key-management/src/remote-key-provisioning.md

@@ -0,0 +1,3 @@
+# Remote Key Provisioning
+
+TODO

quorum-key-management/src/repeat-use-airgapos.md

@@ -1,16 +1,13 @@
-/* ANCHOR: all */
+# AirgapOS Setup
-# PureBoot Hash Verifying .iso Setup
-
-If the SD card with AirgapOS is stored as part of a Air-Gapped bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony.
 
 This section can be completed on any machine.
 
-AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations such as key derivation and signing
+AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations such as key
+derivation and signing
 
-// ANCHOR: steps
 1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.Use the `make reproduce` command.
 
-2. Verify the software according to [this guide](./component-documents/verifying-signatures.md)
+2. Verify the software according to [this guide](verifying-signatures.md)
 
 3. Place signed .iso on a storage device
 
@@ -45,13 +42,10 @@ AirgapOS has `keyfork` and `icepick` built into it for cryptographic operations
 
 5. Lock the SD card using `sdtool`
 
-6. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
+5. Make sure to note the `sha256sum` hash of the `airgap.iso` and write it
 down on a piece of paper.
 
-7. Multiple members of your team should build the `airgap.iso` image
+6. Multiple members of your team should build the `airgap.iso` image
 independently and use `sha256sum airgap.iso` in order to hash it, then record
 the value for later use. This value will be checked during Ceremonies before
-booting the ISO image to ensure it can be trusted.
+booting the ISO image to ensure it can be trusted.
-
-// ANCHOR_END: steps
-/* ANCHOR_END: all */

quorum-key-management/src/root-entropy-ceremonies.md

@@ -0,0 +1,14 @@
+# Root Entropy Ceremonies
+
+There are 3 primary types of [Root Entropy](glossary.md#root-entropy-re)
+derivation ceremonies:
+
+* **Local**: where all cryptographic material, including the Operator Keys,
+Location Keys, and the Root Entropy are all generated during a single in-person
+ceremony
+
+* **Hybrid**: where the Operator Keys and Location Keys are generated separately
+prior to the in-person ceremony where the Root Entropy is generated
+
+* **Remote**: where all cryptographic material is generated in a decentralized
+manner, remotely.

quorum-key-management/src/selecting-quorum.md

@@ -1,6 +1,6 @@
 # Selecting a Quorum
 
-The backbone of Trove is a Quorum which is used to reconstitute or re-assemble
+The backbone of QKM is a Quorum which is used to reconstitute or re-assemble
 cryptographic material, and approve actions. Quorum is a general term referring
 to a system which requires the collaboration of multiple individuals in order to
 achieve something, and it is based on a Threshold which determines how many

quorum-key-management/src/software.md

@@ -1,5 +1,5 @@
 # Software
-This page outlines the software used for setting up Trove.
+This page outlines the software used for setting up QKM.
 
 ## [[Stageˣ]](https://codeberg.org/stagex/stagex)
 
@@ -39,7 +39,7 @@ BIP-0039 mnemonic phrase. BIP-0039 phrases are used to calculate a BIP-0032
 seed, which is used for hierarchical deterministic key derivation.
 
 This software is the backbone for all cryptographic actions performed as part
-of Trove. It was developed by [Distrust](https://distrust.co) and is included
+of QKM. It was developed by [Distrust](https://distrust.co) and is included
 with AirgapOS and has been audited by two firms, NCC and Cure53 with no
 significant vulnerabilities found.
 

quorum-key-management/src/storage-device-management.md

@@ -9,7 +9,8 @@ USB devices are assigned names when they are connected to a Linux operating
 system. The first storage device is assigned the name `sda` (storage device a),
 the second `sdb`, the third `sdc` and so on.
 
-One may use the `lsblk` to list the detected storage devices for a system, which will output something like this:
+One may use the `lsblk` to list the detected storage devices for a system, which
+will output something like this:
 ```
 NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
 xvda    202:0    1    50G  0 disk

quorum-key-management/src/system-roles.md

@@ -0,0 +1,35 @@
+# System Roles
+
+There are several roles which are required to properly operate the QVS system. While it is possible to have an individual perform multiple roles, typically they should only perform one role at a time. It is also recommended to have at least 2 individuals, or ideally the full quorum be used to make decisions pertaining to QVS. At least 2 individuals are required for [level 2](threat-model.md#adversary-1).
+
+To better understand why the different roles are required, refer to the [selecting a quorum](selecting-quorum.md) and [threat model](threat-model.md) sections which enumerate a number of assumptions around pertinent threats to the system as well as the use of a quorum. 
+
+## General Requirements
+
+Individuals who are selected for the roles:
+
+* MUST have background checks conducted
+
+* MUST have a clearly defined set of responsibilities
+
+* MUST be reinvestigated once a year to ensure they meet necessary standards to access restricted information
+
+## Proposer
+
+This is an individual who is a business owner or stakeholder, or a financial controller. Their role is to make fiduciary decisions which protect the financial interest of the organization and its clients. Their role is specifically to propose the movement of funds, specifying the amount, origin and destination.
+
+## Approver
+
+This is an administrative role which participates in the decision making capacity, typically as part of a quorum. Additional policies which are not for the QVS system but related decision making may be under the purview of an Approver. While there is 1 proposer per transaction, there may be an arbitrary number of Approvers, and they are required to sign proposed transactions according to a [policy](todo) which should be well defined.
+
+## Operator
+
+Trained on how the QVS(todo) system operates, with intimate knowledge of the processes which are required to maintain the integrity, confidentiality and availability (CIA triad) of the system.
+
+Operators conduct ceremonies and ensure that the controls around QVS are in tact. They verify instructions from [Approvers](#approver) and perform different actions which are part of the QVS system, ranging across hardware procurement, accessing SCIFs, preparing field kits, performing ceremonies and more.
+
+As a QVS grows, it may be prudent to create more highly specialized roles whose responsibilities are limited to a more narrow range, creating more isolation across the system, thus enforcing the principle of least privilege and separation of concerns.
+
+## Witness
+
+QVS relies of having individuals present to witness that processes which uphold the security of the system are properly followed. [Operators](#operator) make ideal witnesses as their familiarity with the QVS system allows them to detect any deviation from the processes which uphold the security of the system. While it is not required that a Witness be a trained Operator, it is highly preferred.

quorum-key-management/src/tamper-evidence-methods.md

@@ -42,7 +42,7 @@ This level of threat actors has a more extensive range of attacks which may incl
 
 * MUST combine [glitter on screws](#glitter-on-screws), [pureboot/heads](#pureboot--heads), and [vacuum sealing with filler](#vacuum-sealed-bags-with-filler)
 
-* MUST maintain 2 person [chain of custody](./hardware-procurement-and-chain-of-custody.md)
+* MUST maintain 2 person [chain of custody](hardware-procurement-and-chain-of-custody.md)
 
 #### Level 4
 
@@ -72,10 +72,8 @@ The reason this method is effective is because unlike with many other methods th
 To achieve the best level of randomness and difficulty of reproducing the arrangement of filler in a vacuum sealed bag, a variety of beads of different sizes and color should be used. They may be made of different materials as well but plastic is excellent because it doesn't change form when vacuum sealed - which can make it easier to reproduce patterns. Materials such as confetti and packing beans may be used, but because they can be flattened and retain the shape, arranging them in a given pattern is much easier. Other options like beans or lentils have less variety in color and shapes which makes it harder to detect differences.
 
 Examples of filler:
-// ANCHOR:vsbwf-filler
 * [B100B5LB – 5 Lb Mixed Craft Bead Bonanza Case](https://www.thebeadery.com/product/b100b5lb-5-lb-mixed-craft-bead-bonanza-case/)
 * [Plastic Beads - Multi Color & Size - 700ml](https://www.stockade.ca/Plastic-Beads--Multi-Colour-Size--700ml_p_8402.html)
-// ANCHOR_END:vsbwf-filler
 
 ### Vacuum Sealers
 
@@ -102,65 +100,38 @@ Sealing bags of standard size objects which need to be protected can fit in. The
 // ANCHOR: vsbwf-procedure
 
 #### Requirements
-// ANCHOR: vsbwf-equipment
+
 * [Vacuum sealer](tamper-evidence-methods.md#vacuum-sealers)
 
 * [Vacuum plastic roll](tamper-evidence-methods.md#vacuum-sealers)
 
-{{ #include tamper-evidence-methods.md:vsbwf-filler }}
+* [Filler](tamper-evidence-methods.md#adequate-filler)
-
-// ANCHOR_END: vsbwf-equipment
 
 #### Sealing
 // ANCHOR: vsbwf-procedure-sealing
 
-	<details>
+1. Insert object into plastic bag
-	<summary>Vacuum sealing based tamper proofing</summary>
 
-	1. Insert object(s) into plastic sealing bag
+2. Fill bag with enough plastic beads that all of the object is surrounded
 
-	1. Fill bag with enough plastic beads that most of the object is surrounded
+3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
 
-	1. Use vacuum sealer to remove air from the bag until the beads are no longer able to move
+4. Use the [Tamper Proofing Station](tamper-evidence-methods#tamper-proofing-station) to take a photograph of both sides of the sealed object using both the digital and polaroid camera
-
-	1. Take photographs of both sides of the sealed object using both the digital and polaroid camera
-
-	1. Date and sign the polaroid photographs and store them in a local lock box
-
-	1. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.
-	</details>
-
-	<details>
-	<summary>Safe based tamper proofing</summary>
-
-	1. Place items into safe
-
-	1. Ensure the safe is properly locked
-	</details>
 
+5. Take the SD card to an online connected device and commit the photographs to a repository, ensuring the commit is signed
 // ANCHOR_END: vsbwf-procedure-sealing
 
 #### Unsealing
 // ANCHOR: vsbwf-procedure-unsealing
 
-	<details>
+1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
-	<summary>Vacuum sealing based tamper proofing</summary>
 
-    a. Retrieve digital/physical photographs of both sides of sealed bundle
+3. Compare polaroid and printed photographs of digital record to the current state of the sealed object
 
-    b. Compare all photographs to object for differences
+4. Compare polaroid to printed photographs of digital record
 
-    c. Proceed with unsealing the object if no differences are detected
+2. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an [incident response process (todo)](TODO).
-	</details>
 
-	<details>
-	<summary>Safe based tamper proofing</summary>
-
-	1. Inspect the safe for any signs of tampering
-
-	1. Retrieve items from the safe
-
-	</details>
 // ANCHOR_END: vsbwf-procedure-unsealing
 
 // ANCHOR_END: vsbwf-procedure
@@ -180,15 +151,15 @@ Glitter can be used as an additional control to provide tamper evidence on speci
 
 1. Clean the surface the glitter will be applied to
 
-1. Apply a thin layer of the first type of glitter
+2. Apply a thin layer of the first type of glitter
 
-1. Wait for it to dry
+3. Wait for it to dry
 
-1. Repeat steps 2, 3 with the different types of glitter being used
+4. Repeat steps 2, 3 with the different types of glitter being used
 
-1. Take a photograph of the laptop, preferably using the [tamper proofing station](tamper-evidence-methods#tamper-proofing-station)
+5. Take a photograph of the laptop, preferably using the [tamper proofing station](tamper-evidence-methods#tamper-proofing-station)
 
-1. Ensure the SD card is in dual custody until its contents are uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI)
+6. Ensure the SD card is in dual custody until it's uploaded to a repository, and signed by both parties (one creates a PR, the other creates a signed merge using the `git` CLI)
 
 #### Verification
 
@@ -216,47 +187,36 @@ To construct an appropriate Tamper Proofing Station, the simplest setup consists
 
 * Powerful LED light which can be attached to the mounting rig
 
-## Polaroid camera
+    *
 
-* Can be attached to mounting rig
+* Camera which does not have radio cards in it and
 
-### Models
+    * Has >10MP
-// ANCHOR: polaroid-cameras
-* [Polaroid Now+](https://www.amazon.com/Polaroid-Generation-Bluetooth-Connected-Controlled/dp/B0BVNJHMVQ)
 
-* Preferred film: [Color I-Type Film](https://www.amazon.com/Polaroid-Originals-Instant-Color-I-Type/dp/B084GXXLM7)
+    * Uses SD cards for storing photographs
-// ANCHOR_END: polaroid-cameras
+
+    * Example models:
+
+        * Kodak PIXPRO Friendly Zoom FZ43-BK 16MP Digital Camera with 4X Optical Zoom and 2.7" LCD Screen
+
+        * Sony Cyber-Shot DSC-W800
+
+* Polaroid camera which can be attached to the mounting rig
+
+    * Example models:
+
+        * Polaroid Now+
+
+        * Polaroid I-2
+
+    * Preferred film: Color I-Type Film
 
 Pick a location for the station, and attach the LED light and the camera to the overhead camera mounting rig. Set up the camera so that when it's turned on, a 14" laptop is perfectly framed without having to zoom in or out if possible.
 
-## High Visibility Storage
-
-The purpose of high visibility storage is to provide a way to keep items which are used during a ceremony from risk of being swapped by one of the participants in the ceremony. As such, a high visibility storage should be a plastic container which is sealed, and which is only opened under the close supervision of a quorum of individuals.
-
-Some examples include:
-
-* Large glass jar
-
-* Plastic bag
-
 ## Safe
 
 Placing objects into a safe helps improve the security of objects, and introduces an additional layer of tamper evidence.
 
-## Safe Operations
-// ANCHOR: safe-sealing
-
-	1. Place items into safe
-
-	1. Ensure the safe is properly locked
-// ANCHOR_END: safe-sealing
-
-// ANCHOR: safe-unsealing
-
-	1. Inspect the safe for any signs of tampering
-
-	1. Retrieve items from the safe
-// ANCHOR_END: safe-unsealing
 ## References
 
 * [Blog About Tamper Evident Protection Methods](http://web.archive.org/web/20241130002204/https://dys2p.com/en/2021-12-tamper-evident-protection.html)
@@ -269,4 +229,5 @@ Placing objects into a safe helps improve the security of objects, and introduce
 
 * [Purism Liberty phone anti-interdiction](http://web.archive.org/web/20240903104700/https://puri.sm/posts/anti-interdiction-on-the-librem-5-usa/)
 // ANCHOR_END: entire-doc
-/* ANCHOR_END: all */
+
+/* ANCHOR_END: all */

quorum-key-management/src/threat-model.md

@@ -1,10 +1,10 @@
 # Threat Model
 
-Trove is designed according to a high-assurance threat model which ers on the
+QVS is designed according to a high-assurance threat model which ers on the
 side of making exaggerated, rather than conservative assumptions in order to
 build a resilient system.
 
-The assumption is made that attackers who target Trove are extremely
+The assumption is made that attackers who target QVS are extremely
 sophisticated, well funded and patient attackers, and as such, the full arsenal
 of attacks is on the table. This means that the attacker can purchase and
 weaponize multiple 0day vulnerabilities, execute physical attacks or deploy
@@ -18,7 +18,7 @@ whether it's maintainers of software used in the system, the firmware that's
 used, or the individuals or locations that hold secret material which is the
 backbone of the system.
 
-To achieve this, the Trove focuses on reducing the risk by:
+To achieve this, the QVS focuses on reducing the risk by:
 
 * Only using fully open source software and firmware to allow full verification
 of their security properties
@@ -26,17 +26,19 @@ of their security properties
 * Creating custom purpose specific tooling which eliminates dependencies in
 order to reduce supply chain attacks, and adds desirable security properties
 
-* Building as much of the software and firmware deterministically as possible - aiming for 100%
+* Using a fully bootstrapped and deterministically built compiler for building
+all software that's used
 
-  * The [StageX](https://codeberg.org/stagex/stagex) project is the effort towards this end
+* Building all of the software and firmware deterministically
 
-* Using computers which either have a hard switch for disabling networking or which had radio networking cards (bluetooth, wifi etc.) removed
+* Using computers which either have a hard switch for disabling networking or
+which had radio networking cards (bluetooth, wifi etc.) removed
 
 * Leveraging smart cards (personal HSMs) to protect cryptographic material
 
-* Leveraging cryptographic sharding in order to decentralize risk and physically separate cryptographic material
+* Leveraging sharding in order to physically separate cryptographic material
 
-* Leveraging tamper evident controls for equipment
+* Leveraging tamper evident controls for components related to the system
 
 * Leveraging frequency blocking methods such as TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) and soundproofing
 
@@ -64,16 +66,10 @@ Some additional assumptions are made to help contextualize the threat model:
 
 ## Threat Model Levels
 
-Different threat model levels allow an organization to start benefiting from the security properties of the Trove system immediately, with a clear path to upgrading over time as resources and time become available.
+Different threat model levels allow an organization to start benefiting from the security properties of the QVS system immediately, with a clear path to upgrading over time as resources and time become available.
 
 Each subsequent level assumes all threats and mitigations from the previous level, and introduces more sophisticated attacks and mitigations. As such, the levels should for the most part be adhered to one at a time, to ensure comprehensive defenses for all viable threats enumerated herein.
 
-* [Level 1](#level-1)
-* [Level 2](#level-2)
-* [Level 3](#level-3)
-* [Level 4](#level-4)
-
-
 ## Level 1
 
 ### Threat Model
@@ -140,7 +136,7 @@ This level focuses on defending against insider threats.
 
 * Exploit any vulnerability within 24h of public knowledge
 
-#### Requirements
+### Requirements
 
 * All production access:
 
@@ -156,7 +152,7 @@ This level focuses on defending against insider threats.
 
   * MUST be anchored to keys in dedicated HSMs held by each administrator
 
-    * Consider OpenPGP or PKCS#11 smart cards that support touch-approval for ssh
+    * Consider OpenPGP or PKSC#11 smart cards that support touch-approval for ssh
 
 * Any code in the transaction signing trust supply chain:
 
@@ -198,11 +194,11 @@ This level focuses on defending against insider threats.
 
       * App phone stores already anchor to developer held signing keys
 
-#### Reference Design
+### Reference Design
 
 * Create offline CA key(s)
 
-* Consider OpenPGP key generated on airgap using keyfork, backed up, and copies transmitted to a smart cards such as a Yubikey
+* Consider OpenGPG key generated on airgap using keyfork, backed up, and copies transmitted to a smart cards such as a Yubikey
 
 * CA key smart cards are stored in dual-access tamper evident locations
 
@@ -246,7 +242,7 @@ This level focuses on defending against insider threats.
 
   * SHOULD be stored in a neutral location only the primary and backup shard holder can access
 
-* Done in person on air-gapped laptop that has been in [dual witnessed custody](./component-documents/hardware-procurement-and-chain-of-custody.md) since procurement
+* Done in person on air-gapped laptop that has been in [dual witnessed custody](hardware-procurement-and-chain-of-custody.md) since procurement
 
   * Has hardware anchor that can make all parties confident the OS image it is running is expected (Heads, etc)
 
@@ -368,6 +364,7 @@ This level focuses on defending against adversaries who are nation states.
   * MUST ensure that individuals are scanned for devices before entering the vault
 
   * MUST only communicate with outside world via fiber optic serial terminal
+    - [ ] TODO do we even want this in the facility?
 
   * MUST be housed in Class III bank vault or better
 

trove/get-commit-hash.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-COMMIT_HASH=$(git rev-parse --short HEAD)
-
-echo "Commit Hash: $COMMIT_HASH" > src/commit_hash.md
-
-# Build the mdBook
-mdbook build

trove/src/SUMMARY.md

@@ -1,70 +0,0 @@
-# Summary
-* [Introduction](intro.md)
-    * [Threat Model](threat-model.md)
-    * [Selecting a Quorum](selecting-quorum.md)
-    * [System Roles](system-roles.md)
-    * [PGP Key Types](key-types.md)
-    * [Software](software.md)
-    * [Location](locations.md)
-    * [Q&A](questions-and-answers.md)
-    * [Glossary](glossary.md)
-* [Level 1](generated-documents/level-1/intro.md)
-	* [Procure Hardware](generated-documents/level-1/procure-hardware.md)
-	* [Provision Laptop](generated-documents/level-1/provision-laptop.md)
-	* [Provision AirgapOS](generated-documents/level-1/provision-airgapos.md)
-	* [Provision Trove Git Repository](generated-documents/level-1/create-vaults-repository.md)
-	* [Provision Entropy & PGP Keypair](generated-documents/level-1/provision-entropy-and-pgp.md)
-	* [Cryptographic Operations]()
-		* [Digital Assets]()
-			* [Solana]()
-				* [Generate Address](generated-documents/level-1/cryptographic-operations/digital-assets/solana/generate-address.md)
-				* [Create Payload](generated-documents/level-1/cryptographic-operations/digital-assets/solana/create-payload.md)
-				* [Sign and Broadcast Tx](generated-documents/level-1/cryptographic-operations/digital-assets/solana/sign-and-broadcast-tx.md)
-			* [Cosmos]()
-			* [Bitcoin - coming soon]()
-			* [Ethereum - coming soon]()
-* [Level 2]()
-	* [Personal PGP Key Generation](generated-documents/level-2/fixed-location/pgp-key-provisioning.md)
-	* [Procurer](generated-documents/level-2/fixed-location/procurer/index.md)
-		* [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md)
-		* [Create Inventory Repository](generated-documents/level-2/fixed-location/procurer/create-inventory-repository.md)
-		* [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md)
-		* [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
-		* [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
-	* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
-		* [Provision Trove Git Repository](generated-documents/level-2/fixed-location/provisioner/create-vaults-repository.md)
-		* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
-		* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
-		* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
-	* [Proposer]()
-		* [Solana: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/sol-create-transaction-payload.md)
-		* [Pyth: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/pyth-create-transaction-payload.md)
-		* [Cosmos: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/cosmos-create-transaction-payload.md)
-		* [Kyve: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/kyve-create-transaction-payload.md)
-		* [Seda: Create Transaction Payload](generated-documents/level-2/fixed-location/proposer/seda-create-transaction-payload.md)
-	* [Approver]()
-		* [Transaction Approval](generated-documents/level-2/fixed-location/approver/approve-transaction.md)
-	* [Operator](generated-documents/level-2/fixed-location/operator/index.md)
-		* [Quorum Entropy Ceremony](generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md)
-		* [Trove SD Card Provisioning](generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md)
-		* [Namespace Operations]()
-			* [Namespace Entropy Ceremony](generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md)
-			* [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
-			* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
-			* [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
-		* [Digital Assets]()
-			* [Solana]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md)
-			* [Pyth]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/pyth/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth/sign-and-broadcast-transaction.md)
-			* [Cosmos - General]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md)
-			* [Kyve]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/kyve/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/kyve/sign-and-broadcast-transaction.md)
-			* [Seda]()
-				* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/seda/generate-address.md)
-				* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/seda/sign-and-broadcast-transaction.md)

trove/src/component-documents/airgapos.md

@@ -1,68 +0,0 @@
-/* ANCHOR: all */
-
-// ANCHOR: requirements
-
-
-// ANCHOR-END: requirements
-
-// ANCHOR: procedure
-1. Turn on one of the computers - this one will be used for writing the SD cards
-
-1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository.
-
-1. Use the `make reproduce` command
-
-1. Unseal the SD Card Pack
-
-{{ #include tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-
-1. Label each SD card that will be used "AirgapOS [date]"
-
-1. Place all the SD cards into High Visibility Storage
-
-1. Retrieve a labelled SD card from High Visibility Storage, and plug it into the computer where AirgapOS will be built
-
-1. {{ #include finding-device-name.md:content }}
-
-1. Hash the .iso file and make note of it (it will be required later)
-
-	* `sha256sum out/airgap.iso`
-
-1. Flash `airgap.iso` to an SD Card:
-
-    * `dd if=out/airgap.iso of=/dev/<device_name> bs=4M conv=fsync`
-
-1. Reset the computer, and boot the SD card
-
-1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`:
-
-    * Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk<num>
-
-1. `./sdtool /dev/<device_name> permlock`
-
-1. Once burned, unplug the SD card
-
-1. Plug the SD card into a different computer from the one that was used to write the SD card
-
-1. Boot the computer
-
-1. Open a terminal
-
-1. Verify the card can't be written to:
-
-    * `echo "42" | dd of=/dev/<device_name>`
-
-1. Verify the contents on the SD card match the recorded hash
-
-	* Build AirgapOS once more according to the [readme](https://git.distrust.co/public/airgap) in the repository.
-
-		* Ensure it's the same version as in the previous step
-
-	* `head -c $(stat -c '%s' out/airgap.iso) /dev/<device_name> | sha256sum`
-
-	* Additionally, the user can refer to the [StageX](https://codeberg.org/stagex/stagex) hashes of AirgapOS for a given version
-
-{{ #include tamper-evidence-methods.md:vsbwf-procedure-sealing }}
-// ANCHOR_END: procedure
-/* ANCHOR_END: all */
-

trove/src/component-documents/autorun-sh-setup.md

@@ -1,41 +0,0 @@
-# `autorun.sh` Setup
-
-This document describes how `autorun.sh`, a file that AirgapOS automatically boots and runs should be set up.
-
-This setup can be done on any machine.
-
-1. Create a file called `autorun.sh` 
-
-    * In your Terminal use this command: `vi autorun.sh`
-
-    * Once you are in the editor press "i" to enter "insert mode"
-
-    * Type in the contents, replacing <M>, <N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with your chosen threshold numbers according to your [Quorum](selecting-quorum.md):
-
-    ```sh
-    #!/bin/sh
-    keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smart_cards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
-    ```
-
-    * Press "esc"
-    * Press ":"
-    * Press "x"
-    * Press Enter
-
-1. Hash the file
-    The file should be hashed by using the following command:
-
-    ```sh
-    sha256sum autorun.sh
-    ```
-    Make note of the hash on a piece of paper
-
-1. Copy the file to the Storage Device which contains AirgapOS.
-
-    a. If you don't have a Storage Device set up with AirgapOS use [this guide](repeat-use-airgapos.md) to do so.
-
-    b. Mount the AirgapOS Storage Device using [this guide](storage-device-management.md#mounting-a-storage-device)
-
-    c. Copy the `autorun.sh` file to the Storage Device
-
-1. Make note of this hash on a piece of paper or print it as you will need it to verify the file during Ceremonies.

trove/src/component-documents/create-vaults-repository.md

@@ -1,3 +0,0 @@
-# Create Trove Git Repository
-
-{{ #include ../../component-documents/vaults-repository.md:content }}

trove/src/component-documents/digital-assets/solana/create-payload.md

@@ -1,25 +0,0 @@
-# Solana: Create Transaction Payload
-/* ANCHOR: all */
-// ANCHOR: content
-
-{{ #include ../template-create-tx-0.md:content }}
-
-1. Use icepick to generate and sign the payload by running one of the following available workflows:
-	#### Transfer
-	Transfer native Solana asset - SOL.
-
-	`icepick workflow sol transfer --to-address <to-address> --from-address <from-address> --amount <amount> --export-for-quorum --sign`
-
-	#### Transfer Token
-	Transfer SPL tokens on Solana blockchain.
-
-	The following SPL tokens, provided to `--token-name`, are supported:
-
-	* [PYTH](https://www.pyth.network/)
-
-	`icepick workflow sol transfer-token --from-address <from-address> --to-address <to-address> --token-name <token-name> --token-amount <token-amount> --export-for-quorum --sign`
-
-{{ #include ../template-create-tx-1.md:content }}
-// ANCHOR_END: content
-/* ANCHOR_END: all */
-

trove/src/component-documents/digital-assets/solana/generate-address.md

@@ -1,62 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: generate-nonce-account
-
-1. {{ #include ../../finding-device-name.md:content }}
-
-1. Copy the `vaults` repository from the Trove SD card:
-	```
-    $ cp -r /media/trove ~/
-	```
-    * If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
-
-1. Ensure `icepick` is available on system
-
-    * Follow steps from [installation guide](TODO)
-
-1. Change directory into the desired \<namespace>/\<coin> directory:
-	```
-    $ cd ~/trove/<namespace>/<coin>
-	```
-1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
-	```
-    $ ls -la .
-	```
-1. Once you have selected the appropriate account, set the account_id variable:
-	```
-    $ account_id=<num>
-	```
-1. Use `icepick` to generate nonce account:
-
-	* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
-
-    * Set `icepick` config file:
-	```
-    $ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
-	```
-	```
-    $ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
-	```
-    * Repeat command if returned message is "The transaction was possibly not received by the cluster."
-
-1. Fund the wallet displayed on-screen with 0.01 SOL
-
-    * Once the funding is done, the nonce account will be created
-
-1. Stage, commit, sign and push the changes:
-    ```
-    $ git add .
-    $ git commit -m -S "<message>"
-    $ git push origin HEAD
-    ```
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-
-// ANCHOR_END: generate-nonce-account
-/* ANCHOR_END: all */

trove/src/component-documents/digital-assets/solana/sign-and-broadcast-tx.md

@@ -1,125 +0,0 @@
-# Solana: Sign and Broadcast Transaction
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-// ANCHOR: acquire-nonce
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow sol broadcast --nonce-address=$nonce_address
-	```
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-//ANCHOR_END: acquire-nonce
-
-### Offline Machine: Create and Sign Transaction
-//ANCHOR: create-and-sign-tx
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Boot the computer
-
-1. Unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
-
-1. {{ #include ../../finding-device-name.md:content }}
-
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-
-	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
-
-1. Follow on screen prompts
-
-1. Set `ICEPICK_DATA_DIRECTORY`:
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
-	```
-1. Run the `icepick` command with the transaction payload
-
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
-	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* Follow on screen prompts
-//ANCHOR_END: create-and-sign-tx
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Broadcast Transaction: Online Machine
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
-
-//ANCHOR: broadcast-tx
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
-
-1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
-
-1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
-	```
-	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/nonce.json
-	```
-//ANCHOR_END: broadcast-tx
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-//ANCHOR: finalize
-### Repeat
-
-1. You may repeat previous steps as many times as necessary to process all workflow payloads
-
-## Finalization
-
-1. Shut down online machine
-
-1. Shut down the air gapped machine
-
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-//ANCHOR_END: finalize

trove/src/component-documents/digital-assets/template-create-tx-0.md

@@ -1,51 +0,0 @@
-/* ANCHOR: all */
-
-## Procedure
-// ANCHOR: content
-1. Turn on online linux workstation
-
-1. Clone the `vaults` repository if it's not available locally and get the latest changes:
-	```
-	$ git clone <repository_git_url>
-	$ git pull origin main
-	```
-1. Unseal the SD Card Pack
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Plug a fresh SD card into the online linux workstation
-
-1. {{ #include ../finding-device-name.md:content }}
-
-1. Save the `vaults` repo to the SD card, referred to as the Trove SD card
-	```
-	$ cp -r ~/trove/ /media
-	```
-1. Unplug the Trove SD card
-
-1. Unseal the tamper proofed bundle
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Insert the AirgapOS SD card into the airgapped machine and turn it on
-
-1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Plug in the Trove SD card
-
-1. Copy the git repo locally from the Trove SD card and change to it
-	```
-	$ cp -r /media/trove /root
-	$ cd /root/vaults
-	```
-1. Create a new payloads directory in the `vaults` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist
-
-	* `mkdir -p <namespace>/ceremonies/<date>/payloads`
-
-	* e.g `mkdir -p acme-coin-01/ceremonies/2025-01-01/payloads`
-
-1. Use `icepick workflow --help` to list the available workflows and options
-
-1. Plug in the Operator smart card
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/digital-assets/template-create-tx-1.md

@@ -1,29 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-1. Copy the updated ceremonies repo to the SD card
-	```
-	$ cp -r /root/vaults /media
-	```
-1. Transfer the SD card from the air-gapped machine to the online machine
-
-1. {{ #include ../finding-device-name.md:content }}
-
-1. Copy the updated repository locally and switch to it:
-	```
-	$ cp -r /media/trove ~/
-	$ cd ~/trove
-	```
-1. Stage, sign, commit and push the changes to the ceremonies repository:
-	```
-    $ git add <namespace>/ceremonies/<date>/payloads/*
-	$ git commit -S -m "add payload signature for payload_<num>.json"
-	$ git push origin main
-	```
-
-1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
-
-1. Tamper proof the AirgapOS and Air-gapped laptop
-
-{{ #include ../tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/finding-device-name.md

@@ -1,6 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-Look for the SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
-    * Mount the device using: `sudo mount /dev/<device_name> /media`
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/git-basics.md

@@ -1,18 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-1. Connect SD card to online linux workstation
-
-1. {{ #include finding-device-name.md:content }}
-
-1. If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
-
-1. Copy the repository with updated files to an online linux workstation, sign, commit and push to the `vaults` repository:
-    ```
-    $ cp -r /media/trove ~/trove/
-    $ cd ~/trove
-    $ git add .
-    $ git commit -S -m "<message>"
-    $ git push origin HEAD
-    ```
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/git-commit-signing.md

@@ -1,27 +0,0 @@
-/* ANCHOR: all */
-# Git Commit Signing
-// ANCHOR: steps
-1. Retrieve the value of your PGP key ID from smartcard
-
-    ```
-    gpg --card-status
-    ```
-
-1. Configure git to sign commits with smartcard
-    ```
-    $ git config --global user.name <name>
-    $ git config --global user.email <email>
-    $ git config --global user.signingKey <pgp_key_id>
-    $ git config --global commit.gpgsign true
-    $ git config --global commit.merge true
-    ```
-
-1. Configure ssh to authenticate with smartcard
-
-    ```
-    $ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' > ~/.bashrc
-    $ source ~/.bashrc
-    ```
-    Note: If you use another shell such as zsh, adjust acccordingly
-// ANCHOR_END: steps
-/* ANCHOR: all */

trove/src/component-documents/git-repository-initialization.md

@@ -1,19 +0,0 @@
-/* ANCHOR: all */
-# Git Repository Initialization
-
-This document explains how a git repository should be set up in order to guarantee authenticity and non-repudiation of data.
-
-Git is used because it permits cryptographic singing of commits using PGP, as well as historical changes to a set of data.
-
-## Procedure: Setting up Repository
-// ANCHOR: procedure
-1. Create a git repository using a git system such as Forgejo, GitLab, GitHub etc.
-
-1. Set appropriate permissions to limit who can write to the repository.
-
-    * Require that all commits are signed using well known PGP keys
-
-1. Optionally set up a cron job that periodically pulls the data from the repository as a backup.
-// ANCHOR_END: procedure
-/* ANCHOR_END: all */
-

trove/src/component-documents/hardware-models.md

@@ -1,78 +0,0 @@
-/* ANCHOR: all */
-# Hardware Models
-
-## Computers
-
-* Laptops with chargers over ports which don't allow data transfer is preferred (non USB etc.)
-
-// ANCHOR: computer-models
-
-* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
-    * [Illustrated Parts Catalog](https://h10032.www1.hp.com/ctg/Manual/c04501162.pdf#%5B%7B%22num%22%3A3160%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2C732%2Cnull%5D)
-
-* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
-
-* Purism Librem 14
-// ANCHOR_END: computer-models
-
-## SD Cards
-// ANCHOR: sd-models
-
-1 GB is sufficient space for all Trove purposes.
-
-* [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
-
-* [Kingston Indsutrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
-
-* microSD to SD adapter
-
-    * [64GB Kingston Canvas Select Plus Class 10 MicroSDXC Memory Card with SD Adapter (SDCS2/64GB)](https://bulkmemorycards.com/shop/microsd-cards/microsd-64gb/microsd-64gb-class-10/microsd-64gb-class-10-w-sd-adapter/64gb-kingston-canvas-select-class-10-microsdxc-memory-card-with-sd-adapter-sdcs-64gb/?_gl=1*1r3cz3m*_up*MQ..*_gs*MQ..&gclid=Cj0KCQiAvvO7BhC-ARIsAGFyToVLF285A59zXpHQEDA0sc7NML5JQohdIOPnS1o-6IfjqClWWZdMruUaAupkEALw_wcB)
-
-* SD Card USB Adapters
-
-    * SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader
-
-    * microSD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-microsd-reader
-
-    * Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub
-
-// ANCHOR_END: sd-models
-
-## Smart Cards
-
-Smart Cards are primarily used for storing OpenPGP cryptographic keys which are
-used as a building block for security controls. These smart cards hold OpenPGP
-keys which are derived in secure environments.
-
-There are three primary requirements for smart cards:
-
-* FIPS 140-2
-
-* Support for Ed25519 OpenPGP
-
-* Touch for enacting operations
-
-### Notes
-
-* Librem smartcards are not recommended because they don't have touch capabilities
-
-* NitroKey and SoloKey are favored due to their fully open nature and therefore verifiability
-
-* YubiKey has the advantage of being the most battle tested but is not verifiable and has had issues in the past (Infineon bug)
-
-Some options include:
-// ANCHOR: smart-cards
-
-* NitroKey 3
-
-* YubiKey 5
-
-// ANCHOR_END: smart-cards
-
-## Tamper Proofing
-
-// ANCHOR: sealable-plastic-bags
-[Alert Security bag](https://shop.alertsecurityproducts.com/clear-alert-bank-deposit-bag-15-x-20-250cs?affiliate=ppc12&gad_source=1&gclid=CjwKCAiAgoq7BhBxEiwAVcW0LJoCVUqYI1s4RGoctHxMwtmNlwenDhgP_0x4gjB9W2e4f_7tzdJ_rxoCOwMQAvD_BwE)
-// ANCHOR_END: sealable-plastic-bags
-
-/* ANCHOR_END: all */

trove/src/component-documents/hardware-procurement-and-chain-of-custody.md

@@ -1,29 +0,0 @@
-/* ANCHOR: all */
-# Procurement & Chain of Custody
-
-## Provisioning Chain of Custody
-
-Materials and devices which are used in the context of a high assurance system need to be monitored carefully from the moment they are purchased to ensure there are no single points of failure. Going back to the assumption that participants in the system are subject to [MICE](../glossary.md#MICE) and as such may pose a threat to the system, special care has to be taken that multiple individuals are involved in the whole lifecycle of provisioning a piece of equipment.
-
-All steps of the provisioning process need to be completed under the supervision of at least 2 individuals, but benefit from having even more individuals present to increase the number of witnesses and allow individuals to take washroom breaks, eat etc.
-
-The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual.
-
-## Provisioning Equipment
-// ANCHOR: steps
-
-1. Selecting a Purchase Location
-
-    * Select at multiple stores which carry the type of equipment being purchased, then randomly select one using the roll of a die, or other random method. This is done in order to reduce the likelihood that an insider threat is able to plant a compromised computer in a store ahead of time.
-
-1. Within the store, identify available adequate device
-
-1. Purchase the device and place it in a see-through plastic bag which will be used to transport it to a "processing location", which SHOULD be an access controlled space. 
-    * The bag MUST be a sealable see-through tamper evident bag. It may be necessary to remove the device from it's original packaging to fit it into the sealable bag.
-
-1. If the equipment does not have to be tamper proofed, simply deliver it to its storage location, and update the inventory repository with the serial number of the device.
-
-1. If the equipment does require tamper proofing, apply the appropriate level of tamper proofing for the security level you are performing the procurement for. 
-
-// ANCHOR_END:steps
-/* ANCHOR_END: all */

trove/src/component-documents/inventory-repository.md

@@ -1,31 +0,0 @@
-
-/* ANCHOR: all */
-# Inventory Repository
-// ANCHOR: content
-
-This repository is used to keep track of available inventory and tamper proofing evidence
-
-## Repository Structure
-
-```
-computers/
-    <num>/
-        description.txt
-        tamper_evidence_front.jpeg
-        tamper_evidence_back.jpeg
-bundles/
-    <num>/
-        description.txt
-        tamper_evidence_front.jpeg
-        tamper_evidence_back.jpeg
-sd_cards/
-    <num>
-        ...
-```
-
-## Procedure: Setting up Repository
-
-{{ #include ./git-repository-initialization.md:procedure}}
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/linux-workstation.md

@@ -1,7 +0,0 @@
-/* ANCHOR: all */
-# Linux Workstation (Online Machine)
-// ANCHOR: content
-* Linux Workstation (online machine)
-  * Any internet connected computer with a Linux shell will suffice
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/component-documents/openpgp-setup.md

@@ -1,88 +0,0 @@
-/* ANCHOR: all */
-# OpenPGP Setup
-
-## Generating Keys using `keyfork`
-// ANCHOR: steps-keyfork
-
-1. Insert an SD card into the system
-
-1. Change working directory to SD card mount location
-    ```
-    $ cd /media/TRANSFER
-    ```
-
-1. Insert all smartcards to be provisioned into the system.
-
-1. Set expiry time via environment variable - you can update 2y to desired value:
-
-    ```
-    $ export KEYFORK_OPENPGP_EXPIRE=2y
-    ```
-
-1. Generate a mnemonic, and shard (encrypt) it to the newly-generated key:
-
-	Ensure the User ID is your name and your email.
-
-    ```
-	$ keyfork mnemonic generate --encrypt-to-self encrypted.asc --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"'
-    ```
-
-	The `--provision-count` option can be provided to ensure the correct amount
-	of smartcards is provisioned - the program will error if the amount of
-	smartcards available is not equal to the count requested.
-
-	Note: The PIN can't use sequential numbers, characters or repeated patterns.
-
-	---
-
-	Alternatively, if the user wants to see the mnemonic, and encrypt it in a
-	different manner, the `--encrypt-to-self encrypted.asc` portion of the
-	command can be ommited and the command piped into a file by appending
-	`> mnemonic.txt` to the end of the command.
-
-    ```
-	$ keyfork mnemonic generate --provision openpgp-card --derive='openpgp --public "Your Name <your@email.co>"' > mnemonic.txt
-    ```
-
-// ANCHOR_END: steps-keyfork
-
-## Generating Keys on Smartcard
-// ANCHOR: steps-on-key-gen
-
-1. Insert the smart card into the USB port if it is not already plugged in.
-
-1. Open Command Prompt (Windows) or Terminal (macOS / Linux).
-
-1. Enter the GPG command:
-
-	* `gpg --card-edit`
-
-1. At the gpg/card> prompt, enter the command: admin
-
-1. If you want to use keys larger than 2048 bits, run: key-attr
-
-1. Enter the command: generate
-
-1. When prompted, specify if you want to make an off-card backup of your encryption key.
-
-    * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore the key.
-
-1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).
-
-1. Confirm the expiration day.
-
-1. When prompted, enter your name.
-
-1. Enter your email address.
-
-1. If needed, enter a comment.
-
-1. Review the name and email, and accept or make changes.
-
-1. Enter the default admin PIN again. The green light on the smart card will flash while the keys are being written.
-
-1. Enter a Passphrase as the key will not allow you to pass without having a passphrase. If you do not enter a Passphrase generation will fail.
-
-// ANCHOR_END: steps-on-key-gen
-
-/* ANCHOR_END: all */

trove/src/component-documents/sd-formatting.md

@@ -1,26 +0,0 @@
-# SD Formatting
-// ANCHOR: steps
-1. Insert a fresh SD card into the SD card slot or connect it via a USB card reader to your computer
-
-    * microSD or standard SD card can be used
-
-1. Launch a terminal 
-
-1. {{ #include finding-device-name.md: content }}  
-
-1. Before formatting, you need to unmount the SD card. Replace `/dev/sdX1` with the actual partition name you identified in the previous step:
-
-    * `sudo umount /dev/sdX1`
-
-1. Use the mkfs command to format the SD card. You can choose the file system type (e.g., vfat for FAT32, ext4, etc.). Replace /dev/sdX with the actual device name (without the partition number):
-
-    * `sudo mkfs.vfat /dev/sdX`
-
-1. You can verify that the SD card has been formatted by running lsblk again or by checking the file system type:
-
-    * `lsblk -f`
-
-1. Once formatting is complete, you can safely remove physically or eject the SD card:
-
-    * `sudo eject /dev/sdX`
-//ANCHOR_END:steps

trove/src/component-documents/vaults-repository.md

@@ -1,58 +0,0 @@
-/* ANCHOR: all */
-# Vaults Repository
-
-// ANCHOR: data
-This repository holds data pertaining to vaults. The primary data consists of:
-
-* Operation proposals
-
-* Operation approvals
-
-* Payloads
-
-* Trusted PGP keyring
-
-* Shardfiles
-
-* Blockchain metadata
-
-* Policies (such as spending rules)
-
-* Ceremony logs
-// ANCHOR_END: data
-
-// ANCHOR: content
-## Directives
-
-* MUST be a private repository
-
-* MUST require signed commits
-
-## Repository Structure
-
-```
-keys/
-    all/
-        fingerprint.asc
-<namespace>/
-    ceremonies/
-        <date>/
-            log.txt
-            payloads/
-                payload_<num>.json
-                payload_<num>.json.sig
-    blockchain_metadata/
-        sol_nonce_address.txt
-    policies/
-        spending-policy.json [NOT IMPLEMENTED]
-    keyring.asc
-    shardfile.asc
-```
-
-## Procedure: Setting up Repository
-
-{{ #include ./git-repository-initialization.md:procedure}}
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */
-

trove/src/generated-documents/all-levels/create-vaults-repository.md

@@ -1,3 +0,0 @@
-# Create Ceremony Repository
-
-{{ #include ../../component-documents/vaults-repository.md:content }}

trove/src/generated-documents/all-levels/pgp-key-provisioning.md

@@ -1,77 +0,0 @@
-# Personal PGP Key Provisioning
-
-## Requirements
-
-* [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
-  * Provided by [Air-Gapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
-  * Alternative: Create your own from documentation in [AirgapOS Repository](https://git.distrust.co/public/airgap)
-
-* AirgapOS Laptop
-  * Provided by [Air-Gapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
-  * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
-
-{{ #include ../../component-documents/linux-workstation.md:content }}
-
-* 1+ Smart Card
-  * At least 1 primary smart card
-  * Any number of backup smart cards
-
-* 1 Transfer SD card
-  * Document will assume the card is labelled as "TRANSFER"
-
-##  Process
-
-1. If using pre-sealed Cold Bundle unseal as follows:
-
-{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-
-1. Boot AirgapOS Laptop
-
-{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
-
-1. Power down AirgapOS Laptop
-
-1. Switch to Linux Workstation
-
-1. Attach SD card from AirgapOS machine
-
-1. Attach smartcard provisioned with AirgapOS machine
-
-1. Import newly generated public key into local keychain
-
-    ```
-    $ gpg --import /media/TRANSFER/*.pub.asc
-    ```
-
-{{ #include ../../component-documents/git-commit-signing.md:steps }}
-
-1. Push new key material to Vaults repository
-
-	a. Clone repository (if not done previously)
-    ```
-    $ git clone <vaults_repository_url> ~/trove
-    ```
-	b. Checkout main branch
-    ```
-    $ cd ~/trove
-    $ git checkout main
-    $ git pull origin main
-    ```
-	c. Commit and push modifications
-    ```
-    $ cp /media/TRANSFER/*.asc keys/all
-    $ git add .
-    $ git commit -S -m "add <name> pgp key"
-    $ git push origin main
-    ```
-
-1. Communicate your new key fingerprint to all other participants:
-
-    * Preferred: In person
-
-    * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
-
-1. Get confirmation they have imported your key to their keychains
-
-    * e.g. `gpg --import <your_key_id>.asc`
-    * Confirm this is done for keyrings on workstations used to interact with the Vaults repository

trove/src/generated-documents/level-1/create-vaults-repository.md

@@ -1,11 +0,0 @@
-# Provision Trove Git Repository
-
-This repository is meant for storing data pertaining to vaults. The primary data consists of:
-
-* Shardfiles
-
-* Blockchain metadata (addresses, nonces etc.)
-
-* Ceremony logs
-
-{{ #include ../../component-documents/vaults-repository.md:content }}

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/create-payload-requirements-template.md

@@ -1,10 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* Air-gapped machine
-
-* Trove SD Card
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/generate-address-requirements-template.md

@@ -1,12 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* [Air-gapped machine]()
-
-* Air-gapped machine
-
-* Trove SD Card
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/generate-address-template-0.md

@@ -1,44 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Turn on air-gapped machine
-
-1. Unplug the AirgapOS SD card
-
-1. Retrieve Trove SD card and plug it into the air-gapped machine
-
-1. Copy the `trove` repository to the machine and switch to it
-    ```
-	$ cp -r /media/trove /root/
-	$ cd /root/vaults
-    ```
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon <namespace>/shardfile.asc
-	```
-    * Follow on screen prompts
-1. If the desired `<coin>` directory doesn't exist for the namespace, create it:
-	```
-    $ mkdir -p <namespace>/<coin>
-	```
-1. Connect to the appropriate coin directory:
-	```
-    $ cd <namespace>/<coin>/
-	```
-1. Check what the latest address account is:
-	```
-	$ ls -la .
-	```
-1. Find what the latest number for the address is, and add 1 to it. This will be the new address account.
-
-	* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0`
-
-	* Set an environment variable with the new account_id:
-		```
-		$ account_id=<num>
-		```
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */%

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/sign-and-broadcast-tx-requirements.md

@@ -1,12 +0,0 @@
-/* ANCHOR: all */
-// ANCHOR: content
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* [Air-gapped machine]()
-
-* Air-gapped machine
-
-* Trove SD Card
-
-// ANCHOR_END: content
-/* ANCHOR_END: all */

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/solana/create-payload.md

@@ -1,7 +0,0 @@
-# Create Payload
-
-## Requirements
-{{ #include ../create-payload-requirements-template.md:content }}
-
-## Procedure
-{{ #include ../../../../../component-documents/digital-assets/solana/create-payload.md:content }}

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/solana/generate-address.md

@@ -1,19 +0,0 @@
-# Generate Address
-
-## Requirements
-
-{{ #include ../generate-address-requirements-template.md:content }}
-
-## Procedure
-
-### Offline Machine: Generate Address
-
-{{ #include ../generate-address-template-0.md:content }}
-
-### Online Machine: Generate Nonce Account
-
-1. Turn on online machine
-
-1. Retrieve Trove SD card and plug it into the computer
-
-{{ #include ../../../../../component-documents/digital-assets/solana/generate-address.md:generate-nonce-account }}

trove/src/generated-documents/level-1/cryptographic-operations/digital-assets/solana/sign-and-broadcast-tx.md

@@ -1,31 +0,0 @@
-# Sign and Broadcast Tx
-
-## Requirements
-
-{{ #include ../sign-and-broadcast-tx-requirements.md:content }}
-
-## Procedure
-
-### Online Machine: Acquire Nonce
-
-1.Turn on online linux workstation
-
-1. Retreive Trove SD card
-
-{{ #include ../../../../../component-documents/digital-assets/solana/sign-and-broadcast-tx.md:acquire-nonce }}
-
-### Offline Machine: Create and Sign Transaction
-
-{{ #include ../../../../../component-documents/digital-assets/solana/sign-and-broadcast-tx.md:create-and-sign-tx }}
-
-1. Unplug Trove SD card
-
-### Broadcast Transaction: Online Machine
-1. Plug Trove SD card into online machine
-
-{{ #include ../../../../../component-documents/digital-assets/solana/sign-and-broadcast-tx.md:broadcast-tx }}
-
-1. Unplug Trove SD card
-
-
-{{ #include ../../../../../component-documents/digital-assets/solana/sign-and-broadcast-tx.md:finalize }}

trove/src/generated-documents/level-1/intro.md

@@ -1,49 +0,0 @@
-# Personal Vaulting
-
-The Level 1 vaulting threat model is meant for systems where an individual wants
-to manage the vault independently. This of course means a lower level of security,
-but according to a given threat model this may be appropriate for individuals.
-The system still provides guarantees around supply chain security, and creating
-offline systems for secure management of cryptographic material.
-
-## Steps
-
-1. [Procure hardware](./procure-hardware.md)
-
-1. [Provision laptop](./provision-laptop.md)
-
-1. [Provision AirgapOS](./provision-airgapos.md)
-
-1. [Provision Entropy & PGP Keypair](./provision-entropy-and-pgp.md)
-
-## Cryptographic Operations
-
-Once the entropy is generated, it can be used to derive for different
-cryptographic alogrithms.
-
-### Digital Assets
-
-#### Solana
-
-* [Generate Address](./cryptographic-operations/digital-assets/solana/generate-address.md)
-
-* [Create Payload](./cryptographic-operations/digital-assets/solana/create-payload.md)
-
-* [Sign and Broadcast Tx](./cryptographic-operations/digital-assets/solana/sign-and-broadcast-tx.md)
-
-
-#### Cosmos
-
-TODO
-
-#### Bitcoin
-
-Coming soon ([contact us to fund this work](https://distrust.co/contact.html))
-
-#### Ethereum
-
-Coming soon ([contact us to fund this work](https://distrust.co/contact.html))
-
-### PGP
-
-TODO

trove/src/generated-documents/level-1/procure-hardware.md

@@ -1,57 +0,0 @@
-# Procure Hardware
-
-The final list of minimal items to set up Trove is:
-
-* Tamper proofing equipment
-
-* Computer
-
-* 3 SD cards
-
-* 1 Smart Card
-
-For redundancy, more SD cards and multiple smart cards should be used.
-
-All hardware needs to be tamper proofed when not in view of the owner of the
-setup. This means that once it's brought home, if the user is not going straight
-into [Provisioning](provision-hardware.md) steps, all hardware should be tamper
-proofed using a chosen method below (vacuum sealer or put in a vault).
-
-## 1. Procure Tamper Proofing Equipment
-
-Choose one of or a combination of:
-
-* Tamper proofed safe
-
-* Vacuum sealing with filler
-
-### Tamper Proofed Safes
-
-{{ #include ../../hardware.md:safes }}
-
-### Vacuum Sealer Setup
-
-{{ #include ../../hardware.md:vacuum-sealing }}
-
-
-## 2. Procure Computer
-
-### Computer
-
-{{ #include ../../hardware.md:computer-models }}
-
-## 3. Procure SD Card + Reader
-
-If the laptop you buy doesn't have an SD card reader, you will need to buy an
-external SD card reader adapter.
-
-Minimum of 5 SD cards is recommended to start.
-
-{{ #include ../../component-documents/hardware-models.md:sd-models }}
-
-## 4. Smart Cards
-
-At least 2 smart cards are recommended. Using two different manufacturers
-decreases the likelihood of both having a catastrofic failure at the same time.
-
-{{ #include ../../component-documents/hardware-models.md:smart-cards }}

trove/src/generated-documents/level-1/provision-airgapos.md

@@ -1,11 +0,0 @@
-# Provision AirgapOS
-
-## Requirements
-* Tamper proofing equipment
-
-* SD card(s)
-
-* 2 Computers
-
-## Procedure
-{{ #include ../../component-documents/airgapos.md:procedure }}

trove/src/generated-documents/level-1/provision-entropy-and-pgp.md

@@ -1,35 +0,0 @@
-# Provision Entropy & PGP Keypair
-
-This step does two things:
-
-1. Establishes the root entropy
-
-1. Derives a PGP key which is used for protecting data
-
-## Requirements
-
-* Airgapped bundle consisting of:
-
-	* [Provisioned laptop](./provision-laptop.md)
-
-	* [Provisioned AirgapOS](./provision-airgapos.md)
-
-	* Smart Card(s): at least 1 - but 2 or 3 is recommended
-
-	* SD Cards(s): at least 1 but 2 or 3 is recommended
-
-## Procedure
-
-1. Boot AirgapOS Laptop
-
-{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
-
-1. Plug in fresh SD card and save data you wish to store (encrypted.asc,
-<key_id>.asc, mnenmonic.txt.asc, mnemonic.txt etc.)
-
-	* WARNING: If you store your mnemonic in plaintext, if someone gains access
-	to it, your Trove system will be fully compromised.
-
-1. Power down AirgapOS Laptop
-
-

trove/src/generated-documents/level-1/provision-laptop.md

@@ -1,12 +0,0 @@
-# Provision Laptop
-
-If performing multiple provisioning steps, you may skip the tamper proofing steps,
-as long as you retain continued supervision of the hardware.
-
-1. If tamper proofed, unseal tamper proofed equipment
-{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-
-1. Remove all radio cards, storage drive, speakers, and microphone using standard industry laptop repair tactics
-
-1. Re-apply tamper proofing
-{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing }}

trove/src/generated-documents/level-2/basic-requirements.md

@@ -1,14 +0,0 @@
-/* ANCHOR: all */
-# Basic Requirements
-
-## For Quorum Based Operations
-// ANCHOR: requirements
-
-* 2 individuals with appropriate role 
-
-    * Each needs a [Personal PGP key pair](/generated-documents/all-levels/pgp-key-provisioning.html) 
-
-* [Tamper-proofing equipment](/generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html)
-
-// ANCHOR_END: requirements
-/* ANCHOR_END: all */

trove/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md

@@ -1,85 +0,0 @@
-# Approver - Approve Transaction
-
-The approver is responsible for verifying a transaction proposed by a [proposer](../../../../system-roles.md).
-
-## Requirements
-
-* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
-
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-* [SD Card Pack](../provisioner/provision-sd-card.md)
-
-* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
-
-	* The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
-
-	* The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the `vaults` repo
-
-* Clone the [Vaults Repository](../../../all-levels/create-vaults-repository.md) for your organization to the machine
-
-## Procedure
-
-1. Turn on online linux workstation
-
-1. Pull the latest changes from the `vaults` repository
-
-1. Unseal the SD Card Pack
-
-{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Plug a fresh SD card into the online linux workstation
-
-1. Save the `vaults` repository to the SD card, referred to as the Trove SD card
-
-1. Unplug the Trove SD card
-
-1. Unseal the tamper proofed bundle
-
-{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Insert the AirgapOS SD card into the airgapped machine and turn it on
-
-1. Once booted, unplug the AirgapOS SD card
-
-1. Plug in the Trove SD card
-
-1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
-
-1. Copy the git repo locally from the Trove SD card and change into it
-	```
-	$ cp -r /media/trove /root/vaults
-	$ cd /root/vaults
-	```
-1. Plug in the Operator smart card
-
-1. Verify the existing signatures and add your own signature:
-
-	* `icepick workflow --add-signature-to-quorum <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc`
-
-1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
-
-1. Copy the updated vaults repo to the SD card
-
-	* `cp -r /root/vaults /media`
-
-1. Unplug the SD card from the air-gapped machine
-
-1. Plug in the SD card into the online linux workstation
-
-1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
-
-1. Copy the updated repository locally and change into it:
-	```
-	$ cp -r /media/trove ~/
-	$ cd ~/trove
-	```
-1. Stage, sign, commit and push changes to the ceremonies repository:
-	```
-    $ git add <namespace>/ceremonies/<date>/payloads/*
-	$ git commit -S -m "add payload signature for payload_<num>.json"
-	$ git push origin main
-	```
-1. Tamper proof the AirgapOS and Air-gapped laptop
-
-{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

trove/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md

@@ -1,31 +0,0 @@
-# Trove SD Card Provisioning
-
-## Requirements
-
-* [SD Card Pack](../procurer/procure-sd-card-pack.md)
-
-* [Personal PGP Keys](/key-types.html#personal-pgp-keypair)
-
-{{ #include ../../../../component-documents/linux-workstation.md:content }}
-
-## Procedure
-
-1. Turn on the computer
-
-1. Open the SD Card Pack 
-
-{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-
-1. Plug in a fresh SD card into computer
-
-1. Navigate to the ceremony repository for the ceremony being executed
-
-* {{ #include ../../../../component-documents/finding-device-name.md:content }}
-
-1. Write the ceremony repo data to the SD card:
-
-    `sudo cp -r trove/ /media`
-
-1. Unplug the SD card 
-
-1. Turn off the computer

trove/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md

@@ -1,43 +0,0 @@
-# Cosmos: Generate Address
-
-## Requirements
-
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Offline Machine: Generate Address
-
-{{ #include ../template-gen-address-0.md:content }}
-
-1. Generate a new address:
-
-    * `icepick workflow cosmos generate-address --chain-name <chain-name> --account $account_id > $account_id.json`
-
-{{ #include ../template-gen-address-1.md:content }}
-
-### Online Machine: Updating Vaults Repository
-
-1. Turn on online linux workstation
-
-{{ #include ../../../../../../component-documents/git-basics.md:content }}

trove/src/generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md

@@ -1,130 +0,0 @@
-# Solana: Sign and Broadcast Transaction
-
-## Requirements
-
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow cosmos broadcast --chain-name <chain-name> --nonce-address=$nonce_address
-	```
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-
-### Offline Machine: Create and Sign Transaction
-
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Boot the computer
-
-1. Unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
-
-1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
-
-1. Follow on screen prompts
-
-1. Set `ICEPICK_DATA_DIRECTORY`:
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
-	```
-1. Run the `icepick` command with the transaction payload
-
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
-	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* Follow on screen prompts
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Broadcast Transaction: Online Machine
-
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
-
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
-
-1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
-
-1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
-	```
-	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
-	```
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Repeat
-
-1. You may repeat previous steps as many times as necessary to process all workflow payloads
-
-## Finalization
-
-1. Shut down online linux workstation
-
-1. Shut down the air gapped machine
-
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

trove/src/generated-documents/level-2/fixed-location/operator/coins/kyve/generate-address.md

@@ -1,45 +0,0 @@
-# Kyve: Generate Address
-
-## Requirements
-
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Offline Machine: Generate Address
-
-{{ #include ../template-gen-address-0.md:content }}
-
-1. Generate a new address:
-
-    * `icepick workflow cosmos generate-address --chain-name kyve --account $account_id > $account_id.json`
-
-	The option `--chain-name` can use `kyve`, `kaon` (testnet), and `korellia` (devnet)
-
-{{ #include ../template-gen-address-1.md:content }}
-
-### Online Machine: Updating Vaults Repository
-
-1. Turn on online linux workstation
-
-{{ #include ../../../../../../component-documents/git-basics.md:content }}

trove/src/generated-documents/level-2/fixed-location/operator/coins/kyve/sign-and-broadcast-transaction.md

@@ -1,132 +0,0 @@
-# Kyve: Sign and Broadcast Transaction
-
-## Requirements
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow cosmos broadcast --chain-name kyve  --nonce-address=$nonce_address
-	```
-
-	The option `--chain-name` can use `kyve`, `kaon` (testnet), and `korellia` (devnet)
-
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-
-### Offline Machine: Create and Sign Transaction
-
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Boot the computer
-
-1. Unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
-
-1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
-
-1. Follow on screen prompts
-
-1. Set `ICEPICK_DATA_DIRECTORY`:
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
-	```
-1. Run the `icepick` command with the transaction payload
-
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
-	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* Follow on screen prompts
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Broadcast Transaction: Online Machine
-
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
-
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
-
-1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
-
-1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
-	```
-	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
-	```
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Repeat
-
-1. You may repeat previous steps as many times as necessary to process all workflow payloads
-
-## Finalization
-
-1. Shut down online linux workstation
-
-1. Shut down the air gapped machine
-
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

trove/src/generated-documents/level-2/fixed-location/operator/coins/pyth/generate-address.md

@@ -1,102 +0,0 @@
-# Pyth: Generate Address
-
-## Requirements
-
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Offline Machine: Generate Address
-
-{{ #include ../template-gen-address-0.md:content }}
-
-1. Generate a new address:
-	```
-    $ icepick workflow sol generate-address --account $account_id > $account_id.json
-	```
-
-{{ #include ../template-gen-address-1.md:content }}
-
-### Online Machine: Generate Nonce Account
-
-1. Turn on online machine
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-
-1. Copy the `vaults` repository from the Trove SD card:
-	```
-    $ cp -r /media/trove ~/
-	```
-    * If the `~/trove/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/trove` before re-running the previous step
-
-1. Ensure `icepick` is available on system
-
-    * Follow steps from [installation guide](TODO)
-
-1. Change directory into the desired \<namespace>/\<coin> directory:
-	```
-    $ cd ~/trove/<namespace>/<coin>
-	```
-1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
-	```
-    $ ls -la .
-	```
-1. Once you have selected the appropriate account, set the account_id variable:
-	```
-    $ account_id=<num>
-	```
-1. Use `icepick` to generate nonce account:
-
-	* If using a non-`mainnet-beta` cluster, be sure to provide the `--cluster` argument
-
-    * Set `icepick` config file:
-	```
-    $ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
-	```
-	```
-    $ icepick workflow sol generate-nonce-account --input-file $account_id.json > $account_id-na.json
-	```
-    * Repeat command if returned message is "The transaction was possibly not received by the cluster."
-
-1. Fund the wallet displayed on-screen with 0.01 SOL
-
-    * Once the funding is done, the nonce account will be created
-
-1. Stage, commit, sign and push the changes:
-    ```
-    $ git add .
-    $ git commit -m -S "<message>"
-    $ git push origin HEAD
-    ```
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
-

trove/src/generated-documents/level-2/fixed-location/operator/coins/pyth/sign-and-broadcast-transaction.md

@@ -1 +0,0 @@
-# Sign and Broadcast Transaction

trove/src/generated-documents/level-2/fixed-location/operator/coins/seda/generate-address.md

@@ -1,45 +0,0 @@
-# Seda: Generate Address
-
-## Requirements
-
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Offline Machine: Generate Address
-
-{{ #include ../template-gen-address-0.md:content }}
-
-1. Generate a new address:
-
-    * `icepick workflow cosmos generate-address --chain-name seda --account $account_id > $account_id.json`
-
-	The option `--chain-name` can use `seda` or `seda-devnet`.
-
-{{ #include ../template-gen-address-1.md:content }}
-
-### Online Machine: Updating Vaults Repository
-
-1. Turn on online linux workstation
-
-{{ #include ../../../../../../component-documents/git-basics.md:content }}

trove/src/generated-documents/level-2/fixed-location/operator/coins/seda/sign-and-broadcast-transaction.md

@@ -1,132 +0,0 @@
-# Seda: Sign and Broadcast Transaction
-
-## Requirements
-{{ #include ../../../../operator-requirements.md:requirements }}
-
-{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
-
-* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
-
-* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
-
-* [Trove SD card](../../../ceremony-sd-card-provisioning.md)
-
-## Procedure
-
-1. Enter the designated location with the quorum of operators and all required equipment
-
-1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
-
-1. Place Trove SD card in High Visibility Storage
-
-1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
-
-1. Place all contents except for the laptop into High Visibility Storage
-
-### Online Machine: Acquire Nonce
-
-1. Turn on online linux workstation
-
-1. Retrieve the Trove SD card from High Visibility Storage and plug it into the computer
-
-1. Get the nonce address for the address you are sending from by checking the appropriate \<namespace>/\<coin>/ directory.
-
-	* e.g `trove/<namespace>/<coin>/0-na.txt`
-
-	* Set the nonce address variable:
-	```
-	$ nonce_address="$(cat trove/<namespace>/<coin>/<account_id>-na.txt)"
-	```
-1. Set `ICEPICK_DATA_DIRECTORY`:
-
-	{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/external/
-	```
-
-1. set `ICEPICK_CONFIG_FILE`
-	```
-	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
-	```
-1. Run the command:
-	```
-	$ icepick workflow cosmos broadcast --chain-name seda  --nonce-address=$nonce_address
-	```
-
-	The option `--chain-name` can use `seda` or `seda-devnet`.
-
-	* Await completion message before removing Trove SD card
-
-	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
-
-### Offline Machine: Create and Sign Transaction
-
-1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
-
-1. Boot the computer
-
-1. Unplug the AirgapOS SD card and place it in High Visibility Storage
-
-1. Retrieve Trove SD card from High Visibility Storage and plug it into the air-gapped machine
-
-1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
-
-1. Start Keyfork using the relevant Shardfile:
-	```
-	$ keyfork recover shard --daemon /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
-
-1. Follow on screen prompts
-
-1. Set `ICEPICK_DATA_DIRECTORY`:
-	```
-	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
-	```
-1. Run the `icepick` command with the transaction payload
-
-	* The payload is located in the appropriate vault location (e.g /media/<device_name>/trove/<namespace>/ceremonies/<date>...)
-	```
-	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/trove/<namespace>/shardfile.asc
-	```
-	* Follow on screen prompts
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Broadcast Transaction: Online Machine
-
-1. Retrieve Trove SD from High Visibility Storage and plug it into online machine
-
-1. The still running broadcast command on the online machine will broadcast the transaction automatically
-
-1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
-
-1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
-	```
-	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
-	$ rm $ICEPICK_DATA_DIRECTORY/account_info.json
-	```
-
-1. Unplug the Trove SD card and place it in High Visibility Storage
-
-### Repeat
-
-1. You may repeat previous steps as many times as necessary to process all workflow payloads
-
-## Finalization
-
-1. Shut down online linux workstation
-
-1. Shut down the air gapped machine
-
-### Sealing
-
-1. Gather all the original items that were in the air-gapped bundle:
-
-    * Air-gapped computer
-
-    * AirgapOS SD card
-
-{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}