Document how to bootstrap keychain for an organization #23

New Issue

Open

opened 2024-12-19 19:54:03 +00:00 by scjudd · 6 comments

scjudd commented 2024-12-19 19:54:03 +00:00

Member

Copy Link

From the "Trusted Keys" section of the provisioner docs:

3. Navigate the the official Keychain repository of your organization

Setting up this repository and, more importantly, creating and distributing these keys is something that could definitely be spelled out more. I'm certain there's some documentation around for getting PGP + YubiKeys set up, but we should make sure that this documentation doesn't assume that each individual user is equipped to provision a key on their own, unless that can be made very simple/mechanical.

If necessary, part of this could be a ceremony where technical users are to help less-technical users get their keys set up. There are at least two technical people who could provide some sort of oversight over each other.

From the ["Trusted Keys" section of the provisioner docs](https://git.distrust.co/public/docs/src/commit/578e46a1bc16bd7b6e560c006742675b5fa41c9d/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md#trusted-keys): > 3. Navigate the the official Keychain repository of your organization Setting up this repository and, more importantly, creating and distributing these keys is something that could definitely be spelled out more. I'm certain there's some documentation around for getting PGP + YubiKeys set up, but we should make sure that this documentation doesn't assume that each individual user is equipped to provision a key on their own, unless that can be made very simple/mechanical. If necessary, part of this could be a ceremony where technical users are to help less-technical users get their keys set up. There are at least two technical people who could provide some sort of oversight over each other.

👍 1

scjudd commented 2024-12-19 20:29:54 +00:00

Author

Member

Copy Link

Maybe this can happen simultaneously to a Root Entropy derivation ceremony? That documentation is also TODO in the provisioner doc currently; but if that involves operators being together with an airgap machine ready, maybe it makes sense to use that opportunity to build a keychain and distribute YubiKeys.

Maybe this can happen simultaneously to a Root Entropy derivation ceremony? That documentation is also `TODO` in the provisioner doc currently; but if that involves operators being together with an airgap machine ready, maybe it makes sense to use that opportunity to build a keychain and distribute YubiKeys.

anton commented 2024-12-23 22:14:31 +00:00

Owner

Copy Link

The keychain repository is just a git repo which has rules around how keys can be added to it. The derivation of the keys themselves is a separate concern. There are now documents for both:

• keychain repo
• pgp key setup

The keychain repository is just a git repo which has rules around how keys can be added to it. The derivation of the keys themselves is a separate concern. There are now documents for both: * [keychain repo](https://git.distrust.co/public/docs/src/branch/main/quorum-key-management/src/component-documents/keychain-repository.md) * [pgp key setup](https://git.distrust.co/public/docs/src/branch/main/quorum-key-management/src/component-documents/openpgp-setup.md)

anton commented 2024-12-23 22:15:40 +00:00

Owner

Copy Link

Meeting in person to verify each others keys is ideal, but if necessary it can be done remotely. I wrote initial drafts for the docs above, but we can expand them as you see fit.

Meeting in person to verify each others keys is ideal, but if necessary it can be done remotely. I wrote initial drafts for the docs above, but we can expand them as you see fit.

anton commented 2024-12-23 22:24:08 +00:00

Owner

Copy Link

Just as a side not, if you want to derive all your PGP keys for the org using the same root entropy, you can do that, and I'm happy to write out docs for that, but as of right now I wrote out guides for generating keypairs on a YubiKey, and generating a keyfork mnemonic backed-up PGP keypair, seeded to multiple smart cards. Let me know what path you would prefer to take please.

Just as a side not, if you want to derive all your PGP keys for the org using the same root entropy, you can do that, and I'm happy to write out docs for that, but as of right now I wrote out guides for generating keypairs on a YubiKey, and generating a keyfork mnemonic backed-up PGP keypair, seeded to multiple smart cards. Let me know what path you would prefer to take please.

anton commented 2025-01-03 16:42:57 +00:00

Owner

Copy Link

@scjudd waiting for your feedack on this, otherwise feel free to close.

@scjudd waiting for your feedack on this, otherwise feel free to close.

scjudd was assigned by anton 2025-01-03 16:43:06 +00:00

anton added the

qvs

label 2025-01-04 15:38:05 +00:00

anton commented 2025-01-04 15:38:48 +00:00

Owner

Copy Link

I'm working on a doc that specifies steps on how to go from nothing to initial set of PGP keys, along with a airgapped machine bundle (laptop, sd card, etc.)

I'm working on a doc that specifies steps on how to go from nothing to initial set of PGP keys, along with a airgapped machine bundle (laptop, sd card, etc.)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/tamper-proofing-chain-of-custody

coding-standards

feat/quorum-kms

Labels

Clear labels   

level-2

  

level-3

  

level-4

  

qvs

Quorum Vaulting System

No Label

level-2

level-3

level-4

qvs

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

scjudd

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/docs#23

No description provided.