WIP: expand documents to support playbooks for managing specific digital assets #10
|
@ -7,18 +7,23 @@
|
|||
* [Glossary](glossary.md)
|
||||
|
||||
* [Preparations]()
|
||||
* [Verifying Signatures](verifying-signatures.md)
|
||||
* [Tamper Evidence Methods](tamper-evidence-methods.md)
|
||||
* [Chain of Custody Methods](hardware-procurement-and-chain-of-custody.md)
|
||||
* [Selecting Locations](locations.md)
|
||||
|
||||
* [Repeat Use]()
|
||||
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
|
||||
* [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
|
||||
* [Change Smart Card PINs](setting-smart-card-pins.md)
|
||||
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
|
||||
* [AirgapOS Setup](repeat-use-airgapos.md)
|
||||
* [`autorun.sh` Setup](autorun-sh-setup.md)
|
||||
* [Secure Boot Sequence](secure-boot-sequence.md)
|
||||
* [Selecting Locations](locations.md)
|
||||
* [Fixed Location Reusable Laptop]()
|
||||
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
|
||||
* [PureBoot]()
|
||||
* [Flash PureBoot to Librem](flash-pureboot-firmware.md)
|
||||
* [Initialize PureBoot Smart Card](initialize-pureboot-smart-card.md)
|
||||
* [Change Smart Card PINs](setting-smart-card-pins.md)
|
||||
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
|
||||
* [PureBoot Boot Sequence](secure-boot-sequence.md)
|
||||
|
||||
* [AirgapOS Setup]()
|
||||
* [AirgapOS Setup](repeat-use-airgapos.md)
|
||||
* [`autorun.sh` Setup](autorun-sh-setup.md)
|
||||
|
||||
* [One Time Use]()
|
||||
* [Procure Hardware](one-time-use-hardware-procurement.md)
|
||||
|
@ -41,6 +46,11 @@
|
|||
* [Online Artifact Storage](public-ceremony-artifact-storage.md)
|
||||
* [Physical Artifact Storage](physical-artifact-storage.md)
|
||||
|
||||
* [Coin Ceremonies]()
|
||||
* [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md)
|
||||
* [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md)
|
||||
* [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md)
|
||||
|
||||
* [Lifecycle Management]()
|
||||
* [Destroying Hardware](hardware-destruction.md)
|
||||
* [Storage Device Management](storage-device-management.md)
|
|
@ -0,0 +1,41 @@
|
|||
# Procure Hardware
|
||||
|
||||
1. Select a librem 14 laptop from https://puri.sm, and ensure:
|
||||
|
||||
* Memory: 8GB
|
||||
|
||||
* Storage: 250GB
|
||||
|
||||
* Power Adapter Plug: US
|
||||
|
||||
* Wireless: No wireless
|
||||
|
||||
* Firmware: PureBoot Bundle Anti-Interdiction (PureBoot Bundle Plus + Anti-interdiction services)
|
||||
|
||||
* Operating System: PureOS
|
||||
|
||||
* Warranty: 1 Year
|
||||
|
||||
* Privacy Screen: Privacy Screen for Librem 14
|
||||
|
||||
* USB Flash Drive: No USB Flash Drive
|
||||
|
||||
2. Purism will reach out via email and establish secure communications using PGP, so ensure that the individual who is in charge of procurement has a PGP key that's been set up securely. Purism will:
|
||||
|
||||
* Modify the laptop as per order specifications, in this case removing radio cards.
|
||||
|
||||
* Seal the screws on the bottom of the laptop using glitter of chosen color
|
||||
|
||||
* Take photographs of the inside of the laptop, then of the outside after it's sealed
|
||||
|
||||
* The photographs will be signed by Purism and encrypted to the PGP key used for communications to protect the integrity of the images
|
||||
|
||||
* The firmware verification hardware token can be sent to a separate location from the laptop, and will be tamper sealed using tamper proofing tape
|
||||
|
||||
* TODO: find out if we can have vacuum sealing with filler as a tamper proofing method be provided by Purism
|
||||
|
||||
* The laptop will be sealed in a box using tamper proofing tape
|
||||
|
||||
3. Once the laptop is received, it should not be opened until at least 2 parties are present and principles of [chain of custody](hardware-procurement-and-chain-of-custody.md) can be upheld. The images of tamper proofing provided by Purism should be used to ensure that the hardware had not been tampered, and the hardware token to verify firmware is in tact.
|
||||
|
||||
4. Once the hardware is properly verified to not have been tampered in transit, a [tamper evidence method](tamper-evidence-methods.md) should be applied to the laptop before it's stored.
|
|
@ -0,0 +1,45 @@
|
|||
# Fixed Location Reusable Laptop Ceremony
|
||||
|
||||
1. Select at least two authorized operators who will be participating in the ceremony
|
||||
|
||||
2. Print photographs of tamper proofing of the laptop which will be used for the ceremony
|
||||
|
||||
3. Make an entry into the access log, specifying the:
|
||||
|
||||
* Individuals involved
|
||||
|
||||
* Approximate time of entry
|
||||
|
||||
4. Enter the SCIF, ensuring to lock the door behind you from the inside. The room should not be accessible from the outside during a ceremony.
|
||||
|
||||
5. Access the laptop safe, and move the laptop, its hardware token, and polaroid to the Tamper Proofing Workstation
|
||||
|
||||
* Compare the polaroid and digital photographs for any differences
|
||||
|
||||
* Then compare the photographs to the actual object
|
||||
|
||||
* If there are any issues detected, initiate incident response
|
||||
|
||||
6. Initiate the [Secure Boot Sequence](secure-boot-sequence.md)
|
||||
|
||||
7. Use one of the [Coin Playbooks]() to perform actions for a given coin
|
||||
|
||||
* TODO...
|
||||
|
||||
8. Once the ceremony is completed, use the [Sealing Procedure](tamper-evidence-methods.md#procedure) to reseal and photograph the laptop
|
||||
|
||||
* Use a new SD card for taking photographs of the sealed laptop
|
||||
|
||||
9. Remove the SD card from the camera and use chain of custody principles to ensure the integrity of the data
|
||||
|
||||
10. Place the sealed laptop and signed polaroids, as well as the hardware token back in the safe
|
||||
|
||||
11. Exit the SCIF and lock it
|
||||
|
||||
12. Update the log with the exit time
|
||||
|
||||
13. Upload the photos to a git repository, ensuring the commit is signed using PGP
|
||||
|
||||
* TODO: add more details around how the storage of images should work
|
||||
|
||||
* TODO: ensure there is a pgp doc that can be linked to (for setup and use)
|
|
@ -60,6 +60,9 @@ which is set at the time of initial sharding, expressed as M of N, or in other
|
|||
words M shards of the total N shards in existence are required to reveal the
|
||||
secret.
|
||||
|
||||
## Secure Compartmentalized Information Facility (SCIF)
|
||||
|
||||
|
||||
## Workstation
|
||||
|
||||
Highly secure computer which is used for sensitive operations, typically in the
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Location
|
||||
|
||||
Locations refer to physical points in space which are used for storing
|
||||
cryptographic material or performing actions related to the DRK lifecycle and
|
||||
cryptographic material or performing actions using the cryptographic material and
|
||||
adhere to a set of criteria which focus on achieving a high level of security -
|
||||
specifically with respect to:
|
||||
|
||||
|
@ -66,7 +66,7 @@ standard NATO SDIP-27 Level A
|
|||
locations simultaneously
|
||||
|
||||
* SHOULD be facilities owned by different organizations to reduce the risk of
|
||||
collusion unless the organization who owns the DRK has their own facility such
|
||||
as a SCIF (Secure Compartmentalized Information Facility)
|
||||
collusion unless the organization who owns the QKM system has their own facility such
|
||||
as a [SCIF](glossary.md#secure-compartmentalized-information-facility-scif).
|
||||
|
||||
* SHOULD have seismic detectors
|
||||
|
|
|
@ -6,18 +6,9 @@ instead the AirgapOS `.iso` image is flashed to an SD card, locked using
|
|||
|
||||
## Setup Steps
|
||||
|
||||
* Clone the latest AirgapOS version:
|
||||
|
||||
* `git clone git@distrust.co:public/airgap.git`
|
||||
|
||||
* Build the image:
|
||||
|
||||
* `cd airgap && make`
|
||||
|
||||
* Verify `sha256sum` of airgap matches hashes in `/dist`
|
||||
|
||||
* Verify signatures on the hashes in `/dist`. The maintainer pgp keys can be found on the [Distrust contact page](https://distrust.co/contact.html) page.
|
||||
* Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
|
||||
|
||||
* Verify the software according to [this](verifying-signatures.md) guide
|
||||
|
||||
* Flash `airgap.iso` to an SD Card:
|
||||
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
# One Time Use Laptop Ceremony
|
|
@ -0,0 +1 @@
|
|||
# Portable Reusable Laptop Ceremony
|
|
@ -4,23 +4,9 @@ This section can be completed on any machine.
|
|||
AirgapOS has `keyfork` built into it for cryptographic operations such as key
|
||||
derivation.
|
||||
|
||||
1. Clone the `AirgapOS` repository locally or download it as a zip
|
||||
1. Build the software according to the [readme](https://git.distrust.co/public/airgap) in the repository. Use the `make reproduce` command.
|
||||
|
||||
To clone use the following command in the terminal:
|
||||
```
|
||||
cd ~
|
||||
git clone git@distrust.co:public/airgap.git
|
||||
```
|
||||
|
||||
To download as a ZIP from https://git.distrust.co/public/airgap:
|
||||
![Downloading AirgapOS as ZIP](img/download-airgap-os.png)
|
||||
|
||||
2. Navigate into the `airgap` repository locally, and build the iso image.
|
||||
```
|
||||
cd ~/airgap
|
||||
make reproduce
|
||||
```
|
||||
The resulting iso will be located in `airgap/out/`
|
||||
2. Verify the software according to [this](verifying-signatures.md) guide
|
||||
|
||||
3. Place signed .iso on a storage device
|
||||
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
# Verifying Signatures
|
||||
|
||||
When building and downloading software it is essential to verify signatures to ensure its integrity.
|
||||
|
||||
Verification of software depends on two primary aspects:
|
||||
|
||||
* Ensuring that the hash of a binary matches some point of reference, for example the same binary previously built by a trusted team member, or a hash hosted alongside the software in the download location.
|
||||
|
||||
* Ensuring that signatures alongside hashes are from trusted asymmetric keys (e.g PGP keys)
|
||||
|
||||
In order to achieve this, one must establish that specific keys are "well known" and can be trusted - that is, that they belong to a given individual. To achieve this, the best method is to exchange keys in person, but a combination of the following methods gives even higher confidence thresholds:
|
||||
|
||||
* Verifying the key in person
|
||||
|
||||
* Finding a reference to a public key on the individual's personal website
|
||||
|
||||
* Finding a reference to a public key on the individual's social media platforms
|
||||
|
||||
* Finding a keyoxide profile for a given public key
|
||||
|
||||
* Finding a reference to a public key on a company website
|
||||
|
||||
* Looking up popular key servers to see if a given individual is associated with it
|
||||
|
||||
Each point of reference allows us to build confidence that the key is indeed owned by an individual.
|
||||
|
||||
One other consideration is how the key is protected. If possible, find out how the individual manages their key. If the key is stored on a local machine, the trust level for that key should be low. If the individual always manages their keys in airgapped environments, and on HSMs, then a higher level of trust can be ascribed - although ultimately in most cases it's impossible to verify that the individual followed a given policy around key management.
|
||||
|
||||
One favorable method for ensuring that a key never got exposed is using built in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey. While this type of key setup has the downside of not being able to back it up, one could use a master key to sign such a key, authorizing it for use, while giving the flexibility to rotate if the hardware token is damaged or lost.
|
Loading…
Reference in New Issue