public
/
docs
5
0
Fork 0
Code Issues 14 Pull Requests 5 Packages Projects Releases Wiki Activity

add instructions for generating encryption keys #45

Open
anton wants to merge 4 commits from feat/encryption-key-generation into main
pull from: feat/encryption-key-generation
merge into: public:main
Conversation 3 Commits 4 Files Changed 3 +30 -20
anton commented 2025-01-29 10:39:32 +00:00
Owner
Copy Link
No description provided.
anton added 1 commit 2025-01-29 10:39:33 +00:00
anton added 1 commit 2025-01-29 10:46:53 +00:00
anton added 1 commit 2025-01-29 10:52:35 +00:00
ryan reviewed 2025-01-29 12:33:25 +00:00
quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md Outdated
@ -35,1 +35,3 @@
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>`
* Replace the values: <path_to_input_shard>, <pgp_cert_id>
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=output_shardfile.asc --output-cert root_pgp_cert.asc --user-id <pgp_cert_id>`
ryan commented 2025-01-29 12:33:25 +00:00
Owner
Copy Link

they would need to do the old flow of recover the mnemonic, derive the key, and extract the certificate. mnemonic generate is for the sole purpose of generating a mnemonic and creating backups of that mnemonic, not for generating storage encryption keys of the mnemonic. the fact --encrypt-to-self does so is a requirement of GnuPG and is considered a hack.

they would need to do the old flow of recover the mnemonic, derive the key, and extract the certificate. `mnemonic generate` is for the sole purpose of generating a mnemonic and creating backups of that mnemonic, not for generating storage encryption keys of the mnemonic. the fact `--encrypt-to-self` does so is a requirement of GnuPG and is considered a hack.
👍 1
ryan commented 2025-01-29 12:46:51 +00:00
Owner
Copy Link

I think in this case it would be reasonable for us to extend the generate-shard-secret wizard, since generating keys is out of scope for keyfork mnemonic generate, and is only used for --encrypt-to-self when used in combination with --provision.

# For generating new keys
keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid="Whatever"

# For generating based on an existing Shardfile
keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid="Whatever"

This covers both ceremonies by adding the --shard-to functionality from keyfork mnemonic generate. Because wizards are bastard hodgepodges of hell, I'm not removing the functionality from keyfork mnemonic generate, since that interface is likely to remain stable.

I think in this case it would be reasonable for us to extend the `generate-shard-secret` wizard, since generating keys is out of scope for `keyfork mnemonic generate`, and is _only_ used for `--encrypt-to-self` when used in combination with `--provision`. ```sh # For generating new keys keyfork wizard generate-shard-secret --threshold <M> --max <N> --keys-per-shard=<number_of_smartcards_per_operator> --output shardfile.asc --cert-output keyring.asc --derive-openpgp-cert encryption_cert.asc,userid="Whatever" # For generating based on an existing Shardfile keyfork wizard generate-shard-secret --shard-to shardfile.asc --output shardfile.new.asc --cert-output keyring.new.asc --derive-openpgp-cert encryption_cert.new.asc,userid="Whatever" ``` This covers both ceremonies by adding the `--shard-to` functionality from `keyfork mnemonic generate`. Because wizards are bastard hodgepodges of hell, I'm not removing the functionality from `keyfork mnemonic generate`, since that interface is likely to remain stable.
anton commented 2025-01-30 05:42:16 +00:00
Author
Owner
Copy Link

Okay that makes sense. I'll update the docs with the commands you described above and include "NOT IMPLEMENTED" notes for now. I created the issues in the keyfork repository to help track this work:

Okay that makes sense. I'll update the docs with the commands you described above and include "NOT IMPLEMENTED" notes for now. I created the issues in the `keyfork` repository to help track this work: * [keyfork wizard generate-shard-secret extension](https://git.distrust.co/public/keyfork/issues/64)
anton added 1 commit 2025-01-30 05:57:51 +00:00
anton commented 2025-01-30 05:58:30 +00:00
Author
Owner
Copy Link

OK I made the updates, will remove the "TODO: NOT IMPLEMENTED" notes when the keyfork updates are ready.

OK I made the updates, will remove the "TODO: NOT IMPLEMENTED" notes when the `keyfork` updates are ready.
This pull request can be merged automatically.
You are not authorized to merge this pull request.
You can also view command line instructions.

Step 1:

From your project repository, check out a new branch and test the changes.
git checkout -b feat/encryption-key-generation main
git pull origin feat/encryption-key-generation

Step 2:

Merge the changes and update on Forgejo.
git checkout main
git merge --no-ff feat/encryption-key-generation
git push origin main
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
level-2

   
level-3

   
level-4

   
qvs

Quorum Vaulting System

No Label
level-2
level-3
level-4
qvs
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/docs#45
No description provided.
Delete Branch "feat/encryption-key-generation"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?