# Personal PGP Key Provisioning

## Requirements

* Computer

    * Preferred: [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)

    * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))

* [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)

* 2+ new smart cards

* 2+ SD cards

## Generate OpenPGP Key

1. If using the AirGapped Bundle, unseal it first; otherwise proceed to the step where the AirgapOS SD card is inserted into the computer

{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}

1. Insert AirgapOS SD card into computer

1. Boot to AirgapOS

    * Boot from the SD card by modifying the Boot Menu

    * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary

{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}

## Adding an OpenPGP Public Certificate to the Ceremony Repository

1. Switch to online machine

1. Open a terminal and navigate to the `vaults` repository or clone it:

    * If already cloned: `cd ~/vaults`

    * If not, clone using: `cd ~ && git clone `

1. Ensure you are on the correct branch:

    * `git checkout main`

1. Pull the latest ceremony repo changes:

    * `git pull origin main`

1. Ensure you have the certificate copied locally. If it is on an SD card, plug in the SD card and use the following steps to copy the certificate to the online machine:

    * To copy from SD card:

{{ #include ../../component-documents/finding-device-name.md:content }}

    * `cp /media/cert.asc ~/vaults`

1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):

    1. Obtain the fingerprint for the certificate:

        * `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`

    1. Copy the certificate to a name based on the fingerprint:

        * `cp cert.asc "${fingerprint}.asc"`

1. If exporting a certificate from GnuPG:

    1. Find your key fingerprint:

        * `gpg --list-keys`

    1. Export your OpenPGP public certificate:

        * `gpg --export --armor > .asc`

1. Place the file in `keys/all/.asc`

    * `mv .asc keys/all/`

1. Stage the modified file:

    * `git add keys/all/.asc`

1. Create a signed git commit:

    * `git commit -S -m "add pgp key"`

1. Push the commit:

    * `git push origin main`

1. Communicate your new key fingerprint to all other participants:

    * Preferred: In person

    * Fallback: via two logically distinct online communication methods (e.g. encrypted chat and video call)

1. Get confirmation that they have used `gpg --import .asc` to import your key from the git repo into the keyrings on the workstations they will use to interact with the ceremony repo

## Local Configurations for OpenPGP

This configuration enables the use of smart cards for OpenPGP operations and enforces git commit signing.

{{ #include ../../component-documents/git-commit-signing.md:steps }}
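
The ceremony-repository steps above turn command output directly into a file name (`"${fingerprint}.asc"`), so empty or multi-line output would produce a stray `.asc` file or a malformed path in `keys/all/`. The following is an added example, not part of the original procedure or the project's tooling: it checks the fingerprint before using it as a name. The helper names `valid_fpr` and `stage_cert` are hypothetical, and it assumes the fingerprint arrives as a bare hex string.

```shell
#!/bin/sh
# Added example; valid_fpr and stage_cert are hypothetical helper names.
LC_ALL=C; export LC_ALL   # make the [0-9A-Fa-f] ranges byte-exact

# True only for one full fingerprint: 40 hex digits (OpenPGP v4) or 64 (v6).
# Empty output, short key IDs, multi-line output (several certificates in one
# file) and anything containing "/" or "." all fail.
valid_fpr() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# stage_cert CERT REPO FPR: copy CERT to REPO/keys/all/FPR.asc and print the
# destination. The body runs in a subshell so its variables do not leak.
stage_cert() (
    cert=$1; repo=$2; fpr=$3
    valid_fpr "$fpr" || { echo "refusing: bad fingerprint '$fpr'" >&2; exit 1; }
    [ -s "$cert" ]   || { echo "refusing: $cert missing or empty" >&2; exit 1; }
    dest="$repo/keys/all/$fpr.asc"
    # Never silently replace a different certificate under the same name.
    if [ -e "$dest" ] && ! cmp -s "$cert" "$dest"; then
        echo "refusing: $dest exists with different content" >&2; exit 1
    fi
    mkdir -p "$repo/keys/all" && cp "$cert" "$dest" && printf '%s\n' "$dest"
)

# Stand-alone use: sh stage-cert.sh cert.asc ~/vaults "$fingerprint"
if [ "$#" -eq 3 ]; then
    stage_cert "$@"
fi
```

The printed path is the file to pass to `git add` before creating the signed commit.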