# Provisioner - Procure Hardware

The provisioner is responsible for:

* Procuring equipment
* Setting up the Location
* Maintaining stock of supplies in the [Location]()
* Minimizing hardware supply chain security risks
* Ensuring availability of necessary equipment

## Directives

* MUST maintain chain of custody for all hardware until after it's properly tamper-proofed

- [ ] do we need to tamper proof usb equipment?
    * no because we verify hashes of data on the ceremony machines

## Laptops

* [Purism Librem 14](../../../../hardware.md#air-gapped-computer)
* ChromeBook or a computer capable of running QubesOS according to [this guide](../../../../online-machine-provisioning.md)

## Provisioning AirgapOS

Provision AirgapOS using [this guide](../../../../one-time-use-airgapos.md)

## Tamper Proofing Equipment

This guide contains specific equipment models: [guide](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler)

* Vacuum Sealer
* Vacuum sealer roll
* Colored beads
* Digital camera
* Polaroid camera

## Other Equipment

* SD cards
    * [Kingston Industrial 8GB SD Memory Card](https://www.kingston.com/en/memory-cards/industrial-grade-sd-uhs-i-u3?capacity=8gb)
    * [Kingston Industrial 8GB microSD Memory Card](https://shop.kingston.com/products/industrial-microsd-card-memory-card?variant=40558543405248)
* microSD to SD adapter
    * TODO find specific products
* SD Card USB Adapter
    * SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader
    * microSD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-microsd-reader
    * Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub
* PureBoot smart card (TODO)
* [Online machine](../../../../../../online-machine-provisioning.md) used for fetching transaction data

## Preparing SD Cards

### Freshly Formatted Cards

* The location should always be well stocked with freshly formatted SD cards
* There should be at least 20 microSD and 20 SD cards available for use
* It is the provisioner's responsibility to keep track of the number of ceremonies and replenish stock as needed
* Both microSD and regular SD cards should be available
* They should be formatted as `ext4`

- [ ] consider renaming location to vault/facility
- [ ] TODO find a way to format many cards at once

* Usage of these SD cards:
    * Transferring transaction data from online to air-gapped machine
    * Storing tamper proofing evidence produced at the end of the ceremony

### Shardfile

There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a [Root Entropy](todo) derivation ceremony.

* Label: "Shardfile"
* This should be write-locked and stored in tamper proofing along with the air-gapped machine

### Trusted Keys

* Label: Trusted Keys
* 1 SD card with "trusted keys" for proposers and approvers, both signed by each operator using their operator key
* This should be write-locked and stored in tamper proofing along with the air-gapped machine

### AirgapOS

* Label: "AirgapOS "
* This should be write-locked and stored in tamper proofing along with the air-gapped machine

## Preparing The Location

### Locker / Safe

* establish a means of locking up equipment

### Air-gapped bundle

* tamper proof together: Apply [vacuum sealing + filler tamper proofing](../../../../tamper-evidence-methods.md#vacuum-sealed-bags-with-filler) to the laptop and the AirgapOS SD card
    * air-gapped machine
    * airgapos sd card