docs/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md

Personal PGP Key Provisioning

Requirements

• Computer that can load AirgapOS (compatibility reference)

• AirgapOS SD card

• 2+ new smart cards

• 2+ SD cards

Generate OpenPGP Key

1. Insert AirgapOS SD card into computer

2. Boot to AirgapOS

   • Boot from the SD card by modifying the Boot Menu

   • Disabling secure boot may be necessary

{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}

Adding a OpenPGP Public Certificate to the Ceremony Repository

1. Ensure you are on the correct branch:

   • git checkout main

2. Pull the latest ceremony repo changes

   • git pull origin main

3. If using a certificate from Personal PGP Key Provisioning:

   1. Obtain the fingerprint for the certificate:

      • fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"

   2. Copy the certificate to a name based on the keyring:

      • cp cert.asc "${fingerprint}.asc"

4. If exporting a certificate from GnuPG:

   1. Find your key fingerprint:

      • gpg --list-keys

   2. Export your OpenPGP public certificate:

      • gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc

5. Place the file in keys/all/<key_fingerprint>.asc

6. Create signed git commit:

   • git commit -S -m "add <name> pgp key"

7. Push to the commit:

   • git push origin main

8. Communicate your new key fingerprint to all other participants:

   • Preferred: In person

   • Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)

9. Get confirmation they have used gpg --import <your_key_id>.asc to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo