docs/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md

Personal PGP Key Provisioning

Requirements

Generate OpenPGP Key

  1. If using an AirGapped Bundle, unseal it first; otherwise proceed to the step where the AirgapOS SD card is inserted into the computer

{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}

  1. Insert the AirgapOS SD card into the computer

  2. Boot to AirgapOS

{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}

Adding an OpenPGP Public Certificate to the Ceremony Repository

  1. Switch to online machine

  2. Open a terminal and navigate to the vaults repository or clone it:

    • If already cloned: cd ~/vaults

    • If not, clone using: cd ~ && git clone <vaults_repository_url>

  3. Ensure you are on the correct branch:

    • git checkout main

  4. Pull the latest ceremony repo changes:

    • git pull origin main

  5. Ensure you have the certificate copied locally. If it is on an SD card, plug in the SD card and use the following steps to copy the certificate to the online machine:

    • To copy from SD card:

      {{ #include ../../component-documents/finding-device-name.md:content }}

    • cp /media/cert.asc ~/vaults

  6. If using a certificate from Personal PGP Key Provisioning:

    1. Obtain the fingerprint for the certificate:

      • fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"

      • Before going further, confirm that fingerprint holds a single 40-character hexadecimal string; an empty or multi-line value means the parse failed and would produce a wrongly named file.

    2. Copy the certificate to a file named after its fingerprint:

      • cp cert.asc "${fingerprint}.asc"

  7. If exporting a certificate from GnuPG:

    1. Find your key fingerprint:

      • gpg --list-keys

    2. Export your OpenPGP public certificate:

      • gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc

  8. Place the file in keys/all/<key_fingerprint>.asc:

    • mv <key_fingerprint>.asc keys/all/

  9. Stage the new file:

    • git add keys/all/<key_fingerprint>.asc

  10. Create a signed git commit:

    • git commit -S -m "add <name> pgp key"

  11. Push the commit:

    • git push origin main

  12. Communicate your new key fingerprint to all other participants:

    • Preferred: In person

    • Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)

  13. Get confirmation that they have imported your key from the git repo (gpg --import keys/all/<key_fingerprint>.asc) into the keyrings on the workstations they will use to interact with the ceremony repo, and that the fingerprint GnuPG reports for the imported key matches the one you communicated in step 12
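
The following script is an added example, not part of this repository's tooling. It collapses steps 6 to 10 (derive the fingerprint, name the file after it, stage and sign-commit it) into one function, and adds the check other participants should do at step 13: confirm that the file they import from keys/all/ actually contains the fingerprint that was communicated out of band. It assumes GnuPG 2.2 or later (for --show-keys), git, and that it is run from the root of the vaults checkout; instead of the sq/awk pipeline above it parses GnuPG's colon-separated output, and the sample records at the top are constructed for the offline self-check only.

```shell
#!/bin/sh
# Added example (not the project's own tooling): helpers for the
# "add a certificate to the ceremony repository" steps, plus the
# fingerprint check other participants do after importing it.
# Assumptions: GnuPG >= 2.2 (--show-keys), git, run from the vaults repo root.
set -eu

# Constructed sample of `gpg --with-colons --show-keys cert.asc` output for a
# primary key plus one subkey; used only for the offline self-check below.
SAMPLE_COLONS='pub:u:255:22:AACB3243630052D9:1700000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::8F17777118A33DDA9BA48E62AACB3243630052D9:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
sub:u:255:18:0123456789ABCDEF:1700000000::::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Print the primary-key fingerprint from colon-format records on stdin.
# The first "fpr" record follows the "pub" record, so it belongs to the
# primary key; field 10 carries the fingerprint. Subkey fprs are ignored.
primary_fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Accept only a 40-digit uppercase hex v4 fingerprint. Rejects empty output,
# 16-digit key IDs, lowercase and stray characters, so a failed parse can
# never turn into a filename such as keys/all/.asc.
is_valid_fingerprint() {
    case "$1" in
        ""|*[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Repository path for a certificate, derived from its fingerprint.
cert_repo_path() {
    printf 'keys/all/%s.asc\n' "$1"
}

# Fingerprint of the primary key inside an armored certificate file.
cert_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" | primary_fingerprint_from_colons
}

# Steps 6-10: name the file by fingerprint, refuse to clobber an existing
# key, stage it and create a signed commit. The push is left to the operator.
add_cert_to_repo() {
    cert="$1"
    name="$2"
    fpr="$(cert_fingerprint "$cert")"
    if ! is_valid_fingerprint "$fpr"; then
        echo "could not derive a fingerprint from $cert" >&2
        return 1
    fi
    dest="$(cert_repo_path "$fpr")"
    if [ -e "$dest" ]; then
        echo "$dest already exists; refusing to overwrite" >&2
        return 1
    fi
    cp "$cert" "$dest"
    git add "$dest"
    git commit -S -m "add $name pgp key"
    echo "committed $dest; communicate fingerprint $fpr out of band"
}

# Step 13, from another participant's side: the expected fingerprint comes
# from the out-of-band channel, and must match both the filename and the
# certificate inside it before the key is imported.
verify_and_import() {
    expected="$1"
    path="$(cert_repo_path "$expected")"
    actual="$(cert_fingerprint "$path")"
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: $path contains $actual, expected $expected" >&2
        return 1
    fi
    gpg --batch --import "$path"
}

# Offline self-check on the constructed sample (needs neither gpg nor git).
demo_fpr="$(printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprint_from_colons)"
is_valid_fingerprint "$demo_fpr" && cert_repo_path "$demo_fpr"
```

Run as `add_cert_to_repo ~/vaults/cert.asc "Alice"` on the submitter's side and `verify_and_import 8F17777118A33DDA9BA48E62AACB3243630052D9` on a recipient's side (fingerprint constructed here). The fingerprint is validated before it is used as a path so that a parse failure aborts rather than committing a mis-named file, and the recipient compares the certificate's real fingerprint, not just the filename, against the value received in person.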

Local Configurations for OpenPGP

This configuration enables the use of smart cards for OpenPGP operations, and enforces git commit signing.

{{ #include ../../component-documents/git-commit-signing.md:steps }}