# Personal PGP Key Provisioning

## Requirements

* Computer
    * Preferred: [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
    * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
* [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
* 2+ new smart cards
* 2+ SD cards

## Generate OpenPGP Key

1. If using the AirGapped Bundle, unseal it first; otherwise proceed to the step where the AirgapOS SD card is inserted into the computer.

{{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}

1. Insert the AirgapOS SD card into the computer
1. Boot to AirgapOS
    * Boot from the SD card by modifying the Boot Menu
    * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary

{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}

## Adding an OpenPGP Public Certificate to the Ceremony Repository

1. Switch to the online machine
1. Open a terminal and navigate to the `vaults` repository, or clone it:
    * If already cloned: `cd ~/vaults`
    * If not, clone using: `cd ~ && git clone <vaults_repository_url>`
1. Ensure you are on the correct branch:
    * `git checkout main`
1. Pull the latest ceremony repo changes:
    * `git pull origin main`
1. Ensure the certificate is available locally. If it is on an SD card, plug in the SD card and copy the certificate to the online machine as follows:
    * To copy from the SD card:

{{ #include ../../component-documents/finding-device-name.md:content }}

    * `cp /media/cert.asc ~/vaults`
1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
    1. Obtain the fingerprint of the certificate:
        * `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
    1. Copy the certificate to a file named after its fingerprint:
        * `cp cert.asc "${fingerprint}.asc"`
1. If exporting a certificate from GnuPG:
    1. Find your key fingerprint:
        * `gpg --list-keys`
    1. Export your OpenPGP public certificate:
        * `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
1. Place the file in `keys/all/<key_fingerprint>.asc`:
    * `mv <key_fingerprint>.asc keys/all/`
1. Stage the new file:
    * `git add keys/all/<key_fingerprint>.asc`
1. Create a signed git commit:
    * `git commit -S -m "add <name> pgp key"`
1. Push the commit:
    * `git push origin main`
1. Communicate your new key fingerprint to all other participants:
    * Preferred: in person
    * Fallback: via two logically distinct online communication methods (e.g. encrypted chat and a video call)
1. Get confirmation that they have used `gpg --import <your_key_id>.asc` to import your key from the git repo into the keyrings on the workstations they will use to interact with the ceremony repo
## Local Configurations for OpenPGP

This configuration enables the use of smart cards for OpenPGP operations, and enforces git commit signing.

{{ #include ../../component-documents/git-commit-signing.md:steps }}