docs/quorum-key-management/src/generated-documents/level-2/fixed-location/provisioner/procure-hardware.md

Provisioner - Procure Hardware

The provisioner is responsible for:

• Procuring equipment

• Setting up the Location

• Maintaining stock of supplies in the Location

• Minimizing hardware supply chain security risks

• Ensuring availability of necessary equipment

Directives

• MUST maintain chain of custody for all hardware until after it's properly tamper-proofed

• do we need to tamper proof usb equipment?
  • no because we verify hashes of data on the ceremony machines

Laptops

• Purism Librem 14

• ChromeBook or a computer capable of running QubesOS according to this guide

Provisioning AirgapOS

Provision AirgapOS using this guide

Tamper Proofing Equipment

This guide contains specific equipment models: guide

• Vacuum Sealer

• Vacuum sealer roll

• Colored beads

• Digital camera

• Polaroid camera

Other Equipment

• SD cards

  • Kingston Industrial 8GB SD Memory Card

  • Kingston Indsutrial 8GB microSD Memory Card

• microSD to SD adapter

  • TODO find specific products

• SD Card USB Adapter

  • SD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-sd-reader

  • microSD card reader: https://www.kingston.com/en/memory-card-readers/mobilelite-plus-microsd-reader

  • Workflow station hub (may prove helpful with workflows): https://www.kingston.com/en/memory-card-readers/workflow-station-hub

• PureBoot smart card (TODO)

• Online machine used for fetching transaction data

Preparing SD Cards

Freshly Formatted Cards

• The location should always be well stocked with freshly formatted SD cards

  • There should be at least 20 microSD and 20 SD cards available for use

    • It is the provisioner's responsibility to keep track of the number of ceremonies and replenish stock as needed

  • Both microSD and regular SD cards should be available

  • They should be formatted to ext4 format

  • consider renaming location ot vault/facility

• TODO find a way to format many cards at once

• Usage of these SD cards:

  • Transferring transaction data from online to air-gapped machine

  • Storing tamper proofing evidence produced at the end of the ceremony

Shardfile

There should be multiple SD cards containing the shardfile data. Shardfile data is produced during a Root Entropy derivation ceremony.

• Label: "Shardfile"

• This should be write-locked and stored in tamper proofing along with air-gapped machine

Trusted Keys

• Label: Trusted Keys

• 1 SD card with "trusted keys" for proposers and approvers, both signed by each operator using their operator key

• This should be write-locked and stored in tamper proofing along with air-gapped machine

AirgapOS

• Label: "AirgapOS "

• This should be write-locked and stored in tamper proofing along with air-gapped machine

Preparing The Location

Locker / Safe

• establish a means of locking up equipment

Air-gapped bundle

• tamper proof together: Apply vacuum sealing + filler tamper proofing to the laptop and the AirgapOS SD card
  • air-gapped machine
  • airgapos sd card