keyfork-user-guide: tidy up more docs
This commit is contained in:
parent
155de0ce31
commit
09c3e1bda8
|
@ -37,6 +37,28 @@ provisioned to, avoiding ambiguities when (for example) multiple devices are
|
||||||
plugged into a host. A plumbing crate may provide a binary to list identifiers
|
plugged into a host. A plumbing crate may provide a binary to list identifiers
|
||||||
for potential targets, if possible.
|
for potential targets, if possible.
|
||||||
|
|
||||||
|
### Deriving Data
|
||||||
|
|
||||||
|
A quick example is provided to show how data can be requested from the Keyfork
|
||||||
|
server. The response contains the bytes representing the private key; the chain
|
||||||
|
code, depth, and algorithm are also included in the response, and can be used
|
||||||
|
for further derivation if required.
|
||||||
|
|
||||||
|
```rs
|
||||||
|
use keyfork_derive_util::{
|
||||||
|
request::{DerivationAlgorithm, DerivationRequest, DerivationResponse},
|
||||||
|
DerivationIndex, DerivationPath,
|
||||||
|
};
|
||||||
|
use keyforkd_client::Client;
|
||||||
|
|
||||||
|
let path = DerivationPath::from_str("m/44'/0'/0'")?;
|
||||||
|
let request = DerivationRequest::new(DerivationAlgorithm::Secp256k1, &path);
|
||||||
|
let response: DerivationResponse = Client::discover_socket()?
|
||||||
|
.request(&request.into())?
|
||||||
|
.try_into()?;
|
||||||
|
let derived_key = response.data;
|
||||||
|
```
|
||||||
|
|
||||||
## Porcelain
|
## Porcelain
|
||||||
|
|
||||||
Once the plumbing crates have been written, porcelain subcommands should be
|
Once the plumbing crates have been written, porcelain subcommands should be
|
||||||
|
|
|
@ -1,4 +1,11 @@
|
||||||
# Creating a Seed and Shard File
|
# Keyfork Shard Commands
|
||||||
|
|
||||||
|
Sharding a seed allows "M-of-N" recovery of the seed, which is useful for
|
||||||
|
disaster recovery situations, avoiding the case where a single person may be
|
||||||
|
left in charge of the seed. Keyfork provides utilities to help with the
|
||||||
|
management of seeds through sharding.
|
||||||
|
|
||||||
|
## Creating a Seed and Shard File
|
||||||
|
|
||||||
If using smartcards dedicated to this use case, Keyfork offers a wizard to
|
If using smartcards dedicated to this use case, Keyfork offers a wizard to
|
||||||
generate a seed and encrypt it to multiple factory-reset smartcards. Assuming
|
generate a seed and encrypt it to multiple factory-reset smartcards. Assuming
|
||||||
|
@ -13,7 +20,7 @@ Keyfork will prompt for keys to be inserted and for PINs to be configured for
|
||||||
the smartcards. The shards file should be copied to every system intended to
|
the smartcards. The shards file should be copied to every system intended to
|
||||||
decrypt shards.
|
decrypt shards.
|
||||||
|
|
||||||
# Starting Keyfork using a single system
|
## Starting Keyfork using a single system
|
||||||
|
|
||||||
If all shardholders are present, the following command can be run to start the
|
If all shardholders are present, the following command can be run to start the
|
||||||
Keyfork server process:
|
Keyfork server process:
|
||||||
|
@ -25,7 +32,7 @@ keyfork recover shard shards.pgp
|
||||||
Keyfork will prompt for keys to be inserted and for the User PINs for the keys
|
Keyfork will prompt for keys to be inserted and for the User PINs for the keys
|
||||||
to be entered. Once the shard is decrypted, the Keyfork server will start.
|
to be entered. Once the shard is decrypted, the Keyfork server will start.
|
||||||
|
|
||||||
# Starting Keyfork using remote systems
|
## Starting Keyfork using remote systems
|
||||||
|
|
||||||
A line of communication should be established with the shardholders, but can be
|
A line of communication should be established with the shardholders, but can be
|
||||||
public and/or insecure. On the system intended to run the Keyfork server, the
|
public and/or insecure. On the system intended to run the Keyfork server, the
|
||||||
|
@ -47,17 +54,21 @@ keyfork shard transport < shards.pgp
|
||||||
This command will read in 33 words, prompt for a smartcard PIN, and prompt 72
|
This command will read in 33 words, prompt for a smartcard PIN, and prompt 72
|
||||||
words, followed by a QR code containing the words.
|
words, followed by a QR code containing the words.
|
||||||
|
|
||||||
# Deriving an OpenPGP key
|
## Example: Deriving an OpenPGP key for Encryption
|
||||||
|
|
||||||
This command should be run on a system without persistent storage to avoid
|
|
||||||
persisting the cold storage key to disk.
|
|
||||||
|
|
||||||
Once the Keyfork server has started, Keyfork can be used to derive an OpenPGP
|
Once the Keyfork server has started, Keyfork can be used to derive an OpenPGP
|
||||||
key:
|
key, and [Sequoia] can be used to extract the public portions:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
keyfork derive openpgp "Cold Storage Key" > cold_storage.pgp
|
keyfork derive openpgp "Storage Key" | sq key extract-cert > storage.pgp
|
||||||
```
|
```
|
||||||
|
|
||||||
The final argument should be a descriptive name for the key, as that name will
|
The final argument should be a descriptive name for the key, as that name will
|
||||||
likely be used by any program encrypting data to the public key.
|
likely be used by any program encrypting data to the public key.
|
||||||
|
|
||||||
|
The key, including the secret portions, can be retrieved by running the command
|
||||||
|
without the `sq` portion, but should not be run on a system with a persistent
|
||||||
|
filesystem, to avoid keeping the key on written memory for longer than
|
||||||
|
necessary.
|
||||||
|
|
||||||
|
[Sequoia]: https://sequoia-pgp.org
|
||||||
|
|
Loading…
Reference in New Issue