Introduction

Quorum Key Management (QKM) is an open source system of playbooks and tooling which facilitates the creation and maintenance of highly resilient Quorum-based Key Management Systems based on a strict threat model which can be used for a variety of different cryptographic algorithms. The system was designed and developed by Distrust, with the generous support of the following sponsors: TODO.

The basic premise of QKM is that primary cryptographic material akin to a root certificate, called Root Entropy, is derived during a secure key derivation ceremony, and then used to derive chosen cryptographic material via different algorithms such as PGP keys, digital asset wallets, web certificates and more. The system was designed with extensibility in mind.

The Root Entropy is sharded using Shamir's Secret Sharing to a Quorum in order to protect it from single points of failure, requiring cooperation of multiple individuals - a quorum, and use of cryptographic material stored in separate physical locations with significant access controls in order to reconstruct the secret material, namely the Root Entropy.

Use Cases

QKM can be used for a wide range of use-cases which span but are not limited to:

  • Deriving a PGP key pair whose public key can be used as a "one-way deposit box" - for example a company can back up keys for their digital asset wallets by encrypting them to the public key and storing the encrypted ciphertext blobs on multiple cloud storage platforms, or on offline hard drives for redundancy.

  • Deriving PGP keys for multiple individual users in a deterministic manner.

  • Deriving wallets for digital assets using BIP-0032 style derivation as part of a cold signing setup.

  • Decrypting data in a secure, quorum protected, air-gapped environment.

  • Generating digital certificates

Playbooks

QKM can be set up by using a set of highly opinionated playbooks which outline the process. The documentation should be read in its entirety by all participants in the ceremony in order to ensure that the system is well understood by all in order to ensure that the integrity of the process is preserved and enforced by all participants.

Directives

The documentation provides directives in order to specify the importance of adhering to parts of the specification as follows to achieve high levels of security:

  • MUST - not adhering to this will result in significant deterioration of security properties of the system

  • SHOULD - is recommended and may impact the security of the system depending on the context

  • MAY - is typically a design decision with no significant impact to the overall security of the system

Method

The reader is encouraged to read through the entire body of documents which should not take more than 30 minutes. If any parts are unclear, they may contact Distrust for clarification, which is welcomed as it will aid improving the documentation.