Hardware

This page describes different equipment which is required, and makes opinionated recommendations as well as alternatives. One may improve the overall security of their system by using a variety of hardware in order to benefit from their diversity, by reducing the likelihood that all hardware has suffered the same kind of hardware supply chain compromise, has the same vulnerability present, or has the same type of hardware failure issue.

Based on the decided upon Quorum, the amount of equipment required to set up a QKM will vary. In order to figure out what equipment is required, decide on a Quorum, which is expressed as "N of M". Once you know your M, the required equipment list is the following:

  • M x 4 Smart Cards

    • It is recommended to use two Smart Cards for storing each key pair

    • Ideally two different types of hardware are used in order to reduce the risk of simultaneous failure

    • At least 1 Smart Card is required for each Operator Key and 1 Smart Card for each Location Key

    • The number of Operator Keys is M, and the number of Location Keys is also M, hence the minimum of 2 x M Smart Cards, with the recommendation of using two smart cards for each, resulting in 4 x M Smart Cards

  • 2 + X Storage Devices

    • 1 Storage Device for AirgapOS

    • 1 Storage Device for storing Public Ceremony Artifacts

    • X, or any number of additional Storage Devices to duplicate the data, a good measure would be to have at least 3 Storage Devices for the ceremony

  • Librem 14 Laptop

    • Get as many laptops as desired to satisfy your operational needs

    • For each Librem 14, get a Librem Smart Card used for PureBoot

Smart Cards

Smart Cards are primarily used for storing OpenPGP cryptographic keys which are used as a building block for security controls. These smart cards hold OpenPGP keys which are derived in secure environments.

There are two primary requirements for smart cards:

  • FIPS 140-2

  • Support for Ed25519 OpenPGP

  • Touch for enacting operations

Some options include:

  • NitroKey 3 - because of its open source approach which helps improve the overall security of the products

  • YubiKey 5 - because of the widespread use and battle-tested reliability

  • Librem Key - because of the manufacturer's approach to hardware supply chain security and verifiable software

Air-Gapped Computer

Air-Gapped computers are used for the lifecycle management of cryptographic material that is part of QKM.

The primary hardware recommendation for a Air-Gapped Computer is the Librem 14, manufactured by Purism. Purism specializes in reducing hardware and firmware security risks, especially via their Anti-Interdiction Service and PureBoot and as such is an excellent choice for hardware which high integrity assurance is required for.

Alternative

An alternative approach is to use an off-the-shelf computer that is randomly selected right before the ceremony, removing the radio cards from it, using it to conduct a Ceremony, and then destroying the laptop using sufficiently adequate method to ensure that no data forensics can be used to recover the data from the drive, or memory. This can be achieved by using a combination of incineration, degaussing, shredding and drilling. Special care should be taken to completely destroy all components of the computer that are able to store data, even if it's only in ephemeral form as some forensic methods all extraction of data from components with "temporary memory".

Three letter agencies are known to collect and exploit physical destroyed drives, as data can still be extracted from them using methods such as electron microscopy, therefore a combination of degaussing, shredding and burning should be used, and the remaining debris should be spread out across multiple disposal locations.

Storage Device

Can be an SD Card or USB Drive but should be procured from a vendor with a good reputation, and ideally hardware of industrial grade should be prioritized.