Local Key Provisioning
This document contains instructions on how Operators collaborate to set up QKM, which requires an N-of-M quorum to be reconstituted. The encrypted shards that result from this ceremony are stored in separate physical Locations which contain Location Keys to which shards are encrypted, and whose passphrases are protected using Operator Keys.
Requirements
- Smart Card: whatever number of smart cards you would like to have seeded for each Operator. 2 per Operator is usually recommended: one NitroKey 3 and one YubiKey Series 5.
- Storage Devices: as many storage devices as you would like for backing up Public Ceremony Artifacts
- Storage Device loaded with
- All participants need Ceremony Notes which contain a record of the following, which they verified and wrote down themselves:
  - The SHA256 hash of airgap.iso
  - The SHA256 hash of autorun.sh
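One way to check the files on the Storage Device against every participant's Ceremony Notes, shown as an added example that is not part of the ceremony tooling. The function name `verify_ceremony_artifacts` and the notes-file format (one `<sha256-hex>  <filename>` line per artifact, as `sha256sum` prints it) are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of the ceremony tooling.
# Assumed notes format: one "<sha256-hex>  <filename>" line per artifact,
# transcribed by a participant from their own hand-written Ceremony Notes.
REQUIRED_ARTIFACTS="airgap.iso autorun.sh"

# verify_ceremony_artifacts DIR NOTES_FILE...
# Returns 0 only if every notes file has an entry for every required artifact
# and each entry equals the hash computed from the file in DIR.
verify_ceremony_artifacts() {
    dir=$1; shift
    [ "$#" -gt 0 ] || { echo "no Ceremony Notes supplied" >&2; return 2; }
    status=0
    for artifact in $REQUIRED_ARTIFACTS; do
        if [ ! -f "$dir/$artifact" ]; then
            echo "MISSING  $artifact" >&2; status=1; continue
        fi
        actual=$(sha256sum "$dir/$artifact" | cut -d' ' -f1)
        for notes in "$@"; do
            # Normalise case so hand-typed uppercase hex still compares equal.
            recorded=$(awk -v f="$artifact" '$2 == f { print tolower($1) }' "$notes")
            if [ -z "$recorded" ]; then
                echo "NO ENTRY $artifact in $notes" >&2; status=1
            elif [ "$recorded" != "$actual" ]; then
                echo "MISMATCH $artifact in $notes" >&2; status=1
            else
                echo "OK       $artifact ($notes)"
            fi
        done
    done
    return "$status"
}

# Demo on constructed stand-in files (not real ceremony artifacts).
demo=$(mktemp -d)
printf 'stand-in image\n'  > "$demo/airgap.iso"
printf 'stand-in script\n' > "$demo/autorun.sh"
(cd "$demo" && sha256sum airgap.iso autorun.sh) > "$demo/alice.notes"
verify_ceremony_artifacts "$demo" "$demo/alice.notes" && echo "all notes agree"
```

The check fails closed: a missing artifact, a notes file without an entry for an artifact, or a single differing hash makes the function return non-zero.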
Steps
1. Bring the Ceremony Machine and Quorum Team into the established Location
2. Ensure that no participants have brought digital devices other than ones necessary for the ceremony. A faraday bag may be used to hold any such devices for the duration of the ceremony.
3. Plug in a new Storage Device
4. Boot your Ceremony Machine using the Secure Boot Sequence
5. As prompted, plug in new Smart Cards
6. Once the ceremony is complete, make as many copies of the Storage Device from Step 3 as desired.
7. Follow the Physical Artifact Storage guide for storage of the Operator Smart Cards and Location Smart Cards
8. Follow the Public Ceremony Artifacts Storage guide for all public artifacts produced during the ceremony