Decrypt Namespace Secret

Requirements

• For ALL tamper proofed hardware used in the ceremony, both operators MUST print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.

  • The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo

• AirgapOS SD card

  • Provided by Air-Gapped Bundle
  • Alternative: Create your own from documentation in AirgapOS Repository

• AirgapOS Laptop

  • Provided by Air-Gapped Bundle
  • Alternative: Computer that can load AirgapOS (compatibility reference)

• Minimum of 1 Operator and 1 Witness

  • Personal PGP key pair for each operator

• Tamper-proofing equipment

• Ceremony SD Card

• High Visibility Storage: plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.

Procedure

1. Enter the designated location with required personnel and equipment

2. Lock access to the location - there should be no inflow or outflow of people during the ceremony

3. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage

   a. Retrieve digital/physical photographs of both sides of sealed bundle

   b. Compare all photographs to object for differences

   c. Proceed with unsealing the object if no differences are detected

4. Place all materials except for the laptop into High Visibility Storage

5. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop

6. Turn on the machine

7. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage

8. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine

9. Copy the Ceremony SD Card contents to machine

   • cp -r /media/vaults /root/

10. Start keyfork using the relevant Shardfile:

    $ keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc
    

    • Follow on screen prompts

11. Derive the OpenPGP root certificate:

    $ keyfork derive openpgp > secret_key.asc
    

12. Decrypt the secret material:

    • sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted

13. Proceed to transfer the secret (decrypted) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.

14. Shut down the air gapped machine

15. Gather all the original items that were in the air-gapped bundle:

    • Air-gapped computer

    • AirgapOS SD card

16. Insert object(s) into plastic sealing bag

17. Fill bag with enough plastic beads that most of the object is surrounded

18. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

19. Take photographs of both sides of the sealed object using both the digital and polaroid camera

20. Date and sign the polaroid photographs and store them in a local lock box

21. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.