From 16b57fb7732e0b14490a8be4be4d72679c651d8e Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 3 Jun 2026 00:50:23 +0200 Subject: [PATCH] Complete OpenBao emergency drill gate --- ...7-it-security-readiness-for-user-onboarding.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 1cd0f4d..6d78409 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -127,7 +127,7 @@ revoked or allowed to expire after the check. ```task id: NET-WP-0017-T02 -status: in_progress +status: done priority: high state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88" ``` 
@@ -277,6 +277,19 @@ and non-secret evidence remain under `/tmp/netkingdom-openbao-restore-drill/`. `make security-bootstrap-validate-t02` now shows the restore evidence gate as done. T02 remains open only for emergency seal/unseal metadata and evidence. +**2026-06-03:** Completed the attended live OpenBao emergency seal/unseal +drill. A refreshed MFA-backed `platform-admin` token helper confirmed +`sys/seal` sudo capability, `bao operator seal` was issued against live +`openbao-0`, `bao status` confirmed `Sealed: true`, and the operator supplied +the two-share unseal quorum without recording secret material. Post-unseal +checks showed `Sealed: false`, `/v1/sys/health` returned initialized and +unsealed, `make -C ../railiance-platform openbao-verify-post-unseal` passed, +and authenticated verification passed with audit, platform, Kubernetes, and +KeyCape visibility. Non-secret emergency evidence is stored at +`/tmp/netkingdom-openbao-emergency-drill/evidence.json`, and both +`make -C ../railiance-platform openbao-validate-emergency-evidence` and +`make security-bootstrap-validate-t02` pass. NET-WP-0017-T02 is complete. + ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ```task
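Review bot: the `-status: in_progress` / `+status: done` flip on `NET-WP-0017-T02` in the first hunk leaves the task block with no pointer to what closed it; the justification lives only in the separate 2026-06-03 log entry further down the file. Consider noting the closing evidence next to the status change, e.g. the path `/tmp/netkingdom-openbao-emergency-drill/evidence.json` or the gate `make security-bootstrap-validate-t02`, so a reader of the task block alone can see why it is `done`.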
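Review bot: the new log entry stores the only artifact backing the `done` status at `/tmp/netkingdom-openbao-emergency-drill/evidence.json`, and `/tmp` is commonly cleared on reboot, so the evidence that `make -C ../railiance-platform openbao-validate-emergency-evidence` checks may not survive the next host restart; record a durable copy (or at least its hash) in the entry before relying on it. The entry also does not state whether the refreshed MFA-backed `platform-admin` token helper used to confirm `sys/seal` sudo capability was "revoked or allowed to expire after the check", which is the condition the surrounding section (visible in the first hunk's header context) sets; a one-line confirmation would close that gap.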