Record OpenBao restore drill evidence

This commit is contained in:
2026-06-02 17:23:20 +02:00
parent eb973621e1
commit c7bbdac03b

View File

@@ -266,6 +266,17 @@ placeholder values, so T02 cannot be closed by copying example evidence files.
Remaining T02 blockers are the real restore evidence file and an attended Remaining T02 blockers are the real restore evidence file and an attended
emergency seal/unseal drill with validated evidence. emergency seal/unseal drill with validated evidence.
**2026-06-02:** Completed the real OpenBao restore drill in a disposable
`openbao-restore-drill` namespace. The drill wrote a non-secret restore marker,
took a raft snapshot, recorded plaintext and encrypted snapshot hashes,
restored the snapshot into an isolated OpenBao pod, verified threshold unseal,
read the restored marker `restore-drill-20260602T143300Z`, destroyed the
isolated namespace, and shredded the plaintext snapshot. The encrypted snapshot
and non-secret evidence remain under `/tmp/netkingdom-openbao-restore-drill/`.
`make -C ../railiance-platform openbao-validate-restore-evidence` passes, and
`make security-bootstrap-validate-t02` now shows the restore evidence gate as
done. T02 remains open only for emergency seal/unseal metadata and evidence.
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
```task ```task