generated from coulomb/repo-seed
Guide OpenBao custody ceremony order
@@ -193,10 +193,13 @@ Before OpenBao initialization:
1. Use the guided bootstrap UX or checklist to decide the current trust stage.
2. Record `tegwick` as setup operator/contact, not as final root custodian.
3. Create or import the dedicated king credential and verify its second factor.
4. Prepare offline recovery bundle locations.
5. Choose whether this is temporary single-custodian king custody or preferred
4. Choose whether this is temporary single-custodian king custody or preferred
independent escrow.
6. Run Railiance `make openbao-status` and `make openbao-verify`.
5. Prepare offline recovery bundle locations for that strategy.
6. Prepare the OpenBao custody packet for that strategy, including share
assignment rows, quorum plan, root-token disposition, and signoff line.
7. Approve the selected custody strategy in the NetKingdom control surface.
8. Run Railiance `make openbao-status` and `make openbao-verify`.
During initialization:
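Review bot: the Railiance checks `make openbao-status` and `make openbao-verify` move from old step 6 to new step 8, after the custody strategy is approved in step 7, so the approval is granted before the operator has confirmed what the target reports; either run the status check before step 7 or state that step 8 must pass, and what it must show, before anyone signs the signoff line prepared in step 6. Also, the packet contents in step 6 ("share assignment rows, quorum plan, root-token disposition, and signoff line") only make sense for independent escrow; since steps 5 and 6 are both keyed to "that strategy", say what the packet holds when step 4 chose temporary single-custodian king custody (for example, that the quorum plan is not applicable).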
@@ -30,7 +30,9 @@ Live initialization is blocked unless:
- king credential kit is complete;
- custody mode is selected;
- offline custody packet is prepared;
- recovery material is prepared for the selected custody mode;
- offline custody packet is prepared for the selected custody mode;
- selected custody mode is explicitly approved;
- OpenBao pod and PVC preflight passes;
- OpenBao reports `Initialized: false` and `Sealed: true`;
- operator has acknowledged no secret output enters unsafe channels;
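Review bot: the new gate "selected custody mode is explicitly approved;" does not say who approves or where the approval is recorded, so it can be satisfied by an operator's own assertion; the checklist in the first hunk records the approval in the NetKingdom control surface, so have this bullet reference that record, and use one term across both files (this file says "custody mode", the checklist says "custody strategy"). With the approval bullet added, "custody mode is selected;" is implied by it; either drop the selection bullet or state that selection (step 4 of the checklist) and approval (step 7) are distinct events that are checked separately.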