Guide OpenBao custody ceremony order

This commit is contained in:
2026-05-25 02:02:14 +02:00
parent 83cf2111c1
commit e45dd4f9eb
5 changed files with 115 additions and 27 deletions

View File

@@ -193,10 +193,13 @@ Before OpenBao initialization:
1. Use the guided bootstrap UX or checklist to decide the current trust stage.
2. Record `tegwick` as setup operator/contact, not as final root custodian.
3. Create or import the dedicated king credential and verify its second factor.
4. Prepare offline recovery bundle locations.
5. Choose whether this is temporary single-custodian king custody or preferred
4. Choose whether this is temporary single-custodian king custody or preferred
independent escrow.
6. Run Railiance `make openbao-status` and `make openbao-verify`.
5. Prepare offline recovery bundle locations for that strategy.
6. Prepare the OpenBao custody packet for that strategy, including share
assignment rows, quorum plan, root-token disposition, and signoff line.
7. Approve the selected custody strategy in the NetKingdom control surface.
8. Run Railiance `make openbao-status` and `make openbao-verify`.
During initialization:
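Review bot: the terminology drifts between the two checklists in this commit: this hunk's new steps 4 and 7 speak of "custody strategy", while the gate list in the other file uses "custody mode" (`- custody mode is selected;`, `- selected custody mode is explicitly approved;`). Pick one term and use it in both places so an operator can map each checklist step to the gate it satisfies. Two smaller points on the new ordering: step 6 adds a "signoff line" to the custody packet but nothing says whether that line must be signed before step 7 ("Approve the selected custody strategy in the NetKingdom control surface") or is left for the ceremony itself; and step 8 now runs `make openbao-verify` after the approval step, so it is worth stating whether that verify command is expected to check that the approval from step 7 was recorded, or is purely a pod/PVC preflight.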

View File

@@ -30,7 +30,9 @@ Live initialization is blocked unless:
- king credential kit is complete;
- custody mode is selected;
- offline custody packet is prepared;
- recovery material is prepared for the selected custody mode;
- offline custody packet is prepared for the selected custody mode;
- selected custody mode is explicitly approved;
- OpenBao pod and PVC preflight passes;
- OpenBao reports `Initialized: false` and `Sealed: true`;
- operator has acknowledged no secret output enters unsafe channels;
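Review bot: the two new bullets replace one gate (`- offline custody packet is prepared;`) with two mode-dependent ones, which is the right direction, but "recovery material is prepared for the selected custody mode" is looser than the checklist it mirrors, which says "Prepare offline recovery bundle locations for that strategy." It is unclear whether this gate requires the recovery bundles themselves to exist or only their offline locations to be chosen; align the wording with the checklist step so both documents state the same precondition. Also, as in the other file, this list says "custody mode" where the checklist says "custody strategy"; use a single term across both.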