generated from coulomb/repo-seed
# Security Bootstrap Console

Local console and localhost web UI for the NetKingdom guided security bootstrap
experience.

The console prints trust stage, gates, checklists, non-secret templates, and can
write an explicit custody-mode approval record. It does not collect secret
values and refuses live OpenBao initialization.

Run:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py status
```

Print the king credential kit checklist:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit
```

Validate non-secret kit metadata:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  validate-king-kit
```

Approve custody mode from the CLI:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  approve-custody-mode \
  --mode temporary-single-king \
  --mfa-enrolled-confirmed \
  --mfa-enrollment-source identity-provider \
  --recovery-confirmed \
  --custody-packet-prepared \
  --no-secret-capture-confirmed
```

The command asks for the phrase `approve custody mode` unless `--yes` is passed.
`two-of-three-planned` can be recorded in metadata but cannot approve live
OpenBao init.

For TOTP, use the QR code or setup key from the identity provider or other
authority that will verify the login. This tool records only the non-secret
enrollment confirmation and source.

Serve the local approval UI:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  web-ui
```

Open `http://127.0.0.1:8765`.

Print a blank offline custody packet template:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet
```

Show safe OpenBao preflight commands:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform
```

Run safe OpenBao preflight targets:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform \
  --run
```

This still does not run `bao operator init`.

Optional non-secret metadata can be supplied: generate a file from the template,
then pass it to any command with `--metadata`:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
  > /tmp/security-bootstrap.json

python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  status
```

Do not put passwords, OTP seeds, OpenBao root tokens, unseal shares, recovery
codes, private keys, or screenshots of secret output into the metadata file.