Reject placeholder OpenBao drill evidence

2026-06-02 02:02:09 +02:00
parent 606a5f3e1e
commit 18c1b86498
4 changed files with 37 additions and 4 deletions

@@ -272,8 +272,8 @@ Before any live application secrets move into OpenBao:
custody. The drill must prove that a fresh OpenBao instance can restore the
snapshot, unseal, and read a test secret.
Record only non-secret evidence using
`docs/openbao-restore-drill-evidence.example.json` as a template, then
validate it with:
`docs/openbao-restore-drill-evidence.example.json` as a template, replace
every placeholder with real drill evidence, then validate it with:
```bash
make openbao-validate-restore-evidence \
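Review bot: The new wording "replace every placeholder with real drill evidence, then validate it with:" does not tell the operator that validation now rejects a file that still contains template values, which is what the commit title says this change does. Suggest stating the failure mode in the sentence itself, for example that `make openbao-validate-restore-evidence` fails if any placeholder from `docs/openbao-restore-drill-evidence.example.json` remains, so an operator who sees the error knows it is the placeholder check and not a problem with the drill. It would also help to say how a placeholder is recognised, since the visible text gives no definition.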
@@ -324,8 +324,8 @@ Audit Core archive exists.
Emergency seal/unseal drills are disruptive and must only run in an attended
window with threshold unseal shares available. Record non-secret drill evidence
using `docs/openbao-emergency-drill-evidence.example.json` as a template, then
validate it with:
using `docs/openbao-emergency-drill-evidence.example.json` as a template,
replace every placeholder with real drill evidence, then validate it with:
```bash
make openbao-validate-emergency-evidence \
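Review bot: In the emergency-drill paragraph, "replace every placeholder with real drill evidence" now follows "Record non-secret drill evidence" in a procedure that runs with threshold unseal shares available, and the text does not say what "real" evidence may contain. Suggest listing next to this sentence what must stay out of the file (unseal shares and any token or key material used in the window) and what is expected in their place, so that filling in the template does not push secrets into a tracked JSON file. The same sentence is now duplicated from the restore-drill section; a short shared note on evidence rules that both sections reference would keep the two from drifting.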