Deploying and maintaining Rugged securely in a production environment requires careful planning and execution of a series of ceremonies that ensure the system is trustworthy.
The Keyholder must perform certain ceremonies in a secure environment. In particular, keyholders need to generate root keypairs such that the signing key is kept secure and offline, and subsequently sign root metadata with this signing key. The integrity of these root private keys establishes the basis of trust for the Rugged TUF repository.
This section explains the preparation and execution of these ceremonies, and serves as a supplement to the Rugged Runbook Template, which details the specific steps to perform each of the ceremonies.
In a typical Rugged deployment, there are two key roles required to perform these ceremonies:

- Coordinator
- Keyholder

The template repository is organized around these roles, so each can see a complete set of instructions and checklists for performing their part in the ceremony.
The Coordinator of ceremonies will need to have prepared a secure environment, and will be involved in all major operations of the Rugged TUF repository:

- Preparing the root metadata (root.json) for the repository.
- Collecting signatures on root.json from Keyholders.

The Keyholder is primarily responsible for securely generating a keypair (and keeping the signing key secure and private), and then producing a signature using that keypair for the root metadata prepared by the coordinator.
In preparation for a new Rugged deployment, a project team should first:

- Fork the rugged-runbook-template git repository, and tailor it to suit their deployment.

For each ceremony, the process will typically proceed as follows:
When preparing to deploy a Rugged TUF repository, you should carefully prepare detailed steps to perform the ceremonies involved. We recommend making a fork of our Rugged Runbook Template, and then tailoring it to suit your needs. The steps detailed in this repository template represent best practice for securely initializing, deploying, and maintaining a Rugged TUF repository.
The Ceremonies described in the runbooks encompass the lifecycle of a Rugged TUF repository:
In each stage of the ceremonies, the coordinator typically initiates the process, then instructs each keyholder to perform the corresponding steps for their role. In some cases the coordinator also takes some final steps after the keyholders have finished in order to complete the stage.
Note: The ceremonies are designed to be performed asynchronously and with the parties involved distributed physically. This does not preclude performing the ceremonies in the same physical space at the same time, of course.
As a best practice, it is highly recommended to perform these security ceremonies on a specially prepared and air-gapped computer, to ensure there is no risk of compromising signing keys in the process. Rugged is designed to allow the root signing keys to remain offline and inaccessible to the system during normal operation, and only used during the initial deployment ceremonies and for rotating root keys for regular maintenance or in the event of a compromise.
While it is simpler to use a regular workstation to perform these ceremonies, you should consider carefully the security implications of doing so. In particular, the root signing keys are literally the “keys to the kingdom” in a TUF deployment. They form the root of trust for the whole system, and if their security is ever in doubt, the entire TUF repository becomes effectively useless, and you would need to re-initialize from scratch.
We recommend using a low-cost Raspberry Pi computer to create an airgapped workstation for each of the root keyholders. This process consists of:

Typically the coordinator will prepare the OS image and distribute it to the root keyholders, who would then prepare their own airgapped computer and verify it.
Over the lifecycle of your TUF repository, you will perform security ceremonies many times. Capturing the artifacts resulting from these ceremonies in one place allows for transparency and auditing of the repository, should its integrity ever be compromised or called into question.
We recommend using your forked Rugged runbooks as a place to hold these artifacts as documentation of each ceremony you perform. The recommended approach is to create a new branch in preparation for any ceremony, and collect the artifacts (pictures, signatures, verification keys, etc.) on that branch, within a dated sub-folder of the ceremony directory.
The keyholders and coordinator will check out this branch and commit the results of their parts of the ceremony within the ceremony sub-folder, which also makes it easy to share these results between the parties involved in the ceremony. When the entire ceremony process is finished, the coordinator will merge the ceremony branch back into the main branch of your git repository, which becomes the historical record of what happened.
As a final preparation step before performing a Rugged ceremony, the root keyholders will verify the ceremony computer that was previously prepared, to validate that it contains only trusted binaries for use during the ceremony. This is a straightforward matter of computing cryptographic hashes for each of the key software binaries involved in the ceremony, and validating these against known-good values for those binaries. This measure ensures that the software being used to generate keys or cryptographic signatures is not compromised and that its results can be trusted.
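The verification step above, as an added shell example that is not part of Rugged or its runbook template: it checks each binary on the ceremony computer against a manifest of known-good SHA-256 hashes. The manifest layout ("<sha256>  <path>" per line, as sha256sum emits) and the binary names are assumptions for this illustration; the result output can be saved into the dated ceremony sub-folder as an artifact.

```shell
#!/bin/sh
# Added example (not Rugged's own tooling): verify the binaries on a prepared
# ceremony computer against a manifest of known-good SHA-256 hashes. Manifest
# layout is assumed: "<sha256>  <path>" per line, as `sha256sum` emits, so the
# coordinator can produce it on the trusted build host with `sha256sum ... > known-good.sha256`.
set -u

# Print the SHA-256 of one file (falls back to shasum where sha256sum is absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_binaries MANIFEST: print one line per entry; return 0 only if every
# listed file exists and hashes to its known-good value. A single MISSING or
# MISMATCH line means the computer must not be used for the ceremony.
verify_binaries() {
    manifest="$1"
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; status=1
        fi
    done < "$manifest"
    return "$status"
}

# Constructed demo: two stand-in "binaries", one altered after the manifest was taken.
demo_dir=$(mktemp -d)
printf 'trusted signer\n' > "$demo_dir/signer"
printf 'trusted hasher\n' > "$demo_dir/hasher"
printf '%s  %s\n' "$(hash_file "$demo_dir/signer")" "$demo_dir/signer" > "$demo_dir/known-good.sha256"
printf '%s  %s\n' "$(hash_file "$demo_dir/hasher")" "$demo_dir/hasher" >> "$demo_dir/known-good.sha256"
printf 'tampered\n' > "$demo_dir/hasher"
if verify_binaries "$demo_dir/known-good.sha256"; then
    echo "ceremony computer verified"
else
    echo "verification FAILED: do not proceed with the ceremony"
fi
```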