Security ceremonies > Initial Deployment Ceremony

Initial Deployment Ceremony

Establishing a TUF repository is conceptually simple, but requires careful planning and coordination to ensure the security of the resulting system.

Before you begin this process, ensure you have reviewed and executed the Ceremony preparation steps to ensure the resulting TUF repository is trustworthy.

Overview

Once you have prepared a secure environment and created a place to hold ceremony artifacts, the process of initializing and deploying your TUF repository breaks down into 3 steps:

Generate root keys
Prepare root metadata
Initialize TUF repository

Generate root keys

Having prepared a secure environment in which to operate, the keyholders will:

Prepare to generate a root keypair, provisioning the HSM, pre-generating an authentication password, and testing the communication computer that will document and share the results of the ceremony.
Generate a keypair (a verification key and a signing key, sometimes known as a public key and private key).

We recommend using a Hardware Security Module (HSM) to generate and store the root keys securely. If this approach is not feasible for your deployment, you can also generate keys directly on your ceremony computer using OpenSSL. In this case, you need to take extra care to keep the ceremony computer itself intact and secure from compromise.

This process involves:

Gathering and inspecting tamper-evident bags and other materials to physically secure the ceremony computer and/or HSM once the ceremony is complete.
Pre-generating an authentication password to secure the generate key itself.
(on camera) Generate a root keypair, including provisioning a new HSM if you’re using one.
Saving the verification key from the new root keypair, as well as the other artifacts generated, onto a USB stick to share with the ceremony coordinator.

We recommend livestreaming or video-recording the key generation and signing ceremonies as a further security measure to enhance trust in the process and its results. The runbooks indicate when to begin streaming to capture these steps.

Prepare root metadata

Once the coordinator has collected root verification keys from all keyholders, they can proceed to prepare the root metadata for the new TUF repository.

This process involves:

Initializing partial root metadata generating the online keys for the snapshot, targets, and timestamp roles to create “signable” root metadata JSON which the coordinator will distribute to the keyholders for signing.
Signing root metadata, where the keyholders use their signing key to create a cryptographic signature for the “signable” root metadata JSON, which they will then share back to the ceremony coordinator.
Completing root metadata, where the coordinator collects and incorporates each keyholder’s signature to create a complete (signed) root metadata JSON file (1.root.json).

Initialize TUF repository

With the signed root metadata JSON file in hand, the ceremony coordinator can initialize the TUF repo.

This process is a simple matter of deploying 1.root.json into the TUF repository, and running the rugged initialize command to trigger Rugged to use the root metadata to create and sign the other roles’ metadata files to form a complete and valid TUF repository.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.