Generate Root Keypairs

@TODO: Fill in “generate root keypairs” usage howto

  • generate root keys (keyholder prep and generation)
    • using openssl as quick and easy
    • using an HSM

This HOWTO describes the process of generating root keypairs for a Rugged repository. There are two main methods for generating keypairs:

  1. Using a Hardware Security Module (HSM), which is the most secure option, since the signing key material never leaves the hardware.
  2. Using openssl, which is quick and readily available, and can be used provided extra care is taken to protect the private key material from compromise.

Using a Hardware Security Module (HSM)

Using OpenSSL

Generate keys

Now we need to generate keypairs for each of the roles. The root keys are by far the most important, as they form the root of trust for the whole system.

Under standard Rugged operation, the root keys would be generated offline and kept secure to ensure the trustworthiness of the TUF repository. Typically this is done with OpenSSL or a Hardware Security Module (HSM) (@TODO: LINK).

In this case, we’ll generate our root keys in a tmp directory under the tuf_repo in the DDEV container:

export RUGGED_TMP=/var/rugged/tuf_repo/tmp; ddev exec sudo mkdir -p $RUGGED_TMP

Using typical OpenSSL commands, we generate a keypair for each of the root, root1, and myroot2 root keys we’ve configured:

for x in root root1 myroot2; do
  echo "Generating $x keypair.."
  ddev exec sudo /usr/local/ssl/bin/openssl genpkey -algorithm ED25519 -out $RUGGED_TMP/${x}_private.pem
  ddev exec sudo /usr/local/ssl/bin/openssl pkey -in $RUGGED_TMP/${x}_private.pem -pubout -out $RUGGED_TMP/${x}_public.pem
  echo "done."
done
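As an added example (not part of the Rugged tooling or this HOWTO's own commands), the following POSIX shell function wraps the two OpenSSL calls above for a single key name, creates the private key with owner-only permissions, and checks that the stored public key really derives from the private key before it is registered as a verification key. It assumes `openssl` (1.1.1 or newer, for ED25519) is on PATH; the function name `gen_root_keypair` and its two arguments (key name, output directory) are this example's own.

```shell
#!/bin/sh
# Generate one Ed25519 root keypair with OpenSSL and verify it.
# Usage: gen_root_keypair <name> <dir>   e.g. gen_root_keypair myroot2 /var/rugged/tuf_repo/tmp
# Prints the public key path on success, returns non-zero on any failure.
# (Example code; assumes `openssl` with ED25519 support is on PATH.)
gen_root_keypair() {
  name="$1"; dir="$2"
  priv="$dir/${name}_private.pem"
  pub="$dir/${name}_public.pem"
  mkdir -p "$dir" || return 1
  # umask 077 in a subshell: the private key is created mode 0600 instead of
  # inheriting a world-readable default, without changing the caller's umask.
  (umask 077 && openssl genpkey -algorithm ED25519 -out "$priv") || return 1
  openssl pkey -in "$priv" -pubout -out "$pub" || return 1
  # Re-derive the public key from the private key and compare it with the
  # stored file; a mismatch means the wrong key would be added as a root
  # verification key and later root metadata signatures would not validate.
  derived=$(openssl pkey -in "$priv" -pubout) || return 1
  [ "$derived" = "$(cat "$pub")" ] || return 1
  # Refuse to report success if the private key is readable by anyone else
  # (GNU stat first, BSD/macOS stat as fallback).
  case $(stat -c %a "$priv" 2>/dev/null || stat -f %Lp "$priv") in
    600|400) ;;
    *) echo "private key $priv has unsafe permissions" >&2; return 1 ;;
  esac
  echo "$pub"
}
```

Looping `for x in root root1 myroot2; do gen_root_keypair "$x" "$RUGGED_TMP"; done` reproduces the HOWTO's three keypairs with the extra checks applied to each.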

We also need keypairs for the other roles. These are the online keys, typically generated by Rugged as part of initializing a TUF repository. Let’s generate keys for each of the Snapshot, Targets, and Timestamp roles in turn:

ddev rugged generate-keys --local --role=snapshot
ddev rugged generate-keys --local --role=targets
ddev rugged generate-keys --local --role=timestamp

Now add the verification key for each of the root keypairs we generated. All three are keys for the root role, so the role argument is root each time and only the public key file changes:

ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/root_public.pem --key-type=pem
ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/root1_public.pem --key-type=pem
ddev rugged add-verification-key root /var/rugged/tuf_repo/tmp/myroot2_public.pem --key-type=pem

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.