stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

fix tests. new product advisories enhancements

Browse Source
This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
docs/operations/key-rotation-runbook.md
View File

@@ -421,9 +421,111 @@ groups:
---
## TUF-Based Key Rotation
> Sprint: SPRINT_20260125_003 - WORKFLOW-007
For organizations using TUF-based trust distribution, additional key rotation
procedures apply to Rekor public keys and TUF metadata signing keys.
### Rekor Public Key Rotation
Rekor public keys verify transparency log signatures. Rotation uses a dual-key
grace period to ensure all clients sync the new key before removing the old one.
**Recommended rotation interval:** Annually
**Grace period:** 7-14 days
#### Phase 1: Add New Key
```bash
# Add new Rekor key to TUF repository
./devops/scripts/rotate-rekor-key.sh add-key \
--repo /path/to/tuf \
--new-key rekor-key-v2.pub
# Sign and publish TUF metadata
cd /path/to/tuf
./scripts/sign-metadata.sh
./scripts/publish.sh
```
#### Phase 2: Grace Period
During the grace period (7-14 days):
- Monitor client sync logs
- Verify both keys work for verification
- Confirm all clients have updated
```bash
# Check client trust status
stella trust status --show-keys
# Should show both rekor-key-v1 and rekor-key-v2
```
#### Phase 3: Remove Old Key
```bash
# Remove old key after grace period
./devops/scripts/rotate-rekor-key.sh remove-old \
--repo /path/to/tuf \
--old-key-name rekor-key-v1
# Sign and publish
cd /path/to/tuf
./scripts/sign-metadata.sh
./scripts/publish.sh
```
### TUF Root Key Rotation
TUF root keys are the ultimate trust anchor. Rotation is a high-ceremony
operation requiring M-of-N key holders.
**Recommended rotation interval:** 2-3 years
**Requires:** Key ceremony with multiple signers
See [Disaster Recovery](disaster-recovery.md#scenario-5-root-key-ceremony-required)
for full root key ceremony procedures.
### TUF Metadata Signing Key Rotation
For targets, snapshot, and timestamp keys:
```bash
# Generate new metadata signing key
openssl ecparam -name prime256v1 -genkey -noout \
-out /secure/targets-key-v2.pem
# Update root.json to include new key
tuf update-root --add-targets-key /secure/targets-key-v2.pem
# Sign with both old and new keys during transition
tuf sign targets --key /secure/targets-key-v1.pem
tuf sign targets --key /secure/targets-key-v2.pem
# After grace period, remove old key from root.json
tuf update-root --remove-targets-key /secure/targets-key-v1.pem
```
### Automated Scripts
Use the provided automation scripts:
| Script | Purpose |
|--------|---------|
| `devops/scripts/rotate-rekor-key.sh` | Rekor public key rotation |
| `devops/scripts/rotate-signing-key.sh` | Organization signing key rotation |
| `devops/trust-repo-template/scripts/revoke-target.sh` | Remove target from TUF |
---
## Related Documentation
- [Proof Chain API](../api/proofs.md)
- [Attestor Architecture](../modules/attestor/architecture.md)
- [Signer Architecture](../modules/signer/architecture.md)
- [TUF Integration Guide](../modules/attestor/tuf-integration.md)
- [Bootstrap Guide](bootstrap-guide.md)
- [Disaster Recovery](disaster-recovery.md)
- [NIST SP 800-57](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) - Key Management Guidelines