Glossary

Certificate : Digital identifier for a machine or a service, binding a public key to an identity and signed by a CA. The certificate itself is public, but it can only be used to prove that identity by whoever holds the associated private key.

PKI : Public-key infrastructure

CA : Certificate Authority

CSR/Certificate Signing Request : Proposed certificate content (identity and public key, signed with the matching private key) submitted to a CA for signature.

Secret Sharing : an algorithm to split a secret into several shares, distributed to multiple people, such that a chosen number of shares (the threshold) is enough to rebuild the secret while fewer shares reveal nothing about it.

SSS : Shamir's Secret Sharing, the threshold secret-sharing scheme used by Hashicorp Vault for its unseal keys

GPG/GnuPG : GNU Privacy Guard. This tool can sign and encrypt messages and files, thus ensuring their authenticity, integrity and/or confidentiality.

Digital signature/Cryptographic signature : Verifiable signature of a digital document, ensuring the authenticity and integrity of the document.

GPG keyring : database containing all the public keys known to GPG, possibly together with the associated private keys, and the level of trust assigned to each key.

Checksum : In this documentation, we use the sha256 cryptographic hash function as a secure checksum. A cryptographic hash is necessary to detect tampering: an attacker cannot feasibly craft a modified input with the same sha256 value, whereas a plain error-detecting checksum (such as a CRC) offers no such guarantee. The reference checksum must itself come from a trusted source (e.g. a signed ceremony report), otherwise it proves nothing.

Hardware Token/Security token : a physical device that securely stores secrets (like private keys) and performs cryptographic operations with them without ever releasing the key. This makes it possible to use a secret on any computer, including one that is not fully trusted, without exposing the key itself.

Yubikey : Affordable hardware token that plugs into a USB port and is compatible with GPG (it exposes an OpenPGP smart card).

Vault/Hashicorp Vault : Service with an HTTP API to manage secrets and run cryptographic operations (for example automating a CA through its PKI secrets engine).

Vault Private Data : Hashicorp Vault's storage data at rest (its encrypted database). This data holds the whole state of the Vault and must be backed up to ensure that neither the Vault nor the PKI it manages is lost.

Unseal share : A share of the secret that allows unsealing a Hashicorp Vault. A threshold number of shares is necessary to unseal a vault; reaching that threshold is called reaching a quorum.

Unseal a Hashicorp Vault : A sealed vault cannot be used because it does not hold the key needed to decrypt its private data. That key is rebuilt from a quorum of unseal shares, after which the vault is unsealed.

Seal a Hashicorp Vault : An unsealed vault can be sealed by anyone having the corresponding right in Vault.

Token : An access token generated after a proof of identity (via login or certificate).

Root token : A token with all rights on Hashicorp Vault.

Ephemeral Vault : A Hashicorp Vault started for one-time use on a machine. Private data may be provided when the vault is started and is saved when the vault is stopped. This is used to handle the offline part of the PKI, so the machine running the ephemeral vault must itself be offline.

Ceremony : An event during which operations are performed on the offline part of the PKI. This event is formalized, planned and produces an auditable report.

Ceremony report : Auditable document, cryptographically signed, describing the context, the people involved and the actions that occurred during a ceremony.

Trusted commit : The SHA (commit hash) of a git commit which has been audited and can therefore be trusted.

ISO/ISO9660 : File system format for optical discs (extended for bootable USB sticks). For an ephemeral vault, that image contains the whole operating system and the scripts. It is thus immutable and self-contained.

Bootable live media : Mass storage onto which an ISO9660 image has been written.

Vault writable partition : secondary partition on the ephemeral vault bootable live media. Unlike the ISO partition, this partition is in read/write mode. It contains everything that changes during a ceremony (e.g. the vault private data, logs, certificates…)