# Root Key Ceremony Runbook

**Date:** Friday, December 5, 2025, 10:00–13:00 PT  
**Location:** Secure facility (air‑gapped room), dual‑control entry  
**Status:** Scheduled

---

## Roles & Responsibilities

### Ceremony Officer
* Leads the ceremony
* Ensures all steps are followed
* Documents all actions
* Coordinates with witnesses

### Key Custodians (3)
* Multi-party control (2-of-3)
* Participate in HSM initialization
* Witness key generation
* Verify backup procedures

### Auditor
* Independent verification
* Reviews all procedures
* Validates artifacts
* Signs off on completion

### Witnesses (2)
* External observers
* Verify procedures
* Sign witness statements
* Maintain independence

### Video Scribe
* Records the ceremony
* Documents all actions
* Creates tamper-evident archive
* Provides notarization support

---

## Pre-Ceremony Checklist

### Week Before
- [ ] Confirm all participants
- [ ] Verify secure facility access
- [ ] Test HSM equipment
- [ ] Prepare tamper-evident bags
- [ ] Schedule notary
- [ ] Prepare ceremony scripts

### Day Before
- [ ] Room sweep & security check
- [ ] Device inventory
- [ ] Hash baseline of all equipment
- [ ] Verify air-gap status
- [ ] Test recording equipment
- [ ] Prepare backup media

### Day Of (Pre-Ceremony)
- [ ] Final room sweep
- [ ] Verify all participants present
- [ ] Check recording equipment
- [ ] Verify HSM status
- [ ] Confirm air-gap maintained
- [ ] Begin video recording

---

## Ceremony Steps

### 1. Room Sweep & Hash Baseline

**Duration:** 15 minutes

**Actions:**
1. Verify room is secure and air-gapped
2. Inventory all devices and equipment
3. Create hash baseline of all equipment
4. Document all serial numbers
5. Verify no unauthorized devices

**Artifacts:**
* Device inventory list
* Hash baseline document
* Room security checklist

### 2. HSM Initialization (M of N)

**Duration:** 30 minutes

**Actions:**
1. Initialize Thales Luna HSM
2. Configure multi-party control (2-of-3)
3. Verify key custodian access
4. Test HSM functionality
5. Document HSM configuration

**Artifacts:**
* HSM configuration document
* Key custodian access logs
* HSM test results

### 3. Generate Root Key

**Duration:** 45 minutes

**Actions:**
1. Generate root key pair in HSM
2. Verify key generation
3. Extract public key
4. Create Certificate Signing Request (CSR)
5. Document key parameters

**Artifacts:**
* Root key generation log
* Public key certificate
* CSR document
* Key parameters document

### 4. Seal Backups

**Duration:** 30 minutes

**Actions:**
1. Create encrypted backups
2. Seal backups in tamper-evident bags
3. Label all backups
4. Verify backup integrity
5. Store backups in secure location

**Artifacts:**
* Backup inventory
* Tamper-evident bag log
* Backup integrity checks
* Storage location record

### 5. Sign Issuing CA

**Duration:** 30 minutes

**Actions:**
1. Generate Issuing CA certificate
2. Sign with root key
3. Verify certificate signature
4. Publish certificate
5. Document certificate details

**Artifacts:**
* Issuing CA certificate
* Certificate signature verification
* Certificate publication record
* Certificate details document

### 6. Publish Fingerprints

**Duration:** 20 minutes

**Actions:**
1. Calculate certificate fingerprints
2. Publish fingerprints publicly
3. Create DID documents (offline)
4. Prepare for online publication
5. Document publication process

**Artifacts:**
* Fingerprint document
* DID documents
* Publication record
* Online bridge preparation

### 7. Record & Notarize Minutes

**Duration:** 30 minutes

**Actions:**
1. Compile ceremony minutes
2. Have all participants sign
3. Notarize minutes
4. Create tamper-evident archive
5. Store original minutes

**Artifacts:**
* Ceremony minutes
* Participant signatures
* Notarized document
* Tamper-evident archive
* Storage record

---

## Artifacts Checklist

### Required Artifacts
- [ ] Root CSR
- [ ] CP/CPS v1.0
- [ ] Offline DID documents
- [ ] Hash manifest
- [ ] Sealed tamper-evident bags
- [ ] Ceremony minutes
- [ ] Participant signatures
- [ ] Notarized document
- [ ] Video recording
- [ ] Backup media

### Verification
- [ ] All artifacts present
- [ ] All signatures collected
- [ ] Video recording complete
- [ ] Backups verified
- [ ] Certificates published
- [ ] DID documents prepared

---

## Post-Ceremony Tasks

### Immediate (Day Of)
- [ ] Secure all artifacts
- [ ] Verify backup storage
- [ ] Publish fingerprints
- [ ] Notarize minutes
- [ ] Archive video recording

### Week After
- [ ] Publish DID documents online
- [ ] Update certificate registry
- [ ] Distribute artifacts to custodians
- [ ] Create ceremony report
- [ ] Schedule audit review

### Month After
- [ ] External audit review
- [ ] Update CP/CPS if needed
- [ ] Publish ceremony report
- [ ] Schedule next ceremony review
- [ ] Update procedures based on lessons learned

---

## Security Measures

### Physical Security
* Air-gapped room
* Dual-control entry
* No unauthorized devices
* Continuous video recording
* Witnessed procedures

### Cryptographic Security
* HSM-protected keys
* Multi-party control
* Encrypted backups
* Tamper-evident seals
* Hash verification

### Procedural Security
* Scripted procedures
* Independent verification
* Witnessed actions
* Documented steps
* Notarized records

---

## Incident Response

### Key Compromise
1. Immediately halt ceremony
2. Document incident
3. Notify all participants
4. Secure all artifacts
5. Begin investigation
6. Reschedule ceremony

### Equipment Failure
1. Document failure
2. Verify no key exposure
3. Replace equipment
4. Resume from last verified step
5. Update procedures

### Procedural Error
1. Document error
2. Assess impact
3. Correct if possible
4. Restart affected step
5. Update procedures

---

## Contacts

### Ceremony Officer
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]

### Key Custodians
* Custodian 1: [TBD]
* Custodian 2: [TBD]
* Custodian 3: [TBD]

### Auditor
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]

### Witnesses
* Witness 1: [TBD]
* Witness 2: [TBD]

### Video Scribe
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]

---

## Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | Ceremony Officer | Initial runbook |

---

## Approval

**Ceremony Officer:** _________________ Date: _________

**CISO:** _________________ Date: _________

**Founding Council:** _________________ Date: _________