# Ceremony Live USB — Preparation Guide

> **Scope.** How to prepare the two USB sticks used in the offline root
> ceremony (Phase 2 of CA commissioning). Keep the boot USB ephemeral,
> put all software on a second USB, verify hashes at both ends.
>
> Related:
> - `COMMISSIONING-TODO.md` — overall Phase 2 checklist
> - `playbook.md` — the executable ceremony itself
> - `../background/ca-architecture.md` — design context for the CA
>   the ceremony is producing
> - `prepare-ceremony-usb.sh` — scripted supplies-USB build

## Why two USBs instead of one persistent stick

A persistent Live USB keeps state across boots. That is exactly the property we do not want: any pre-ceremony online session could have tampered with installed tooling. The split is:

- **USB #1 (boot)** — vanilla Ubuntu LTS Live, no persistence. Fresh RAM-only environment every boot.
- **USB #2 (supplies)** — `.deb` packages and the Smallstep binaries, each individually hashed. Verified against a manifest at ceremony time.

If USB #2 is tampered with between preparation and the ceremony, the manifest check catches it. If USB #1 is tampered with, the Ubuntu SHA256 + GPG verification catches it. Both checks happen independently.

## Threat model this setup addresses

- **PIN capture** via keylogger or tampered `opensc`/`step` binary running on the ceremony device. Neutralised by using an ephemeral Live USB boot and air-gapped operation.
- **"Sign extra things while unlocked" attacks** from a compromised signing tool. Neutralised by using binaries whose hashes match a pre-verified manifest.
- **Exfiltration** of the ceremony transcript, CSR, or PINs over the network during the ceremony. Neutralised by air-gap.
- **Persistent compromise surviving to later sessions.** Neutralised by the Live USB being RAM-only and the ceremony SSD never being mounted.

See `../background/certificate-authority-threat-model.md` for the broader CA threat model this slots into.
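The manifest mechanism the split relies on (hashed on the prep machine, checked before anything is installed at ceremony time), worked through as an added shell example. This is not `prepare-ceremony-usb.sh` or any other code from this repository, and the tree it builds is a constructed stand-in for real packages and docs. It goes one step beyond a bare `sha256sum -c`: it also refuses a tree that contains files the manifest does not list, which `sha256sum -c` on its own never notices because it only looks at the files named in the manifest.

```shell
# Added example, not prepare-ceremony-usb.sh: build and verify a MANIFEST.sha256
# over a supplies tree. The subtrees hashed match this guide's layout.
MANIFEST_DIRS="debs step docs"   # deliberately word-split below

# build_manifest DIR: write DIR/MANIFEST.sha256 with sorted, relative paths.
# Relative paths mean the manifest verifies wherever the stick is mounted.
build_manifest() {
    dir="$1"
    ( cd "$dir" && find $MANIFEST_DIRS -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$dir/MANIFEST.sha256"
}

# verify_manifest DIR: return 0 only if every manifest entry hashes OK AND the
# files on disk under the hashed subtrees are exactly the files listed.
verify_manifest() {
    dir="$1"
    manifest="$dir/MANIFEST.sha256"
    [ -f "$manifest" ] || { echo "missing $manifest" >&2; return 1; }

    # 1. Every listed file exists and matches. --strict also fails on
    #    malformed manifest lines; --quiet drops the per-file OK chatter.
    ( cd "$dir" && sha256sum -c --strict --quiet MANIFEST.sha256 ) || return 1

    # 2. Nothing unlisted: an extra .deb dropped next to the real ones would
    #    pass check 1, so compare the listed path set with what is on disk.
    listed=$(awk '{ print $2 }' "$manifest" | LC_ALL=C sort)
    present=$(cd "$dir" && find $MANIFEST_DIRS -type f | LC_ALL=C sort)
    if [ "$listed" != "$present" ]; then
        echo "file set on disk differs from manifest (extra or missing files)" >&2
        return 1
    fi
    return 0
}

# make_demo_tree DIR: constructed stand-in for a supplies tree (placeholder
# text files, not real packages or docs).
make_demo_tree() {
    dir="$1"
    mkdir -p "$dir/debs" "$dir/step" "$dir/docs"
    printf 'constructed stand-in for an opensc package\n'   > "$dir/debs/opensc_0.0_amd64.deb"
    printf 'constructed stand-in for a step-cli package\n'  > "$dir/step/step-cli_0.0_amd64.deb"
    printf '# constructed stand-in for the ceremony docs\n' > "$dir/docs/playbook.md"
}

# Walk through the three cases the ceremony-time check must get right.
demo() {
    t=$(mktemp -d)
    make_demo_tree "$t"
    build_manifest "$t"
    verify_manifest "$t" && echo "pristine tree: OK"

    printf 'one appended line\n' >> "$t/debs/opensc_0.0_amd64.deb"
    verify_manifest "$t" || echo "modified package: rejected"

    build_manifest "$t"                     # re-baseline after the edit
    printf 'not in manifest\n' > "$t/debs/extra_0.0_amd64.deb"
    verify_manifest "$t" || echo "unlisted file: rejected"

    rm -rf "$t"
}
demo
```

On the real stick the equivalent of the demo is `verify_manifest /media/ubuntu/SUPPLIES/ceremony` (or `cd` there and pass `.`), run before any `apt install`. Sorting with `LC_ALL=C` on both sides keeps the manifest byte-identical across prep machines with different locales, so two independently built supplies USBs from the same inputs produce the same `MANIFEST.sha256`.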
## USB #1 — Ubuntu LTS Live (boot media)

Prepare on any internet-connected machine.

```
wget https://releases.ubuntu.com/24.04/ubuntu-24.04.1-desktop-amd64.iso
wget https://releases.ubuntu.com/24.04/SHA256SUMS
wget https://releases.ubuntu.com/24.04/SHA256SUMS.gpg

# Ubuntu release signing keys (current as of 2026)
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com \
    --recv-keys 0xD94AA3F0EFE21092 0x843938DF228D22F7

gpg --verify SHA256SUMS.gpg SHA256SUMS
sha256sum -c SHA256SUMS --ignore-missing
```

Both checks must pass: `gpg` must report a `Good signature` from one of the two Ubuntu keys fetched above, and `sha256sum` must print `OK` for the ISO. Then flash:

```
sudo dd if=ubuntu-24.04.1-desktop-amd64.iso of=/dev/sdX bs=4M status=progress conv=fsync && sync
```

Replace `/dev/sdX` with the USB device node. **Do not** enable persistence in any flashing tool — Rufus, balenaEtcher, etc. default to no persistence, which is what we want.

Label the stick physically (`CCAT CA BOOT — 2026-MM-DD`) and set it aside.

## USB #2 — Ceremony supplies

Build with the helper script. Prerequisites on the prep machine: Ubuntu 24.04 LTS (same release as the ISO, so ABI matches), working `apt`, `wget`, `gpg`, `jq`.

```
cd step-ca
./prepare-ceremony-usb.sh ~/ceremony-supplies
```

The script populates `~/ceremony-supplies/` with:

```
ceremony-supplies/
├── README.md                 # "start here" entry point placed on the USB
├── VERSIONS.txt              # pinned versions of Smallstep binaries
├── MANIFEST.sha256           # SHA256 of every file in debs/, step/, docs/
├── debs/                     # opensc, pcscd, and transitive dependencies
│   ├── opensc_*.deb
│   ├── opensc-pkcs11_*.deb
│   ├── pcscd_*.deb
│   ├── libccid_*.deb
│   └── …
├── step/
│   ├── step-cli_*.deb
│   ├── step-kms-plugin_*.deb
│   └── *_checksums.txt       # Smallstep's upstream checksums, re-verified
└── docs/                     # offline ceremony reference docs
    ├── ceremony-live-usb-setup.md
    ├── COMMISSIONING-TODO.md
    ├── ca-architecture.md
    ├── ca-provisioner-set.md
    ├── ca-rotation-and-recovery.md
    └── certificate-authority-threat-model.md
```

`TARGET_DIR` may be a freshly-formatted, mounted USB stick itself (e.g.
when running `prepare-ceremony-usb.sh` inside a Docker container with the USB bind-mounted). In that case the rsync step below is not needed — the files are written to the USB directly.

After the script finishes, copy the tree to a **fresh, labeled** USB:

```
rsync -a --delete ~/ceremony-supplies/ /media/$USER/SUPPLIES/ceremony/
sync
umount /media/$USER/SUPPLIES
```

Label it physically (`CCAT CA SUPPLIES — 2026-MM-DD`). **Do not** plug this USB back into an internet-connected machine after this point. It is ceremony-only media.

## Ceremony-time verification

After booting the Live USB (USB #1) and inserting the supplies USB (USB #2), before installing anything:

```
cd /media/ubuntu/SUPPLIES/ceremony    # the directory rsync wrote above
sha256sum -c MANIFEST.sha256
```

Every line must say `OK`. If anything fails, **stop the ceremony.** Tampering between preparation and ceremony is the exact threat the manifest defends against.

If the manifest passes:

```
sudo apt install -y ./debs/*.deb ./step/*.deb
sudo systemctl start pcscd
```

Sanity-check that the HSM stack sees the dongles:

```
lsusb | grep -i nitrokey
pkcs11-tool --list-slots
step kms --help
```

Two Nitrokey slots should show up (one per dongle, if both are plugged in at this point — note that HSM #1 is only plugged in for the root operations, and HSM #2 is swapped in for the intermediate operations; see ceremony procedure).

From here, proceed to the ceremony procedure itself in [`playbook.md`](playbook.md).

## Pre-ceremony physical discipline

Before booting from USB #1:

- Unplug Ethernet physically.
- Disable Wi-Fi and Bluetooth in BIOS/firmware settings.
- In the Ubuntu boot menu, choose **"Try Ubuntu"**, not "Install".
- Do not mount the host's internal disk. If the Files app shows it as a sidebar entry, do not click it.

Once booted, as a belt-and-suspenders network disable:

```
nmcli radio all off
ip link show | grep 'state UP'   # expect no output: lo reports "state UNKNOWN", every real link should be DOWN
```

## Post-ceremony hygiene

- Power off the laptop normally (not suspend).
- Remove both USBs and label them with the ceremony date.
- USB #2 (supplies) can be kept for the next ceremony **without re-plugging it into a network-connected machine**. The manifest check at the next ceremony re-verifies contents either way.
- The ceremony artifacts USB (separate from USB #1 and #2 — the *export* USB carrying `root_ca.crt`, `intermediate_ca.crt`, SSH CA pubkeys, and `FINGERPRINT.txt`) is a distinct third stick, and is the only USB that moves to an internet-connected machine after the ceremony. It carries only public material.

## Updating pinned versions

`VERSIONS.txt` in the supplies tree records the Smallstep binary versions used. For the next ceremony (rotation, rehearsal, etc.):

1. Pick new versions from the Smallstep releases pages.
2. Edit the defaults in `prepare-ceremony-usb.sh`, or pass via env vars (`STEP_CLI_VERSION=…`, `STEP_KMS_VERSION=…`).
3. Commit the script change with the new version numbers in the commit message, so the ceremony record in git matches what ran.

For reproducibility, the Ubuntu ISO release should also be pinned in ceremony notes (e.g. "Ceremony ran with 24.04.1, SHA256 …").
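A pre-flight check for the export USB described under post-ceremony hygiene, as an added shell example that is not part of the playbook or the helper script: it confirms that the stick carries only the public artefacts this guide lists before it goes anywhere near a networked machine. The file-name allowlist is taken from the list above; the assumption that the SSH CA public keys are `*.pub` files, and all sample file contents, are mine and constructed.

```shell
# Added example, not part of the playbook: refuse to let the export USB leave
# the air gap unless it holds only the expected public artefacts.

# Fixed names from this guide's post-ceremony section. SSH CA public keys are
# assumed (my assumption, not the guide's) to be *.pub files.
EXPORT_ALLOW='root_ca.crt intermediate_ca.crt FINGERPRINT.txt'

# allowed_name PATH: 0 if the basename is allowlisted or is a *.pub key.
allowed_name() {
    name=$(basename "$1")
    case " $EXPORT_ALLOW " in *" $name "*) return 0 ;; esac
    case "$name" in *.pub) return 0 ;; esac
    return 1
}

# check_export_usb DIR: 0 if every file is allowlisted and none contains a PEM
# private-key block. The pattern also matches the ENCRYPTED and OPENSSH
# variants, which must not be on this stick either. Offenders go to stderr.
check_export_usb() {
    dir="$1"
    problems=$(find "$dir" -type f | while IFS= read -r f; do
        if ! allowed_name "$f"; then
            echo "unexpected file: $f"
        elif grep -q 'PRIVATE KEY' "$f"; then
            echo "private key material in: $f"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# make_demo_export DIR: constructed contents of a correct export USB.
# Certificate, key and fingerprint bodies are placeholders, not real material.
make_demo_export() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$dir/root_ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$dir/intermediate_ca.crt"
    printf '%s\n' 'ssh-ed25519 AAAAconstructed ssh-host-ca' > "$dir/ssh_host_ca_key.pub"
    printf '%s\n' 'root_ca.crt SHA256: constructed' > "$dir/FINGERPRINT.txt"
}

demo() {
    t=$(mktemp -d)
    make_demo_export "$t"
    check_export_usb "$t" && echo "export USB: clean"

    # A private key accidentally copied alongside the public material.
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed' '-----END EC PRIVATE KEY-----' > "$t/root_ca_key"
    check_export_usb "$t" || echo "export USB: rejected"
    rm -rf "$t"
}
demo
```

Run it as `check_export_usb /media/ubuntu/EXPORT` (or whatever the export stick mounts as) from the still air-gapped Live session, right after copying the artefacts and before powering off. The name check runs first, so a stray key file is rejected for being unexpected even before its contents are read; the content scan is the second line of defence for an allowlisted name that was overwritten with the wrong data.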