Ceremony Live USB — Preparation Guide

Scope. How to prepare the two USB sticks used in the offline root ceremony (Phase 2 of CA commissioning). Keep the boot USB ephemeral, put all software on a second USB, verify hashes at both ends.

Related:

  • COMMISSIONING-TODO.md — overall Phase 2 checklist

  • playbook.md — the executable ceremony itself

  • ../background/ca-architecture.md — design context for the CA the ceremony is producing

  • prepare-ceremony-usb.sh — scripted supplies-USB build

Why two USBs instead of one persistent stick

A persistent Live USB keeps state across boots. That is exactly the property we do not want: any pre-ceremony online session could have tampered with installed tooling. The split is:

  • USB #1 (boot) — vanilla Ubuntu LTS Live, no persistence. Fresh RAM-only environment every boot.

  • USB #2 (supplies) — .deb packages and the Smallstep binaries, each individually hashed and verified against a manifest at ceremony time.

If USB #2 is tampered with between preparation and the ceremony, the manifest check catches it. If USB #1 is tampered with, the Ubuntu SHA256 + GPG verification catches it. Both checks happen independently.

Threat model this setup addresses

  • PIN capture via keylogger or tampered opensc/step binary running on the ceremony device. Neutralised by using an ephemeral Live USB boot and air-gapped operation.

  • “Sign extra things while unlocked” attacks from a compromised signing tool. Neutralised by using binaries whose hashes match a pre-verified manifest.

  • Exfiltration of the ceremony transcript, CSR, or PINs over the network during the ceremony. Neutralised by air-gap.

  • Persistent compromise surviving to later sessions. Neutralised by the Live USB being RAM-only and the ceremony SSD never being mounted.

See ../background/certificate-authority-threat-model.md for the broader CA threat model this slots into.

USB #1 — Ubuntu LTS Live (boot media)

Prepare on any internet-connected machine.

wget https://releases.ubuntu.com/24.04/ubuntu-24.04.1-desktop-amd64.iso
wget https://releases.ubuntu.com/24.04/SHA256SUMS
wget https://releases.ubuntu.com/24.04/SHA256SUMS.gpg

# Ubuntu release signing keys (current as of 2026)
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com \
    --recv-keys 0xD94AA3F0EFE21092 0x843938DF228D22F7

gpg --verify SHA256SUMS.gpg SHA256SUMS
sha256sum -c SHA256SUMS --ignore-missing

Both checks must pass. Then flash:

sudo dd if=ubuntu-24.04.1-desktop-amd64.iso of=/dev/sdX bs=4M status=progress conv=fsync && sync

Replace /dev/sdX with the USB device node. Do not enable persistence in any flashing tool — Rufus, balenaEtcher, etc. default to no persistence, which is what we want.

Label the stick physically (CCAT CA BOOT 2026-MM-DD) and set it aside.

USB #2 — Ceremony supplies

Build with the helper script. Prerequisites on the prep machine: Ubuntu 24.04 LTS (same release as the ISO, so ABI matches), working apt, wget, gpg, jq.

cd step-ca
./prepare-ceremony-usb.sh ~/ceremony-supplies

The script populates ~/ceremony-supplies/ with:

ceremony-supplies/
├── README.md             # "start here" entry point placed on the USB
├── VERSIONS.txt          # pinned versions of Smallstep binaries
├── MANIFEST.sha256       # SHA256 of every file in debs/, step/, docs/
├── debs/                 # opensc, pcscd, and transitive dependencies
│   ├── opensc_*.deb
│   ├── opensc-pkcs11_*.deb
│   ├── pcscd_*.deb
│   ├── libccid_*.deb
│   └── …
├── step/
│   ├── step-cli_*.deb
│   ├── step-kms-plugin_*.deb
│   └── *_checksums.txt   # Smallstep's upstream checksums, re-verified
└── docs/                 # offline ceremony reference docs
    ├── ceremony-live-usb-setup.md
    ├── COMMISSIONING-TODO.md
    ├── ca-architecture.md
    ├── ca-provisioner-set.md
    ├── ca-rotation-and-recovery.md
    └── certificate-authority-threat-model.md

The target directory (the script's single argument, TARGET_DIR) may be a freshly formatted, mounted USB stick itself (e.g. when running prepare-ceremony-usb.sh inside a Docker container with the USB bind-mounted). In that case the rsync step below is not needed; the files are written to the USB directly.

After the script finishes, copy the tree to a fresh, labeled USB:

rsync -a --delete ~/ceremony-supplies/ /media/$USER/SUPPLIES/ceremony/
sync
umount /media/$USER/SUPPLIES

Label it physically (CCAT CA SUPPLIES 2026-MM-DD).

Do not plug this USB back into an internet-connected machine after this point. It is ceremony-only media.

Ceremony-time verification

After booting the Live USB (USB #1) and inserting the supplies USB (USB #2), before installing anything:

cd /media/ubuntu/SUPPLIES/ceremony   # or /media/ubuntu/SUPPLIES if the script wrote straight to the stick
sha256sum -c MANIFEST.sha256

Every line must say OK. If anything fails, stop the ceremony. Tampering between preparation and ceremony is the exact threat the manifest defends against.
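The manifest check above, and the split-USB design it protects, can be made stricter than a bare `sha256sum -c`. The following shell functions are an added example, not the project's prepare-ceremony-usb.sh (whose exact manifest layout is not shown on this page): `build_manifest` hashes every file under a supplies tree with paths relative to the tree root, and `verify_manifest` goes one step beyond the page's command. `sha256sum -c` only examines files the manifest lists, so a stray .deb dropped into debs/ after preparation would pass the check and still be picked up by `apt install ./debs/*.deb`; `verify_manifest` therefore also refuses any file that is present on the media but absent from the manifest. The demo function uses a constructed tree of stand-in files in a temporary directory; the debs/ and step/ layout mirrors the tree above, and the file contents are made up.

```shell
# Added example, not the project's prepare-ceremony-usb.sh.
# Manifest over a supplies tree: relative paths, sorted, one "hash  path" line per file.

# build_manifest DIR  -> manifest text on stdout (excluding MANIFEST.sha256 itself)
build_manifest() {
    ( cd "$1" || exit 1
      find . -type f ! -name MANIFEST.sha256 | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum -- "$f"; done )
}

# verify_manifest DIR  -> 0 only if DIR/MANIFEST.sha256 describes the tree exactly
verify_manifest() {
    # --quiet: print only failures; --strict: a malformed manifest line is itself a failure.
    # Any mismatch or missing file makes sha256sum exit non-zero.
    ( cd "$1" || exit 1
      sha256sum -c --quiet --strict MANIFEST.sha256 ) || return 1
    # sha256sum -c never looks at files the manifest does not list, so compare the set of
    # files actually present against the set listed and refuse anything extra.
    listed=$(sed 's/^[0-9a-f]*  //' "$1/MANIFEST.sha256" | LC_ALL=C sort)
    present=$(cd "$1" && find . -type f ! -name MANIFEST.sha256 | sed 's|^\./||' | LC_ALL=C sort)
    if [ "$listed" != "$present" ]; then
        echo "manifest: files present on media that are not in MANIFEST.sha256" >&2
        return 1
    fi
    return 0
}

# demo_tamper_detection: constructed supplies tree (fake .deb contents) in a temp dir.
# Exercises clean / tampered / unlisted-file cases; returns 0 only if all behave as expected.
demo_tamper_detection() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/debs" "$w/step"
    printf 'constructed stand-in for an opensc package\n' > "$w/debs/opensc_0.0.0_amd64.deb"
    printf 'constructed stand-in for a step-cli package\n' > "$w/step/step-cli_0.0.0_amd64.deb"
    build_manifest "$w" > "$w/MANIFEST.sha256"

    if verify_manifest "$w"; then echo "clean tree: OK"; else rm -rf "$w"; return 1; fi

    printf 'x' >> "$w/debs/opensc_0.0.0_amd64.deb"        # append one byte to a listed file
    if verify_manifest "$w" 2>/dev/null; then rm -rf "$w"; return 1; fi
    echo "tampered .deb: rejected"

    build_manifest "$w" > "$w/MANIFEST.sha256"            # re-baseline, then add a stray file
    printf 'not in the manifest\n' > "$w/debs/extra_0.0.0_amd64.deb"
    if verify_manifest "$w" 2>/dev/null; then rm -rf "$w"; return 1; fi
    echo "unlisted file: rejected"

    rm -rf "$w"
    return 0
}

# Ceremony-time usage (path assumed from the rsync step above):
#   verify_manifest /media/ubuntu/SUPPLIES/ceremony || { echo "STOP: manifest mismatch" >&2; exit 1; }
```

Because paths are stored relative to the tree root, the same MANIFEST.sha256 verifies whether the stick is mounted at /media/ubuntu/SUPPLIES or anywhere else; the only requirement is to `cd` into the directory that holds the manifest first, which `verify_manifest` does in a subshell.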

If the manifest passes:

sudo apt install -y ./debs/*.deb ./step/*.deb
sudo systemctl start pcscd

Sanity check the HSM stack sees the dongles:

lsusb | grep -i nitrokey
pkcs11-tool --list-slots
step kms --help

Two Nitrokey slots should show up if both dongles are plugged in at this point. Note that in the ceremony procedure HSM #1 is plugged in only for the root operations and HSM #2 is swapped in for the intermediate operations, so during the ceremony itself only one slot is normally present at any given step; see the ceremony procedure.

From here, proceed to the ceremony procedure itself in playbook.md.

Pre-ceremony physical discipline

Before booting from USB #1:

  • Unplug Ethernet physically.

  • Disable Wi-Fi and Bluetooth in BIOS/firmware settings.

  • In the Ubuntu boot menu, choose “Try Ubuntu”, not “Install”.

  • Do not mount the host’s internal disk. If the Files app shows it as a sidebar entry, do not click it.

Once booted, as a belt-and-suspenders network disable:

nmcli radio all off
ip link show | grep 'state UP'   # should print nothing: lo reports "state UNKNOWN", not UP
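The two commands above depend on a human reading the output. As an added example that is not part of the ceremony repo, the shell function below parses `ip -o link show` and names every non-loopback link whose operstate is anything other than DOWN, so a boot-time check can fail loudly instead of relying on someone noticing a line. It deliberately treats UNKNOWN and DORMANT as live: lo itself reports UNKNOWN, and an unplugged Ethernet port reports NO-CARRIER with state DOWN, which is the one state that means no link at all. The sample `ip -o link show` output embedded in the block is constructed, with placeholder interface names and MAC addresses.

```shell
# Added example, not part of the ceremony repo: machine-checkable "only loopback is live" test.

# list_live_links: reads `ip -o link show` output on stdin and prints one interface name
# per line for every non-lo link whose operstate is not DOWN
# (UP, UNKNOWN and DORMANT all count as live; only DOWN means no link).
list_live_links() {
    awk '
        {
            name = $2
            sub(/:$/, "", name)      # "wlp3s0:" -> "wlp3s0"
            sub(/@.*/, "", name)     # "veth0@if3" -> "veth0"
            state = ""
            for (i = 1; i <= NF; i++) if ($i == "state") state = $(i + 1)
            if (name != "lo" && state != "DOWN") print name
        }'
}

# check_airgap: run on the booted Live system. Returns 1 and names the offenders on stderr
# if anything besides loopback is live; returns 0 otherwise.
check_airgap() {
    live=$(ip -o link show | list_live_links) || return 1
    if [ -n "$live" ]; then
        printf 'NOT air-gapped, live links: %s\n' "$(printf '%s' "$live" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "air-gap check: only loopback is live"
}

# Constructed sample of `ip -o link show` output (placeholder names and MACs):
# lo is UNKNOWN, the Ethernet port is unplugged (NO-CARRIER, DOWN), Wi-Fi is still UP.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# sample_live_links: what check_airgap would flag on the constructed sample (the Wi-Fi link)
sample_live_links() {
    printf '%s\n' "$SAMPLE_IP_LINK" | list_live_links
}

# Usage on the Live system, after `nmcli radio all off`:
#   check_airgap || { echo "STOP: disable the listed links before continuing" >&2; exit 1; }
```

On the sample, `sample_live_links` reports only wlp3s0: the Ethernet port is admin-UP (the `<...,UP>` flag) but has no carrier, so its operstate is DOWN and it is correctly ignored, while the still-associated Wi-Fi link is the one that would fail the check.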

Post-ceremony hygiene

  • Power off the laptop normally (not suspend).

  • Remove both USBs and label them with the ceremony date.

  • USB #2 (supplies) can be kept for the next ceremony without re-plugging it into a network-connected machine. The manifest check at the next ceremony re-verifies contents either way.

  • The ceremony artifacts USB is a distinct third stick, separate from USB #1 and #2: the export USB carrying root_ca.crt, intermediate_ca.crt, the SSH CA public keys, and FINGERPRINT.txt. It is the only USB that moves to an internet-connected machine after the ceremony, and it carries only public material.

Updating pinned versions

VERSIONS.txt in the supplies tree records the Smallstep binary versions used. For the next ceremony (rotation, rehearsal, etc.):

  1. Pick new versions from the Smallstep releases pages.

  2. Edit the defaults in prepare-ceremony-usb.sh, or pass via env vars (STEP_CLI_VERSION=…, STEP_KMS_VERSION=…).

  3. Commit the script change with the new version numbers in the commit message, so the ceremony record in git matches what ran.

For reproducibility, the Ubuntu ISO release should also be pinned in ceremony notes (e.g. “Ceremony ran with 24.04.1, SHA256 …”).