Credential Chain

1. Overview

The credential chain defines the order in which credentials must be recovered to restore access to Domus Digitalis infrastructure. Each credential unlocks the next level in the chain.

This is the most critical recovery document. Without understanding this chain, you cannot recover from a complete system loss. Print this page and store it with your offline backups.

2. Credential Chain Diagram

┌─────────────────────────────────────────────────────────────────┐
│                     CREDENTIAL CHAIN                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌──────────────┐                                               │
│  │   YubiKey    │  Physical token (FIDO2 + GPG)                 │
│  │  (Primary)   │  Backup: Secondary YubiKey or fallback key    │
│  └──────┬───────┘                                               │
│         │                                                       │
│         ▼ unlocks                                               │
│  ┌──────────────┐                                               │
│  │   SSH Keys   │  ~/.ssh/id_ed25519_sk_*                       │
│  │              │  Provides: Access to all systems              │
│  └──────┬───────┘                                               │
│         │                                                       │
│         ▼ stored in                                             │
│  ┌──────────────┐                                               │
│  │   age Key    │  ~/.secrets/.metadata/keys/master.age.key     │
│  │  (master)    │  Backup: LUKS USB, M-Disc                     │
│  └──────┬───────┘                                               │
│         │                                                       │
│         ▼ decrypts                                              │
│  ┌──────────────┐                                               │
│  │  dsec Vault  │  ~/.secrets/vaults/d000/                      │
│  │   (d000)     │  Contains: All service credentials            │
│  └──────┬───────┘                                               │
│         │                                                       │
│         ▼ provides                                              │
│  ┌──────────────┐                                               │
│  │   Service    │  ISE, pfSense, Vault, DC, NAS, WLC            │
│  │ Credentials  │  Loaded via: dsource d000 dev/network         │
│  └──────────────┘                                               │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

3. Chain Components

3.1. Level 1: YubiKey (Physical)

Item        Details
----------  -----------------------------------------------------------
Primary     YubiKey 5 NFC (FIDO2 resident keys + GPG)
Secondary   YubiKey 5C (identical configuration)
Fallback    Software key at ~/.ssh/id_ed25519_fallback
Location    Primary: On person, Secondary: Home safe
Recovery    If both lost: Use fallback key, then re-enroll new YubiKeys

3.2. Level 2: SSH Keys

Key                         Purpose
--------------------------  --------------------------------------------
id_ed25519_sk_rk_primary    YubiKey primary - resident key
id_ed25519_sk_rk_secondary  YubiKey secondary - resident key
id_ed25519_fallback         Software fallback (encrypted, age-protected)
Location                    ~/.ssh/ (public keys only on workstation)
Backup                      LUKS USB contains fallback private key

3.3. Level 3: age Master Key

Item              Details
----------------  ---------------------------------------------------------------
File              ~/.secrets/.metadata/keys/master.age.key
Format            age identity file (AGE-SECRET-KEY-…)
Protects          All .age encrypted files in the secrets vault
Backup Locations  LUKS USB #1 (home), LUKS USB #2 (offsite), M-Disc (archival)

If you lose the age master key, ALL encrypted secrets are PERMANENTLY UNRECOVERABLE. This includes all dsec vaults, encrypted backups, and service credentials.

3.4. Level 4: dsec Vault (d000)

Item        Details
----------  ---------------------------------------------------
Location    ~/.secrets/vaults/d000/
Structure   SOPS-encrypted YAML files organized by environment
Decryption  Requires age master key
Contents    All infrastructure credentials

3.4.1. Vault Structure

~/.secrets/vaults/d000/
├── dev/
│   ├── network.enc.yaml      # ISE, pfSense, switch, WLC creds
│   ├── vault.enc.yaml        # HashiCorp Vault token
│   └── keycloak.enc.yaml     # Keycloak admin
├── byod/
│   └── portal.enc.yaml       # BYOD portal secrets
└── prod/
    └── backup.enc.yaml       # NAS, backup credentials

3.5. Level 5: Service Credentials

Once the dsec vault is accessible, load credentials:

# Load network credentials
dsource d000 dev/network

# Now available as environment variables:
# ISE_API_USER, ISE_API_PASS
# PFSENSE_HOST, PFSENSE_API_KEY
# IOS_HOST, IOS_USER, IOS_PASS
# VAULT_ADDR, VAULT_TOKEN
# WLC_HOST, WLC_USER, WLC_PASS

4. Recovery Scenarios

4.1. Scenario 1: New Workstation

You have your YubiKey but a fresh OS install:

# 1. Mount LUKS backup USB
sudo cryptsetup luksOpen /dev/sdX1 backup-usb
sudo mount /dev/mapper/backup-usb /mnt/backup

# 2. Restore age master key
mkdir -p ~/.secrets/.metadata/keys
cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/
chmod 600 ~/.secrets/.metadata/keys/master.age.key

# 3. Clone secrets repo or restore vault
git clone git@github.com:EvanusModestus/domus-secrets.git ~/.secrets/vaults

# 4. Install dsec and source credentials
dsource d000 dev/network

# 5. SSH keys are regenerated from the YubiKey (ssh-keygen -K writes the
#    resident key files into the current directory, so run it in ~/.ssh)
(cd ~/.ssh && ssh-keygen -K)  # Extract resident keys from YubiKey

4.2. Scenario 2: Lost YubiKey (Both)

Both YubiKeys lost or destroyed:

# 1. Mount LUKS USB (requires LUKS passphrase from memory/paper)
sudo cryptsetup luksOpen /dev/sdX1 backup-usb
sudo mount /dev/mapper/backup-usb /mnt/backup

# 2. Restore fallback SSH key
cp /mnt/backup/keys/id_ed25519_fallback ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_fallback

# 3. Use fallback key to access systems
ssh -i ~/.ssh/id_ed25519_fallback user@server

# 4. Restore age key and dsec vault
mkdir -p ~/.secrets/.metadata/keys
cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/
chmod 600 ~/.secrets/.metadata/keys/master.age.key

# 5. Order new YubiKeys and re-enroll
# See: runbooks/yubikey-ssh-validation.adoc

4.3. Scenario 3: Lost age Key

The age master key is missing:

# 1. Check LUKS USB #1 (home safe)
# 2. Check LUKS USB #2 (offsite)
# 3. Check M-Disc archival (fireproof safe)

# If found on any backup:
mkdir -p ~/.secrets/.metadata/keys
cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/
chmod 600 ~/.secrets/.metadata/keys/master.age.key

# Verify
age -d -i ~/.secrets/.metadata/keys/master.age.key test.age

If the age key is on NONE of the backups, all encrypted data is permanently lost. This is why we maintain 3+ copies in different locations.

4.4. Scenario 4: Complete Infrastructure Loss

Everything destroyed (fire, theft, disaster):

  1. Acquire new hardware

  2. Retrieve M-Disc from fireproof safe (or offsite LUKS USB)

  3. Boot from Arch Linux ISO

  4. Mount M-Disc or LUKS USB

  5. Restore age key

  6. Restore SSH fallback key

  7. Clone secrets repo

  8. Begin infrastructure rebuild

5. Backup Verification

5.1. Monthly Check

# Verify LUKS USB #1 is readable
sudo cryptsetup luksOpen /dev/sdX1 backup-usb
sudo mount /dev/mapper/backup-usb /mnt/backup

# Verify age key exists and works
age -d -i /mnt/backup/keys/master.age.key /mnt/backup/test.age

# Verify SSH fallback key exists
ls -la /mnt/backup/keys/id_ed25519_fallback

# Unmount
sudo umount /mnt/backup
sudo cryptsetup luksClose backup-usb
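The following script is an added example, not part of the original runbook. It automates the monthly check above and the verify step of Scenario 3: given the backup mount point (assumed to be /mnt/backup with the keys/ layout and test.age canary described on this page), it fails if any chain artefact is missing, not owner-only, or not an age identity, and decrypts the canary when age is installed.

```shell
#!/bin/sh
# Added example (not the runbook's own tooling). Checks a mounted
# credential-chain backup for the artefacts needed to walk the chain.
# Layout assumed: $dir/keys/master.age.key, $dir/keys/id_ed25519_fallback,
# and the optional canary $dir/test.age, as described on this page.

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 if the backup is complete and sane, 1 otherwise (problems are
# printed one per line so the monthly rotation log can record them).
verify_backup() {
    dir="${1:-/mnt/backup}"
    rc=0

    # Level 3: age master key must exist, be mode 600, and be an age identity.
    key="$dir/keys/master.age.key"
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"; rc=1
    else
        mode=$(file_mode "$key")
        [ "$mode" = "600" ] || { echo "BAD MODE $mode: $key"; rc=1; }
        grep -q '^AGE-SECRET-KEY-1' "$key" \
            || { echo "NOT AN AGE IDENTITY: $key"; rc=1; }
    fi

    # Level 2: software fallback SSH key must exist and be mode 600.
    ssh_key="$dir/keys/id_ed25519_fallback"
    if [ ! -f "$ssh_key" ]; then
        echo "MISSING: $ssh_key"; rc=1
    else
        mode=$(file_mode "$ssh_key")
        [ "$mode" = "600" ] || { echo "BAD MODE $mode: $ssh_key"; rc=1; }
    fi

    # Prove the backed-up key still decrypts: the canary test.age from the
    # monthly check. Skipped when age is not installed or no canary exists.
    if [ -f "$key" ] && [ -f "$dir/test.age" ] && command -v age >/dev/null 2>&1; then
        age -d -i "$key" "$dir/test.age" >/dev/null 2>&1 \
            || { echo "DECRYPT FAILED: $dir/test.age"; rc=1; }
    fi

    return "$rc"
}
```

Run it against the mounted USB between the mount and unmount steps above: `verify_backup /mnt/backup && echo OK`.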

5.2. Quarterly Rotation

  1. Sync LUKS USB #1 → LUKS USB #2

  2. Swap offsite location

  3. Update rotation log

5.3. Annual M-Disc Verification

  1. Read M-Disc in optical drive

  2. Verify all files readable

  3. Burn new M-Disc if any read errors

  4. Store in fireproof safe

6. Quick Reference Card

Print and store with backups:

CREDENTIAL CHAIN RECOVERY
==========================

1. LUKS USB passphrase: [MEMORIZED or in safe]

2. Mount LUKS USB:
   sudo cryptsetup luksOpen /dev/sdX1 backup-usb
   sudo mount /dev/mapper/backup-usb /mnt/backup

3. Restore age key:
   mkdir -p ~/.secrets/.metadata/keys
   cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/
   chmod 600 ~/.secrets/.metadata/keys/master.age.key

4. Restore SSH fallback (if YubiKeys lost):
   mkdir -p -m 700 ~/.ssh
   cp /mnt/backup/keys/id_ed25519_fallback ~/.ssh/
   chmod 600 ~/.ssh/id_ed25519_fallback

5. Clone or restore dsec vault:
   git clone git@github.com:EvanusModestus/domus-secrets.git ~/.secrets/vaults

6. Load credentials:
   dsource d000 dev/network

7. Verify access:
   netapi ise mnt sessions