Encryption Tools

To run the vault helper tool we use a Raspberry Pi computer. We use the Raspberry Pi is to allow use to use USB based, PGP smart cards for some of the PGP keys used in init and rekey operations.

We encrypt the root token with a shared PGP key that everyone on the team knows the password for.

The smart card we have chosen to use is the Nitrokey Storage: Nitrokey

Physical Security is Paramount

Due to using a Raspberry Pi computer and physical PGP smart cards, we now have to secure and audit access to physical items.

We do this with a couple of tools.

Tamper Evident Bags

We store everything inside of hard-plastic, snap-lock containers then we place those containers inside of tamper-evident bags.


Each tamper-evident bag has a bar code and serial number.

After filling out the info on the front of the bag (who prepared it?, what’s inside?, the date/time? etc), we record the serial number and photograph the bag and store this info in a different place than the bag itself.

Each bag comes with a "receipt" as well which contains a printed serial number and some fields for the same information. The receipts are stored in a separate location as well.

Standard Form 702

Tamper-evident bags are not the only measure we take.

We also lock these bags in a safe, and audit the access to the safe.

We do so by using Standard Form 702, which was developed for the military.

Each time the safe or tamper evident bags are opened/closed, or checked the form is updated with the initials of the person[s] opening the safe.

We schedule a check of our safe in a group calendar for monthly audits as well.