source: docs/guide/services/Generation Authority.md
Services

Generation Authority

Role

The generation authority manages the cryptographic material that ties kernel generations to LUKS encryption. It holds generation_secrets -- the values that nodes use (combined with their preboot_secret) to derive LUKS keys for /persist.

The generation authority is the enforcement point for generation revocation: deleting a generation_secret makes it impossible for any node to derive the LUKS key for that generation. This is cryptographic revocation: not a blocklist, but destruction of key material.

What It Does

  • Generation secret management: Creates and stores generation_secrets for each kernel generation. One secret per generation.
  • "Send what you have" protocol: Receives preboot auth requests (H(preboot_secret) + list of cached generation IDs). Selects the best available generation. Returns the generation_secret + generation_id.
  • Generation revocation: Deleting a generation_secret is irreversible. No node can derive the key for that generation ever again, even with a valid preboot_secret. This is how the org sets a security floor.
  • Remote wipe control: By refusing all offered generations and providing only a new one, the gen-auth forces a node to reformat /persist (remote wipe without revocation).
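
An added sketch of the behaviour listed above (not the project's own code): an in-memory model of the "send what you have" exchange, revocation by deletion, and remote wipe. The SHA-256 hash, the HMAC-SHA256 key derivation, the highest-ID selection rule, and the names GenAuth, known_nodes, wipe_nodes and node_boot are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash H, which the page does not name.
    return hashlib.sha256(data).digest()

def derive_luks_key(preboot_secret: bytes, generation_secret: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the real KDF, also not named on the page.
    return hmac.new(generation_secret, b"persist|" + preboot_secret, hashlib.sha256).digest()

class GenAuth:
    def __init__(self):
        self.generation_secrets = {}  # generation_id -> generation_secret, one per generation
        self.known_nodes = set()      # accepted H(preboot_secret) values (assumed lookup)
        self.wipe_nodes = set()       # nodes whose offered generations are all refused

    def create_generation(self, generation_id: int) -> None:
        self.generation_secrets[generation_id] = secrets.token_bytes(32)

    def revoke(self, generation_id: int) -> None:
        # Revocation destroys the key material; nothing remains to derive from.
        self.generation_secrets.pop(generation_id, None)

    def preboot_auth(self, preboot_hash: bytes, cached_ids):
        """Return (generation_id, generation_secret), or None when nothing can be issued."""
        if preboot_hash not in self.known_nodes:
            return None
        usable = [g for g in cached_ids if g in self.generation_secrets]
        fresh = [g for g in self.generation_secrets if g not in cached_ids]
        # Remote wipe, or nothing offered survives: only a generation the node lacks.
        pool = fresh if (preboot_hash in self.wipe_nodes or not usable) else usable
        if not pool:
            return None
        chosen = max(pool)  # Assumption: "best" means the highest generation ID.
        return chosen, self.generation_secrets[chosen]

def node_boot(auth: GenAuth, preboot_secret: bytes, cached_ids):
    """Node side: (generation_id, luks_key, must_reformat), or None if refused."""
    reply = auth.preboot_auth(H(preboot_secret), cached_ids)
    if reply is None:
        return None
    generation_id, generation_secret = reply
    # No cached generation matches, so the existing /persist cannot be unlocked.
    must_reformat = generation_id not in cached_ids
    return generation_id, derive_luks_key(preboot_secret, generation_secret), must_reformat
```

In this model a node holding a valid preboot_secret still gets a different key, or none, once the generation_secret it relied on is deleted.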

What It Does NOT Do

  • Enrollment. The Provisioner handles node identity and enrollment.
  • Image building. The Build Service compiles and assembles images.
  • Image signing. The Provisioner, not the gen-auth, signs image hashes.

The gen-auth's scope is narrow: generation secrets and the decision of which generation a node should boot. Nothing else.

Links