Comments (6)
When keys are rotated, you can rebind to the new keys using the clevis client.
With this command you can check the slots for a particular encrypted device:
clevis luks list -d "device"
To obtain information regarding the keys (whether they were rotated), you can use:
clevis luks report -d "device" -s "slot"
In case keys have been rotated, you can always rebind a slot to the new keys with the following command:
clevis luks regen -d "device" -s "slot"
In your case, if keys must be regenerated due to an issue in the upgrade, you might want to use "clevis luks regen" to bind to the new keys.
More info on key rotation:
https://www.youtube.com/watch?v=d4GmJPvhjcY (from minute 15 onwards)
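As an added example (not code from this thread or from the clevis/tang projects), the three commands above can be driven from a small POSIX sh helper that picks the tang-bound slots out of the `clevis luks list` output and runs `clevis luks regen` on each of them. The listing format (`<slot>: <pin> '<json>'`) is assumed, and the sample listing is constructed for testing.

```shell
#!/bin/sh
# Added example (not from the thread or the clevis project): rebind every
# tang-bound LUKS slot on a device after the Tang server rotated its keys.
# Assumes `clevis luks list` prints one line per slot: <slot>: <pin> '<json>'

# Print the slot numbers whose top-level pin is "tang".
# An sss slot that nests tang sub-pins is deliberately not matched here;
# regen on such a slot rebinds the whole sss policy, so handle it separately.
tang_slots() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        slot=${line%%:*}        # text before the first colon
        rest=${line#*: }        # pin name followed by its config
        pin=${rest%% *}         # first word of the rest
        case $slot in
            ''|*[!0-9]*) continue ;;  # not a numeric slot line
        esac
        if [ "$pin" = "tang" ]; then
            printf '%s\n' "$slot"
        fi
    done
}

# Constructed sample of `clevis luks list -d /dev/sdX` output, for testing.
sample_list() {
    cat <<'EOF'
1: tang '{"url":"http://tang.example.test"}'
2: sss '{"t":1,"pins":{"tang":[{"url":"http://tang.example.test"}]}}'
3: tpm2 '{"hash":"sha256","key":"ecc"}'
EOF
}

# Refresh each tang binding on device $1 with the commands from the thread.
# Run `clevis luks report -d DEV -s SLOT` first if you only want to see
# whether the server keys actually rotated before touching the metadata.
rebind_tang_slots() {
    dev=$1
    listing=$(clevis luks list -d "$dev") || return 1
    for slot in $(tang_slots "$listing"); do
        echo "rebinding slot $slot on $dev"
        clevis luks regen -d "$dev" -s "$slot" || return 1
    done
}
```

Call `rebind_tang_slots /dev/sdX` on the machine holding the volume; the functions only define behaviour and run nothing on their own.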
Hello. As far as I know, there have not been any non-backwards-compatible changes on Tang recently.
Tang normally dumps key information to /var/db/tang.
Due to that, if your upgrade preserves the previous directory, there should be no issue.
If, due to some incompatibility (which I cannot figure out right now), the information regarding keys changes, you might need a key renegotiation for your scenario ...
- How many clients are you using?
- Are all of them clevis clients?
Thank you for sharing that video, it has useful information.
Is there a way to only rotate the client side while leaving the tang server alone? My use case is as follows: I made a cloud image which is pre-configured to unlock from the tang server, with the other key slot removed. I don't want all machines made from the cloud image to use the same decryption key, so I would like to bind another tang key to another slot and remove the one that came configured on the cloud image. But when I try to configure another slot it asks for the decryption key, and I can't figure out how to use the first tang key to auth that.
Thank you for sharing that video, it has useful information. Is there a way to only rotate the client side while leaving the tang server alone?
Key rebinding means updating keys to the current active keys that have been rotated. Key rotation is the mechanism for keys on the tang server to be updated; key rebinding is the mechanism for clevis clients to be updated to use those keys.
My use case is as follows: I made a cloud image which is pre-configured to unlock from the tang server, with the other key slot removed.
Sorry, I don't understand what "the other key slot" means. You have one slot entry per clevis pin configuration. If something is removed, then let's omit it.
I don't want all machines made from the cloud image to use the same decryption key, so I would like to bind another tang key to another slot and remove the one that came configured on the cloud image. But when I try to configure another slot it asks for the decryption key, and I can't figure out how to use the first tang key to auth that.
The password asked for when you configure another slot is the one for decrypting the particular LUKS volume you are trying to configure. Configuration of one slot should not be related to another slot.
Maybe you can try to propose here the complete scenario (with the tang servers involved, devices, etc.) and the commands you are using, so we can have a more detailed description.
I apologize for my useless post. My problem came from a lack of understanding. I wanted to rotate the "clevis key" without rotating the tang keys. Now I have a better understanding of how LUKS works, and I know that what I really wanted was to rotate my LUKS master key with cryptsetup reencrypt. Thank you for responding. I'll leave my previous post in place along with this in case it helps somebody else in the future.