This post explains how to rotate Tang Server Keys and update the Clevis Client. Note, below is an example hence all certificates, keys and device names/uuid’s are fictional.
Change the keys on the tang server
1. Check existing key:
# ls -la /var/db/tang total 8 dr-xrws---. 2 tang tang 84 Jun 26 11:24 . drwxr-xr-x. 4 root root 46 Jun 26 11:23 .. -rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk -rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk
2. tangd-keygen:
# /usr/libexec/tangd-keygen Usage: /usr/libexec/tangd-keygen [jwkdir] [[sig] [exc]
3. Create new keys:
# /usr/libexec/tangd-keygen /var/db/tang # ls -la /var/db/tang total 20 dr-xrws---. 2 tang tang 4096 Jun 26 14:55 . drwxr-xr-x. 4 root root 46 Jun 26 11:23 .. -rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk -rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk <<<<<<<<<<<<< -rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk <<<<<<<<<<<<< -rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk
4. Move the old keys:
# ls -la /var/db/tang total 20 dr-xrws---. 2 tang tang 4096 Jun 26 14:55 . drwxr-xr-x. 4 root root 46 Jun 26 11:23 .. -rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk <<<<<<<<<<<<< -rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk -rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk -rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk <<<<<<<<<<<<<
# cd /var/db/tang # mv 2J0R1adoOltTNPitEHImCfvmiKI.jwk .2J0R1adoOltTNPitEHImCfvmiKI.jwk # mv W86fsibSgr_VbM2fy-yp4DEX2JY.jwk .W86fsibSgr_VbM2fy-yp4DEX2JY.jwk
Clevis Client
Note, CentOS/RHEL 8.2 is required for the following commands.
1. Check if the keys have been changed, and regenerate if new keys are found:
# clevis luks report -d /dev/xvdc -s 1 Key "2J0R1adoOltTNPitEHImCfvmiKI" is not in the advertisement and was probably rotated! {"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AJrpQNcXc20jSHemv8LbuAV2jimQvdtMZiv1ec2P1lwzm980hPh3EtSVwjlBV-ShRbd5i4SusemYUDTOQdc85WMO","y":"ALlFj2imS7oLAb5MF9wK2ZVYNxrrhDEoQ7nINFYTmQbzitGcADCgkqBaJ0ndbAgAbj5wDHhRWBY7tFuMqgF0ZHRQ"} Key "W86fsibSgr_VbM2fy-yp4DEX2JY" is not in the advertisement and was probably rotated! {"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"APo5tX0_-ljbbqjPWIIOwzrSMxGSwVQV_PH1ZNjnriiBMOvuwoVtIAiN7tnU9hWe_-qu2nO49mDnIjqB1BCjZStH","y":"AbkxDUmUW6y6cn2lInoniOMkh84Ex5qAvRQnoy_9HoV5kckDV6GtlRZdQmIzLrMqaQwMcGdkuVU-HkqqQMS--RLi"} Report detected that some keys were rotated. Do you want to regenerate luks metadata with "clevis luks regen -d /dev/xvdc -s 1"? [ynYN] y Regenerating with: PIN: tang CONFIG: {"url":"http://"} The advertisement contains the following signing keys: KlbbdbNpdMrVwrk6hZ1wCCeabOY Do you wish to trust these keys? [ynYN] y Keys were succesfully rotated.
2. Test new keys ( using device /dev/mapper/encrypteddisk, which is xvdc ):
# umount /encrypted/ # cryptsetup luksClose /dev/mapper/encrypteddisk # clevis luks unlock -d /dev/xvdc # df -h Filesystem Size Used Avail Use% Mounted on devtmpfs 1.9G 0 1.9G 0% /dev tmpfs 1.9G 0 1.9G 0% /dev/shm tmpfs 1.9G 8.5M 1.9G 1% /run tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup /dev/mapper/ol_dhcp-root 17G 1.7G 16G 10% / /dev/xvda1 1014M 172M 843M 17% /boot tmpfs 378M 0 378M 0% /run/user/0 /dev/mapper/encrypteddisk 5.0G 68M 5.0G 2% /encrypted