The Geek Diary

how to rotate Tang Server Keys and update the Clevis Client

by

This post explains how to rotate Tang Server Keys and update the Clevis Client. Note, below is an example hence all certificates, keys and device names/uuid’s are fictional.

Change the keys on the tang server

1. Check existing key:

# ls -la /var/db/tang
total 8
dr-xrws---. 2 tang tang 84 Jun 26 11:24 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

2. tangd-keygen:

# /usr/libexec/tangd-keygen
Usage: /usr/libexec/tangd-keygen [jwkdir] [[sig] [exc]

3. Create new keys:

# /usr/libexec/tangd-keygen /var/db/tang
# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

4. Move the old keys:

# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk <<<<<<<<<<<<<
# cd /var/db/tang
# mv 2J0R1adoOltTNPitEHImCfvmiKI.jwk .2J0R1adoOltTNPitEHImCfvmiKI.jwk
# mv W86fsibSgr_VbM2fy-yp4DEX2JY.jwk .W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

Clevis Client

Note, CentOS/RHEL 8.2 is required for the following commands.

1. Check if the keys have been changed, and regenerate if new keys are found:

# clevis luks report -d /dev/xvdc -s 1
Key "2J0R1adoOltTNPitEHImCfvmiKI" is not in the advertisement and was probably rotated!
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AJrpQNcXc20jSHemv8LbuAV2jimQvdtMZiv1ec2P1lwzm980hPh3EtSVwjlBV-ShRbd5i4SusemYUDTOQdc85WMO","y":"ALlFj2imS7oLAb5MF9wK2ZVYNxrrhDEoQ7nINFYTmQbzitGcADCgkqBaJ0ndbAgAbj5wDHhRWBY7tFuMqgF0ZHRQ"}
Key "W86fsibSgr_VbM2fy-yp4DEX2JY" is not in the advertisement and was probably rotated!
{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"APo5tX0_-ljbbqjPWIIOwzrSMxGSwVQV_PH1ZNjnriiBMOvuwoVtIAiN7tnU9hWe_-qu2nO49mDnIjqB1BCjZStH","y":"AbkxDUmUW6y6cn2lInoniOMkh84Ex5qAvRQnoy_9HoV5kckDV6GtlRZdQmIzLrMqaQwMcGdkuVU-HkqqQMS--RLi"}

Report detected that some keys were rotated.
Do you want to regenerate luks metadata with "clevis luks regen -d /dev/xvdc -s 1"? [ynYN] y
Regenerating with:
PIN: tang
CONFIG: {"url":"http://"}
The advertisement contains the following signing keys:
KlbbdbNpdMrVwrk6hZ1wCCeabOY

Do you wish to trust these keys? [ynYN] y
Keys were succesfully rotated.

2. Test new keys ( using device /dev/mapper/encrypteddisk, which is xvdc ):

# umount /encrypted/
# cryptsetup luksClose /dev/mapper/encrypteddisk
# clevis luks unlock -d /dev/xvdc
# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 8.5M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/ol_dhcp-root 17G 1.7G 16G 10% /
/dev/xvda1 1014M 172M 843M 17% /boot
tmpfs 378M 0 378M 0% /run/user/0
/dev/mapper/encrypteddisk 5.0G 68M 5.0G 2% /encrypted

You May Also Like