• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

how to rotate Tang Server Keys and update the Clevis Client

by admin

This post explains how to rotate Tang Server Keys and update the Clevis Client. Note, below is an example hence all certificates, keys and device names/uuid’s are fictional.

Change the keys on the tang server

1. Check existing key:

# ls -la /var/db/tang
total 8
dr-xrws---. 2 tang tang 84 Jun 26 11:24 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

2. tangd-keygen:

# /usr/libexec/tangd-keygen
Usage: /usr/libexec/tangd-keygen [jwkdir] [[sig] [exc]

3. Create new keys:

# /usr/libexec/tangd-keygen /var/db/tang
# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

4. Move the old keys:

# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk <<<<<<<<<<<<<
# cd /var/db/tang
# mv 2J0R1adoOltTNPitEHImCfvmiKI.jwk .2J0R1adoOltTNPitEHImCfvmiKI.jwk
# mv W86fsibSgr_VbM2fy-yp4DEX2JY.jwk .W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

Clevis Client

Note, CentOS/RHEL 8.2 is required for the following commands.

1. Check if the keys have been changed, and regenerate if new keys are found:

# clevis luks report -d /dev/xvdc -s 1
Key "2J0R1adoOltTNPitEHImCfvmiKI" is not in the advertisement and was probably rotated!
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AJrpQNcXc20jSHemv8LbuAV2jimQvdtMZiv1ec2P1lwzm980hPh3EtSVwjlBV-ShRbd5i4SusemYUDTOQdc85WMO","y":"ALlFj2imS7oLAb5MF9wK2ZVYNxrrhDEoQ7nINFYTmQbzitGcADCgkqBaJ0ndbAgAbj5wDHhRWBY7tFuMqgF0ZHRQ"}
Key "W86fsibSgr_VbM2fy-yp4DEX2JY" is not in the advertisement and was probably rotated!
{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"APo5tX0_-ljbbqjPWIIOwzrSMxGSwVQV_PH1ZNjnriiBMOvuwoVtIAiN7tnU9hWe_-qu2nO49mDnIjqB1BCjZStH","y":"AbkxDUmUW6y6cn2lInoniOMkh84Ex5qAvRQnoy_9HoV5kckDV6GtlRZdQmIzLrMqaQwMcGdkuVU-HkqqQMS--RLi"}

Report detected that some keys were rotated.
Do you want to regenerate luks metadata with "clevis luks regen -d /dev/xvdc -s 1"? [ynYN] y
Regenerating with:
PIN: tang
CONFIG: {"url":"http://"}
The advertisement contains the following signing keys:
KlbbdbNpdMrVwrk6hZ1wCCeabOY

Do you wish to trust these keys? [ynYN] y
Keys were succesfully rotated.

2. Test new keys ( using device /dev/mapper/encrypteddisk, which is xvdc ):

# umount /encrypted/
# cryptsetup luksClose /dev/mapper/encrypteddisk
# clevis luks unlock -d /dev/xvdc
# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 8.5M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/ol_dhcp-root 17G 1.7G 16G 10% /
/dev/xvda1 1014M 172M 843M 17% /boot
tmpfs 378M 0 378M 0% /run/user/0
/dev/mapper/encrypteddisk 5.0G 68M 5.0G 2% /encrypted

Filed Under: CentOS/RHEL, CentOS/RHEL 8, Linux

Some more articles you might also be interested in …

  1. How to Remove/Delete All Packages from Channel(s) in SpaceWalk
  2. How to enable core dump for Applications on CentOS/RHEL
  3. How to disable IPv6 on CentOS / RHEL 7
  4. egrep Command Examples in Linux
  5. Detect and Scan New Luns in CentOS/RHEL
  6. How to check change log of RPM packages on CentOS/RHEL
  7. Starting udev: udevd inotify_init failed: too many open files
  8. Linux OS service ‘iscsid’
  9. sar Command Examples in Linux
  10. Linux OS Service ‘sshd’

You May Also Like

Primary Sidebar

Recent Posts

  • qemu-system-x86_64: command not found
  • timedatectl: command not found
  • mpirun.openmpi: command not found
  • startkde: command not found

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright