come ruotare le chiavi del server Tang e aggiornare il client Clevis

Questo post spiega come ruotare le chiavi del server Tang e aggiornare il client Clevis. Nota, di seguito è riportato un esempio, quindi tutti i certificati, le chiavi e i nomi dei dispositivi/uuid sono fittizi.

Cambia le chiavi sul tang server

1. Verifica la chiave esistente:

# ls -la /var/db/tang
total 8
dr-xrws---. 2 tang tang 84 Jun 26 11:24 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

2. tangd-keygen:

# /usr/libexec/tangd-keygen
Usage: /usr/libexec/tangd-keygen [jwkdir] [[sig] [exc]

3. Crea nuove chiavi:

# /usr/libexec/tangd-keygen /var/db/tang
# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

4. Sposta le vecchie chiavi:

# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk <<<<<<<<<<<<<
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk
-rw-r--r--. 1 root tang 349 Jun 26 14:55 M4jCcwNXkEFDxaUw23nxzb0h3mE.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk <<<<<<<<<<<<<

# cd /var/db/tang
# mv 2J0R1adoOltTNPitEHImCfvmiKI.jwk .2J0R1adoOltTNPitEHImCfvmiKI.jwk
# mv W86fsibSgr_VbM2fy-yp4DEX2JY.jwk .W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

Cliente Clevis

Nota, CentOS/RHEL 8.2 è richiesto per i seguenti comandi.

1. Verifica se le chiavi sono state modificate e rigenera se vengono trovate nuove chiavi:

# clevis luks report -d /dev/xvdc -s 1
Key "2J0R1adoOltTNPitEHImCfvmiKI" is not in the advertisement and was probably rotated!
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AJrpQNcXc20jSHemv8LbuAV2jimQvdtMZiv1ec2P1lwzm980hPh3EtSVwjlBV-ShRbd5i4SusemYUDTOQdc85WMO","y":"ALlFj2imS7oLAb5MF9wK2ZVYNxrrhDEoQ7nINFYTmQbzitGcADCgkqBaJ0ndbAgAbj5wDHhRWBY7tFuMqgF0ZHRQ"}
Key "W86fsibSgr_VbM2fy-yp4DEX2JY" is not in the advertisement and was probably rotated!
{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"APo5tX0_-ljbbqjPWIIOwzrSMxGSwVQV_PH1ZNjnriiBMOvuwoVtIAiN7tnU9hWe_-qu2nO49mDnIjqB1BCjZStH","y":"AbkxDUmUW6y6cn2lInoniOMkh84Ex5qAvRQnoy_9HoV5kckDV6GtlRZdQmIzLrMqaQwMcGdkuVU-HkqqQMS--RLi"}

Report detected that some keys were rotated.
Do you want to regenerate luks metadata with "clevis luks regen -d /dev/xvdc -s 1"? [ynYN] y
Regenerating with:
PIN: tang
CONFIG: {"url":"http://"}
The advertisement contains the following signing keys:
KlbbdbNpdMrVwrk6hZ1wCCeabOY

Do you wish to trust these keys? [ynYN] y
Keys were succesfully rotated.

2. Testare nuove chiavi (usando il dispositivo /dev/mapper/encrypteddisk, che è xvdc):

# umount /encrypted/
# cryptsetup luksClose /dev/mapper/encrypteddisk
# clevis luks unlock -d /dev/xvdc
# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 8.5M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/ol_dhcp-root 17G 1.7G 16G 10% /
/dev/xvda1 1014M 172M 843M 17% /boot
tmpfs 378M 0 378M 0% /run/user/0
/dev/mapper/encrypteddisk 5.0G 68M 5.0G 2% /encrypted