Secure deploy of keys

Robert Markula robert at markula.org
Wed Dec 14 12:10:52 CET 2022 

Am 13.12.22 um 14:47 schrieb Diego Zuccato:
> Hello all.
>
> What's the recommended way to deploy (or re-deploy) security-sensitive 
> objects (just to say one: private ssh key to avoid client warnings 
> when redeploying a server)?

You could use RedHat's Latchset framework [1] with Clevis (on the 
client) and Tang (on the server).

It would roughly work as follows:

1. A secret is generated locally on the FAI client:
head -100 /dev/urandom | tr -dc 'a-z0-9' > secret.txt

2. This secret is encrypted locally using the Tang server:
clevis encrypt tang 
'{"url":"http://tang.example.com","thp":"Jfmvz_ZjfbCgeFqAgWpTOIgEeRw4"}' 
< secret.txt > secret_ENCRYPTED.txt

Where 'Jfmvz_ZjfbCgeFqAgWpTOIgEeRw4' is the publically known key of the 
Tang server.

3. You can copy the 'secret_ENCRYPTED.txt' to any SSH server. 
Alternatively you could place this file in FAI's log directory, which 
gets conveniently copied to the FAI server at the end of the FAI 
installation run. The secret would then live on the FAI server in an 
encrpyted form.

4. From then on, the secret can be used by any kind of automated or 
manual process. Let's assume, the admin (you) wants to read the secret. 
You login to the FAI server, head to the FAI log dir and decrypt the 
secret, again using the Tang server:
clevis decrypt < secret_ENCRYPTED.txt > secret.txt

With Clevis and Tang, you could even define the requirement to use e.g. 
two different Tang servers in order to be able to decrypt the file. Or 
you could require to use one Tang server and a password or even the TPM. 
The framework is very flexible here.

But now for the really interesting part: you do not need (!) access to 
the Tang server when encrypting files. So the FAI client and the FAI 
server do not need access to the Tang server. You can encrypt files 
offline by providing the so-called public 'server advertisement' of the 
Tang server during encryption. So all clients can only encrypt, but 
never decrypt data.
Your Salt server - or admin machine -, on the other hand, would have 
access to the Tang server and thus be able to automatically decrypt your 
secrets.

You can even use Clevis and Tang with LUKS in order to encrypt disks 
upon creation and decrypt them automatically during bootup. So during 
normal operation, fully encrypted systems are able to bootup without any 
hands-on requirement as long as the Tang server is reachable. But any 
intruder that steals your machines cannot decrypt the systems because he 
has no access to your internal Tang server. Fallback to password-based 
decryption is, of course, always possible.

[1] https://github.com/latchset/clevis

More information about the linux-fai mailing list