Secure deploy of keys

Diego Zuccato diego.zuccato at unibo.it
Mon Jan 16 14:12:01 CET 2023


Thanks for the answer. Sorry for seeing it late, but it went in the spam 
folder :(
I didn't know clevis/tang, but it's really interesting (maybe a bit 
overkill in my scenario).

Diego

On 15/12/2022 18:53, Robert Markula wrote:
> On 15.12.22 at 18:15, Toomas Tamm via linux-fai wrote:
>> This message was wrapped to be DMARC compliant. The actual message
>> text is therefore in an attachment.
> Hi Toom,
> 
> unfortunately I can't quote you directly, but regarding a rogue attacker 
> mimicking the MAC of an install client: you have to manually enable a 
> FAI installation, otherwise the client cannot be installed:
> 
> fai-chboot -c DEFAULT client.example.com
> 
> Granted, with the right timing one could be faster with a rogue client 
> than with the real client. But on the other hand, any client with access 
> to the FAI NFS server can manually mount the NFSroot and obtain any 
> secrets living on the NFS server via this method.
> 
> So keeping a secret on the NFSroot is not a viable solution. But there 
> are possibilities to work around that. What has been discussed:
> 
> 1. the secret is created on the install client during installation and 
> transferred to another system in a secure way, e.g. via SSH
> 2. the secret is pulled from a third-party solution, which is outside 
> the scope of FAI (e.g. via Salt, Cfengine or any other configuration 
> management software). Authenticated registration of the install client 
> to the configuration management software of your choice is the weakest 
> link here [1]
> 3. using public key encryption (GPG, PKI, SSH) [2]
> 4. using a zero-trust-like approach to secrets like clevis/tang [3]
> 
> I have not looked into solutions like HashiCorp Vault, but maybe that 
> can be cleverly integrated as well?
> 
> Kind regards,
> 
> 
> Robert
> 
> [1] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg07955.html
> [2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
> [3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
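Options 1 and 3 from Robert's list combined, as an added example that is not part of the thread or of FAI itself: the install client generates a key pair and keeps the private half on its local disk, only the public half goes to the server, and the server encrypts the secret to that key, so the blob that lands on the world-readable NFSroot is ciphertext that a rogue client mounting the export cannot use. The directories, file names and secret value are constructed stand-ins, and openssl is assumed to be available on both sides.

```shell
#!/bin/sh
# Added example, not FAI code: a readable NFSroot may carry ciphertext, never plaintext.
set -eu

WORK=$(mktemp -d)
CLIENT="$WORK/client"      # stands in for the install client's local disk
NFSROOT="$WORK/nfsroot"    # stands in for the shared NFS export any client can mount
mkdir -p "$CLIENT" "$NFSROOT"

# Step 1 (on the install client): generate a key pair; the private key never leaves it.
client_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$CLIENT/host.key" 2>/dev/null
    chmod 600 "$CLIENT/host.key"
    # Only the public half is handed to the server (in practice e.g. scp from a FAI hook).
    openssl pkey -in "$CLIENT/host.key" -pubout -out "$NFSROOT/client.pub" 2>/dev/null
}

# Step 2 (on the FAI/config server): seal the secret to the client's public key
# with RSA-OAEP and drop the ciphertext where every client can read it.
server_seal() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$NFSROOT/client.pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$NFSROOT/secret.enc"
}

# Step 3 (back on the install client): unseal with the private key kept locally.
client_open() {
    openssl pkeyutl -decrypt -inkey "$CLIENT/host.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$NFSROOT/secret.enc"
}

# Defender's check: does the blob on the shared export expose the plaintext?
nfsroot_leaks() {
    grep -q -- "$1" "$NFSROOT/secret.enc" && echo yes || echo no
}

SECRET='constructed-example-token-0123'   # constructed value, not a real credential
client_keygen
server_seal "$SECRET"
echo "plaintext visible on NFSroot: $(nfsroot_leaks "$SECRET")"
echo "client recovered: $(client_open)"
```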

