Secure deploy of keys
Diego Zuccato
diego.zuccato at unibo.it
Mon Jan 16 15:28:54 CET 2023
Just did a quick test. Seems feasible to use clevis w/ tpm2 to securely
bind credentials to a machine. The idea is:
- in case of new install there are no machine-specific files
- secrets get generated as usual
- once the machine is up & running, use ssh to run a script to
encrypt the needed secret files using machine's TPM and transfer
encrypted files to FAI
- in case of reinstall, FAI transfers encrypted files to the machine and
runs clevis decrypt to restore 'em
That's just a rough idea. Any evident issues?
Diego
On 16/01/2023 14:12, Diego Zuccato wrote:
> Tks for the answer. Sorry for seeing it late but it went in the spam
> folder :(
> I didn't know clevis/tang, but it's really interesting (maybe a bit
> overkill in my scenario).
>
> Diego
>
> On 15/12/2022 18:53, Robert Markula wrote:
>> On 15.12.22 at 18:15, Toomas Tamm via linux-fai wrote:
>>> This message was wrapped to be DMARC compliant. The actual message
>>> text is therefore in an attachment.
>> Hi Toom,
>>
>> unfortunately I can't quote you directly, but regarding a rogue
>> attacker mimicking the MAC of an install client: You have to manually
>> enable a FAI installation, otherwise the client cannot be installed:
>>
>> fai-chboot -c DEFAULT client.example.com
>>
>> Granted, with the right timing one could be faster with a rogue client
>> than with the real client. But on the other hand, any client with
>> access to the FAI NFS server can manually mount the NFSroot and obtain
>> any secrets living on the NFS server via this method.
>>
>> So keeping a secret on the NFSroot is not a viable solution. But there
>> are possibilities to work around that. What has been discussed:
>>
>> 1. the secret is created on the install client during installation and
>> transferred to another system in a secure way, e.g. via SSH
>> 2. the secret is pulled from a third-party solution, which is outside
>> the scope of FAI (e.g. via Salt, Cfengine or any other configuration
>> management software). Authenticated registration of the install client
>> to the configuration management software of your choice is the weakest
>> link here [1]
>> 3. using public key encryption (GPG, PKI, SSH) [2]
>> 4. using a zero-trust-like approach to secrets like clevis/tang [3]
>>
>> I have not looked into solutions like HashiCorp Vault, but maybe that
>> can be cleverly integrated as well?
>>
>> Kind regards,
>>
>>
>> Robert
>>
>> [1] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg07955.html
>> [2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
>> [3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html
>
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
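The encrypt-on-host / decrypt-on-reinstall loop sketched above, written out as a POSIX shell helper. This is an added example, not code from the FAI project, from clevis, or from the poster; the output directory layout, the `tpm2` pin configuration (sha256 bank, PCR 7) and the default file list (SSH host keys) are assumptions. Only the `*.jwe` ciphertexts and a sha256 manifest of the plaintexts ever leave the machine, so a copy sitting on the FAI NFS server is useless to any other install client; `clevis decrypt` will only succeed on the same TPM, and with PCR 7 in the policy, only while the Secure Boot state is unchanged (after a firmware change the files must be re-encrypted from a running system).

```shell
#!/bin/sh
# Hypothetical helper (added example, not FAI or clevis code): seal
# machine-specific secret files to the local TPM with clevis, keep only the
# ciphertext (JWE) plus a hash manifest on the FAI server, and unseal them
# again after a reinstall.  Paths, pin config and file list are assumptions.
set -eu

# clevis tpm2 pin config: seal to the sha256 bank, PCR 7 (Secure Boot state).
# Omitting pcr_ids still binds the secret to this TPM, but then any OS booted
# on this hardware can decrypt it.
CLEVIS_TPM2_CFG='{"pcr_bank":"sha256","pcr_ids":"7"}'
# Default file list (assumption): SSH host keys are the typical case.
DEFAULT_SECRETS='/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key'

# Map an absolute plaintext path to a flat ciphertext name inside $2,
# e.g. /etc/ssh/ssh_host_ed25519_key -> $2/etc_ssh_ssh_host_ed25519_key.jwe
jwe_path() {
    printf '%s/%s.jwe\n' "$2" "$(printf '%s' "$1" | sed 's#^/##; s#/#_#g')"
}

# Record sha256 of each plaintext (absolute paths, one per line) so a restore
# can be verified without the plaintext ever being stored on the server.
write_manifest() {
    dir=$1; shift
    : > "$dir/manifest.sha256"
    for f in "$@"; do sha256sum "$f" >> "$dir/manifest.sha256"; done
}

# Exit non-zero if any file listed in the manifest differs on disk.
verify_manifest() {
    sha256sum -c --quiet "$1/manifest.sha256"
}

# Run on the installed host (e.g. over ssh); afterwards copy $outdir to the
# FAI server.  Only *.jwe files and the hash manifest leave the machine.
encrypt_secrets() {
    outdir=$1; shift
    [ $# -gt 0 ] || set -- $DEFAULT_SECRETS
    mkdir -p "$outdir"
    for f in "$@"; do
        clevis encrypt tpm2 "$CLEVIS_TPM2_CFG" < "$f" > "$(jwe_path "$f" "$outdir")"
    done
    write_manifest "$outdir" "$@"
}

# Run from a FAI hook on reinstall, after the .jwe directory was copied over.
# Succeeds only on the same TPM with the same PCR 7 state; otherwise clevis
# fails and the script stops before touching the verified state.
restore_secrets() {
    indir=$1
    umask 077                      # restored key files must not be world-readable
    while read -r _hash path; do   # manifest paths must not contain spaces
        mkdir -p "$(dirname "$path")"
        clevis decrypt < "$(jwe_path "$path" "$indir")" > "$path"
    done < "$indir/manifest.sha256"
    verify_manifest "$indir"
}

case "${1:-}" in
    encrypt) shift; encrypt_secrets "$@" ;;
    restore) shift; restore_secrets "$@" ;;
    '') ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 encrypt OUTDIR [FILE...] | restore INDIR" >&2; exit 1 ;;
esac
```

Usage: `ssh root@host ./tpm-secrets.sh encrypt /tmp/sealed` followed by copying `/tmp/sealed` to the FAI server; on reinstall, after FAI has transferred that directory to the client, `./tpm-secrets.sh restore /path/to/sealed`. Note what this does and does not protect: the JWE files are safe to leave on the NFSroot because only the originating TPM can unseal them, but anyone who can boot that particular hardware (and, with PCR 7 bound, boot it in the same Secure Boot state) can still run `clevis decrypt`, so physical access to the machine is outside this threat model.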