Secure deploy of keys

Diego Zuccato diego.zuccato at unibo.it
Mon Jan 16 15:28:54 CET 2023


Just did a quick test. Seems feasible to use clevis w/ tpm2 to securely 
bind credentials to a machine. The idea is:
- in case of new install there are no machine-specific files
   - secrets get generated as usual
   - once the machine is up & running, use ssh to run a script to 
encrypt the needed secret files using the machine's TPM and transfer 
the encrypted files to FAI
- in case of reinstall, FAI transfers encrypted files to the machine and 
runs clevis decrypt to restore 'em

That's just a rough idea. Any evident issues?

Diego

On 16/01/2023 14:12, Diego Zuccato wrote:
> Tks for the answer. Sorry for seeing it late but it went in the spam 
> folder :(
> I didn't know clevis/tang, but it's really interesting (maybe a bit 
> overkill in my scenario).
> 
> Diego
> 
> On 15/12/2022 18:53, Robert Markula wrote:
>> On 15.12.22 at 18:15, Toomas Tamm via linux-fai wrote:
>>> This message was wrapped to be DMARC compliant. The actual message
>>> text is therefore in an attachment.
>> Hi Toom,
>>
>> unfortunately I can't quote you directly, but regarding a rogue 
>> attacker mimicking the MAC of an install client: You have to manually 
>> enable a FAI installation, otherwise the client cannot be installed:
>>
>> fai-chboot -c DEFAULT client.example.com
>>
>> Granted, with the right timing one could be faster with a rogue client 
>> than with the real client. But on the other hand, any client with 
>> access to the FAI NFS server can manually mount the NFSroot and obtain 
>> any secrets living on the NFS server via this method.
>>
>> So keeping a secret on the NFSroot is not a viable solution. But there 
>> are possibilities to work around that. What has been discussed:
>>
>> 1. the secret is created on the install client during installation and 
>> transferred to another system in a secure way, e.g. via SSH
>> 2. the secret is pulled from a third-party solution, which is outside 
>> the scope of FAI (e.g. via Salt, Cfengine or any other configuration 
>> management software). Authenticated registration of the install client 
>> to the configuration management software of your choice is the weakest 
>> link here [1]
>> 3. using public key encryption (GPG, PKI, SSH) [2]
>> 4. using a zero-trust-like approach to secrets like clevis/tang [3]
>>
>> I have not looked into solutions like HashiCorp Vault, but maybe that 
>> can be cleverly integrated as well?
>>
>> Kind regards,
>>
>>
>> Robert
>>
>> [1] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg07955.html
>> [2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
>> [3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html
> 

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
IT Services
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
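The clevis/tpm2 seal-and-restore flow sketched at the top of this message, written out as an added shell example (not code from the original post or from FAI). Everything beyond the clevis command lines is an assumption: the FAI_HOST/FAI_STAGE names, the /var/tmp/sealed staging path, the PCR 7 binding and the scp push stand in for whatever transport and hook layout FAI is actually given.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions (hypothetical names):
# clevis (tpm2 pin) and tpm2-tools are installed on the client and in the FAI
# nfsroot, the TPM is reachable via /dev/tpmrm0, and the FAI server accepts
# scp from the client as $FAI_HOST into $FAI_STAGE/<hostname>/.
set -eu

# Bind the sealed blobs to PCR 7 (Secure Boot policy). With no pcr_ids the
# JWE is bound only to the TPM itself, so any root process on that box can
# unseal it; with PCRs, a firmware or Secure Boot change makes the blobs
# undecryptable and the seal step has to be re-run before the reinstall.
CLEVIS_TPM2_CFG='{"pcr_bank":"sha256","pcr_ids":"7"}'

# seal_tree STAGE ROOT FILE...: seal ROOT/FILE into STAGE/FILE.jwe for each
# FILE (absolute path inside ROOT), mirroring the directory layout so the
# restore step needs no name mapping. ROOT is "" on the live system.
seal_tree() {
    stage=$1; root=$2; shift 2
    for f in "$@"; do
        out="$stage/${f#/}.jwe"
        mkdir -p "$(dirname "$out")"
        clevis encrypt tpm2 "$CLEVIS_TPM2_CFG" < "$root$f" > "$out"
    done
}

# unseal_tree STAGE ROOT: restore every STAGE/<path>.jwe to ROOT/<path> with
# mode 0600 (these are private keys; FAI runs hooks as root, so the files
# come out root-owned). Decryption happens in the install environment.
unseal_tree() {
    stage=$1; root=$2
    find "$stage" -type f -name '*.jwe' | while read -r jwe; do
        rel=${jwe#"$stage"/}; rel=${rel%.jwe}
        mkdir -p "$root/$(dirname "$rel")"
        umask 077
        clevis decrypt < "$jwe" > "$root/$rel"
        chmod 0600 "$root/$rel"
    done
}

case "${1:-}" in
    seal)    # run on the installed client (e.g. over ssh), then push to FAI
        shift; seal_tree /var/tmp/sealed "" "$@"
        scp -r /var/tmp/sealed/. "$FAI_HOST:$FAI_STAGE/$(hostname)/" ;;
    restore) # FAI hook, after fcopy placed the tree under $target/var/tmp/sealed
        unseal_tree "$target/var/tmp/sealed" "$target" ;;
esac
```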

