Am 13.12.22 um 14:47 schrieb Diego Zuccato:
Hello all.
What's the recommended way to deploy (or re-deploy) security-sensitive
objects (just to say one: private ssh key to avoid client warnings
when redeploying a server)?
You could use RedHat's Latchset framework [1] with Clevis (on the
client) and Tang (on the server).
It would roughly work as follows:
1. A secret is generated locally on the FAI client:
head -100 /dev/urandom | tr -dc 'a-z0-9' > secret.txt
2. This secret is encrypted locally using the Tang server:
clevis encrypt tang
'{"url":"http://tang.example.com","thp":"Jfmvz_ZjfbCgeFqAgWpTOIgEeRw4"}'
< secret.txt > secret_ENCRYPTED.txt
Where 'Jfmvz_ZjfbCgeFqAgWpTOIgEeRw4' is the publically known key of the
Tang server.
3. You can copy the 'secret_ENCRYPTED.txt' to any SSH server.
Alternatively you could place this file in FAI's log directory, which
gets conveniently copied to the FAI server at the end of the FAI
installation run. The secret would then live on the FAI server in an
encrpyted form.
4. From then on, the secret can be used by any kind of automated or
manual process. Let's assume, the admin (you) wants to read the secret.
You login to the FAI server, head to the FAI log dir and decrypt the
secret, again using the Tang server:
clevis decrypt < secret_ENCRYPTED.txt > secret.txt
With Clevis and Tang, you could even define the requirement to use e.g.
two different Tang servers in order to be able to decrypt the file. Or
you could require to use one Tang server and a password or even the TPM.
The framework is very flexible here.
But now for the really interesting part: you do not need (!) access to
the Tang server when encrypting files. So the FAI client and the FAI
server do not need access to the Tang server. You can encrypt files
offline by providing the so-called public 'server advertisement' of the
Tang server during encryption. So all clients can only encrypt, but
never decrypt data.
Your Salt server - or admin machine -, on the other hand, would have
access to the Tang server and thus be able to automatically decrypt your
secrets.
You can even use Clevis and Tang with LUKS in order to encrypt disks
upon creation and decrypt them automatically during bootup. So during
normal operation, fully encrypted systems are able to bootup without any
hands-on requirement as long as the Tang server is reachable. But any
intruder that steals your machines cannot decrypt the systems because he
has no access to your internal Tang server. Fallback to password-based
decryption is, of course, always possible.
[1] https://github.com/latchset/clevis
