Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"
On Tuesday, 24 November 2020 08:55:32 CET Christoph Biedl wrote:
> * Re-run tangd-update, the command
>
>     systemctl restart tangd-update.service
>
>   should do the trick. Else manually something like

It did. I verified that /var/cache/tang/default.jws did not have «"key_ops": ["deriveKey"]», and restarting tangd-update.service then correctly regenerated /var/cache/tang/default.jws. Now the clevis command is working as expected.

Thanks for the help :-)
Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"
Control: reassign 975343 tang 7-1
Control: tags 975343 upstream
Control: retitle 975343 tang: Race condition between keygen and update, resulting in "Key derivation key not available!"
Control: severity 975343 important

Dominique Dumont wrote...

> $ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
> The advertisement contains the following signing keys:
>
> jvCF5[...]8s5A
>
> Do you wish to trust these keys? [ynYN] y
> Key derivation key not available!

Okay, here's the story: tangd-keygen creates two files in /var/db/tang/, the second one containing '(...)"key_ops":["deriveKey"](...)'. In parallel, tangd-update takes all the files in that directory to build (among others) /var/cache/tang/default.jws. Now if tangd-keygen hasn't finished the job yet, the second one is not taken into account, and this happens on slower hardware. Possibly upstream was under the assumption that the multiple After=... in tangd.socket are started serialized, not in parallel.

You can check your situation using the following command:

    jq -r .payload
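The check Christoph points at (decode the advertisement's payload and look for a key with "key_ops": ["deriveKey"]) can be scripted so an operator can confirm whether the cache was built before tangd-keygen finished. The script below is an added example, not code from this bug report, from tang or from clevis. It assumes the advertisement layout as I understand it: /var/cache/tang/default.jws is a JWS whose base64url "payload" decodes to a JWK set {"keys": [...]}, where the exchange key carries "key_ops": ["deriveKey"] and the signing key "verify". The two fixtures at the bottom are constructed, unsigned stand-ins: a complete advertisement and a "raced" one containing only the signing key, which is the state Dominique found on the armhf box.

```python
"""Check a tang advertisement (default.jws) for a key-derivation key.

Added example, not code from the bug report or from tang/clevis.
Assumed format: a JWS whose base64url "payload" is a JWK set
{"keys": [...]}; the derive key has "key_ops": ["deriveKey"].
"""
import base64
import json
import sys


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in JWS; restore '=' padding first."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def advertised_key_ops(jws_text: str) -> list:
    """Return the key_ops list of every JWK in the advertisement payload."""
    jws = json.loads(jws_text)
    jwkset = json.loads(b64url_decode(jws["payload"]))
    return [key.get("key_ops", []) for key in jwkset.get("keys", [])]


def has_derive_key(jws_text: str) -> bool:
    """True if at least one advertised key can be used for key derivation."""
    return any("deriveKey" in ops for ops in advertised_key_ops(jws_text))


def diagnose(jws_text: str) -> str:
    """Verdict matching the failure mode discussed in this bug."""
    if has_derive_key(jws_text):
        return "ok: advertisement contains a deriveKey key"
    return ("missing deriveKey key: advertisement was likely generated before "
            "tangd-keygen finished; restart tangd-update.service and re-check")


def _constructed_adv(keys: list) -> str:
    """Build an unsigned, constructed advertisement for offline testing.

    Real files carry a valid signature; this helper only fills the fields
    the checks above read.
    """
    payload = base64.urlsafe_b64encode(
        json.dumps({"keys": keys}).encode()).rstrip(b"=").decode()
    return json.dumps({"payload": payload, "protected": "", "signature": ""})


# Constructed fixtures: a complete advertisement and a raced one that only
# picked up the signing key. The coordinates are placeholders, not real keys.
SIGNING_KEY = {"kty": "EC", "crv": "P-521", "alg": "ES512",
               "key_ops": ["verify"], "x": "constructed", "y": "constructed"}
DERIVE_KEY = {"kty": "EC", "crv": "P-521", "alg": "ECMR",
              "key_ops": ["deriveKey"], "x": "constructed", "y": "constructed"}
GOOD_ADV = _constructed_adv([SIGNING_KEY, DERIVE_KEY])
RACED_ADV = _constructed_adv([SIGNING_KEY])


if __name__ == "__main__":
    # Usage: python3 check_adv.py [/var/cache/tang/default.jws]
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/cache/tang/default.jws"
    with open(path, encoding="utf-8") as fh:
        print(diagnose(fh.read()))
```

Run it against the live cache file on the tang host; a "missing deriveKey key" verdict is the condition that produces "Key derivation key not available!" on the clevis side, and restarting tangd-update.service once keygen has finished is the fix this thread arrived at.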
Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"
Control: tags 975343 confirmed

Dominique Dumont wrote...

> When using tang on armhf, clevis fails:
>
> $ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
> The advertisement contains the following signing keys:
>
> jvCF5[...]8s5A
>
> Do you wish to trust these keys? [ynYN] y
> Key derivation key not available!

That's bad. The cause is probably tang, and also in buster. I'll do more checks and will act according to my findings.

Thanks for reporting,

    Christoph
Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"
Package: clevis
Version: 13-2
Severity: normal

Dear Maintainer,

I've set up clevis from Debian/unstable on an amd64 machine and tang on an armhf system (an OLinuXino card).

When using tang on armhf, clevis fails:

$ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
The advertisement contains the following signing keys:

jvCF5[...]8s5A

Do you wish to trust these keys? [ynYN] y
Key derivation key not available!

On the other hand, clevis runs fine when using tang installed on the same amd64 system (which is somewhat less useful):

$ echo foo | clevis encrypt tang '{"url": "http://127.0.0.1"}' > bar.txt
The advertisement contains the following signing keys:

p4n0[...]f99qM

Do you wish to trust these keys? [ynYN] y

All the best

   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clevis depends on:
ii  cracklib-runtime    2.9.6-3.2+b2
ii  curl                7.72.0-1
ii  jose                10-3
ii  libc6               2.31-4
ii  libjansson4         2.13.1-1
ii  libjose0            10-3
ii  libpwquality-tools  1.4.2-1+b2
ii  libssl1.1           1.1.1h-1
ii  luksmeta            9-3

Versions of packages clevis recommends:
ii  cryptsetup-bin  2:2.3.4-1

clevis suggests no packages.

-- no debconf information