-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
documentate How to upgrade #78
Comments
Hello. As far as I know, there have not been non backwards compatible changes recently on Tang. Tang dumps key information normally to /var/db/tang Due to that, if your upgrade preserves previous directory, there should be no issue. If, due to some incompatibility (which now I can not figure out), information regarding keys changes, you might need a key renegotiation for your scenario ...
|
Hi Sergio,
at the moment we have only less then 10 Clients, but in the future there where much more (>200) and all are/will be clevis clients (which other are out there?)
So i can backup /var/db/tang and restore in worst case.
What do mean with "key renegotiation" ?
Reiner Schulz
Von: Sergio Arroutbi ***@***.***
Gesendet: Mittwoch, 20. Oktober 2021 09:31
An: latchset/tang ***@***.***>
Cc: Schulz, Reiner ***@***.***>; Author ***@***.***>
Betreff: Re: [latchset/tang] documentate How to upgrade (#78)
Hello. As far as I know, there have not been non backwards compatible changes recently on Tang.
Tang dumps key information normally to /var/db/tang
Due to that, if your upgrade preserves previous directory, there should be no issue.
If, due to some incompatibility (which now I can not figure out), information regarding keys changes, you might need a key renegotiation for your scenario ...
* How many clients are you using?
* All of them are clevis clients?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#78 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AWCKZDTRLNN4VDSTT76THBDUHZV4TANCNFSM5GBYLFLQ>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
When keys are rotated, you can rebind to new keys using clevis client. With this command you can check the slot for a particular encrypted device: To obtain information regarding keys (if they were rotated), you can use: In case keys have been rotated, you can always rebind a slot with the new keys with next command: In your case, if keys must be regenerated due to an issue in the upgrading, you might want to use "clevis luks regen" to bind to new keys. More info on key rotation: |
Thank you for sharing that video, it has useful information. |
Key rebinding means to update keys to current active keys that have been rotated. Key rotation is a mechanism for keys on tang server to be updated, key rebinding is a mechanism for clevis clients to be updated to use those keys.
Sorry, I don't understand what "the other key slot" means. You have one slot entry per clevis pin configuration. If something is removed, then let's omit it.
Password asked when you configure another slot are the ones for decryption of that particular LUKS volume you are trying to configure. Configuration of one slot should not be related to other slot. Maybe you can try to propose here the complete scenario (with tang servers involved, devices, etc.) and the commands you are using, to try to have a more detailed description. |
I apologize for my useless post. My problem came from a lack of understanding. I wanted to rotate the "clevis key" without rotating the tang keys. Now I have a better understanding of how luks works, and now I know that what I really wanted was to rotate my luks master key with cryptsetup reencrypt. Thank you for responding. I'll leave my previous post in place along with this in case it helps somebody else in the future. |
Hi there,
i have to upgrade from tang 7.2 (Debian Buster) to 8.3 (Debian Bullseye).
My tang servs already a few other servers
it there anything i have to watch bevor/while/after a distrib upgrade?
The text was updated successfully, but these errors were encountered: