Server Key Database
The Tang Server (tang-keyd) requires a database of keys. The key database is simply a directory (usually /var/tang) of key files with two special naming conventions that control the server's behavior. Key management can be performed using standard file manipulation routines. If your Tang Server instance is running, it will automatically pick up any changes to the key database immediately.
The key files contain OpenSSL's standard key format. In fact, you can generate keys with OpenSSL directly:
openssl ecparam -name secp384r1 -genkey -out test.key
However, the best way to generate keys is to use tang-key-gen:
tang-key-gen -g secp384r1 -A -r # Generates an advertised recovery key in P-384
tang-key-gen -g secp384r1 -a -s # Generates an unadvertised signature key in P-384
The tang-key-gen utility takes care of several other crucial details, including:
- Appropriate file permissions
- Automatically generated filename (a timestamp)
- Knowledge of the key database directory
- Key advertisement
- Key usage
Tang key files also follow two important naming conventions that control:
- Key advertisement
- Key usage
Keys whose file names begin with '.' are not advertised. All other keys are advertised. Please note that unadvertised keys can still be used by clients that already know about them. Thus, unadvertised keys are merely deprecated. To disable a key from use altogether, you simply remove it from the database directory.
You may freely move keys between an advertised and unadvertised state as your policy dictates.
The Tang protocol uses two different kinds of keys: signing and recovery. This usage is determined by the file's extension. Signing keys have names that end in '.sig'. Recovery keys have names that end in '.rec'. Keys without either suffix will be ignored by the server.
NOTE WELL: You MUST NOT change a key's usage. Attempting to do so will compromise the security of the system.
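The two naming conventions above, applied by an added audit helper (this is example code written for this page, not part of Tang): tang_classify_keys lists every file in a key database directory with its advertisement state and usage, and tang_toggle_advertised moves a key between the advertised and unadvertised states by toggling only the leading '.', refusing any file without a '.sig' or '.rec' suffix so the usage can never change by accident. The directory defaults to /var/tang as described above; the file names used in comments are constructed.

```shell
#!/bin/sh
# Audit a Tang key database directory using the page's naming rules:
#   leading '.'  -> not advertised (otherwise advertised)
#   '.sig'       -> signing key, '.rec' -> recovery key, anything else ignored
# Prints one line per regular file: "<name> <advertised|unadvertised> <usage>".
tang_classify_keys() {
    dir="${1:-/var/tang}"
    # Two globs: one for visible files, one for dot-files; '.' and '..' are
    # dropped by the regular-file test, as is a literal unmatched pattern.
    for path in "$dir"/* "$dir"/.*; do
        [ -f "$path" ] || continue
        name="${path##*/}"
        case "$name" in
            .*) adv=unadvertised ;;
            *)  adv=advertised ;;
        esac
        case "$name" in
            *.sig) usage=signing ;;
            *.rec) usage=recovery ;;
            *)     usage=ignored ;;
        esac
        printf '%s %s %s\n' "$name" "$adv" "$usage"
    done
}

# Toggle a key between advertised and unadvertised by adding or removing the
# leading '.', e.g. "2020-01-01.sig" <-> ".2020-01-01.sig" (constructed names).
# The usage suffix is preserved; files without one are refused, since renaming
# a key's extension would change its usage, which the page forbids.
tang_toggle_advertised() {
    dir="$1"
    name="$2"
    case "$name" in
        *.sig|*.rec) ;;
        *) echo "refusing to rename $name: no .sig/.rec usage suffix" >&2; return 1 ;;
    esac
    case "$name" in
        .*) new="${name#.}" ;;
        *)  new=".$name" ;;
    esac
    mv -- "$dir/$name" "$dir/$new" && printf '%s\n' "$new"
}
```

Run it against a live database with `tang_classify_keys /var/tang`; a running server picks up the rename immediately, so an "ignored" line is worth investigating.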