
documentate How to upgrade #78

Open
dvz-rs opened this issue Oct 15, 2021 · 6 comments

Comments

@dvz-rs

dvz-rs commented Oct 15, 2021

Hi there,

I have to upgrade from tang 7.2 (Debian Buster) to 8.3 (Debian Bullseye).
My tang server already serves a few other servers.
Is there anything I have to watch before/while/after a distribution upgrade?

@sarroutbi
Collaborator

Hello. As far as I know, there have not been any non-backwards-compatible changes recently in Tang.

Tang dumps key information normally to /var/db/tang

Because of that, if your upgrade preserves the previous directory, there should be no issue.

If, due to some incompatibility (which now I can not figure out), information regarding keys changes, you might need a key renegotiation for your scenario ...

  • How many clients are you using?
  • Are all of them clevis clients?

@dvz-rs
Author

dvz-rs commented Oct 20, 2021 via email

@sarroutbi
Collaborator

When keys are rotated, you can rebind to the new keys using the clevis client.

With this command you can check the slot for a particular encrypted device:
clevis luks list -d "device"

To obtain information regarding keys (if they were rotated), you can use:
clevis luks report -d "device" -s "slot"

In case keys have been rotated, you can always rebind a slot to the new keys with the following command:
clevis luks regen -d "device" -s "slot"

In your case, if keys must be regenerated due to an issue during the upgrade, you might want to use "clevis luks regen" to bind to the new keys.

More info on key rotation:
https://www.youtube.com/watch?v=d4GmJPvhjcY (Min.15 and onwards)
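The three commands above form one procedure: list the slots on a device, check which bindings are affected by a rotation, and regen each affected slot. The script below is an added example, not code from the clevis or tang projects. It assumes only the line format that clevis luks list prints ("slot: pin 'json config'"), picks the slots whose binding depends on a tang server (a plain tang pin, or an sss pin nesting a tang sub-pin), and prints the matching clevis luks regen command for each slot so the operator can review them before running anything. The listing it works on is constructed inline; in real use it would come from clevis luks list -d DEVICE.

```shell
#!/bin/sh
# Added helper (not part of clevis or tang): after a tang server rotates its
# keys, find which LUKS slots on a device are bound to tang and print the
# `clevis luks regen` command for each of them.
# Assumption: `clevis luks list` prints one line per slot in the form
#   <slot>: <pin> '<json config>'

# tang_slots LISTING: print the slot numbers whose binding depends on tang,
# either directly (pin "tang") or through an sss pin that nests a tang sub-pin.
tang_slots() {
    printf '%s\n' "$1" | awk -F: '
        $2 ~ /^ tang / { print $1; next }
        $2 ~ /^ sss / && $0 ~ /"tang"/ { print $1 }
    '
}

# rebind_commands DEVICE LISTING: print one regen command per tang-bound slot.
# The commands are printed, not executed, so they can be reviewed first.
rebind_commands() {
    device=$1
    listing=$2
    for slot in $(tang_slots "$listing"); do
        printf 'clevis luks regen -d %s -s %s\n' "$device" "$slot"
    done
}

# Constructed sample listing (not captured from a real system): slot 1 is a
# plain tang binding, slot 2 an sss binding that includes tang, slot 5 tpm2.
SAMPLE_LISTING="1: tang '{\"url\":\"http://tang.example.com\"}'
2: sss '{\"t\":1,\"pins\":{\"tang\":[{\"url\":\"http://tang.example.com\"}]}}'
5: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\"}'"

main() {
    # Real use: rebind_commands /dev/sda2 "$(clevis luks list -d /dev/sda2)"
    rebind_commands /dev/sda2 "$SAMPLE_LISTING"
}

main
```

Running it on the sample listing prints regen commands for slots 1 and 2 only; the tpm2 slot is untouched, since a tang rotation does not affect it. Before running the printed commands, clevis luks report -d DEVICE -s SLOT on each listed slot confirms whether that slot's keys actually changed on the server.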

@krzee

krzee commented Jun 3, 2022

Thank you for sharing that video, it has useful information.
Is there a way to only rotate the client side while leaving the tang server alone? My use case is as follows: I made a cloud image which is pre-configured to unlock from the tang server, with the other key slot removed. I don't want all machines made from the cloud image to use the same decryption key, so I would like to bind another tang key to another slot and remove the one that came configured on the cloud image. But when I try to configure another slot it asks for the decryption key, and I can't figure out how to use the first tang key to auth that.

@sarroutbi
Collaborator

sarroutbi commented Jun 3, 2022

> Thank you for sharing that video, it has useful information. Is there a way to only rotate the client side while leaving the tang server alone?

Key rebinding means updating keys to the current active keys that have been rotated. Key rotation is a mechanism for keys on the tang server to be updated; key rebinding is a mechanism for clevis clients to be updated to use those keys.

> My use case is as follows: I made a cloud image which is pre-configured to unlock from the tang server, with the other key slot removed.

Sorry, I don't understand what "the other key slot" means. You have one slot entry per clevis pin configuration. If something is removed, then let's omit it.

> I don't want all machines made from the cloud image to use the same decryption key, so I would like to bind another tang key to another slot and remove the one that came configured on the cloud image. But when I try to configure another slot it asks for the decryption key, and I can't figure out how to use the first tang key to auth that.

The password asked for when you configure another slot is the one for decryption of that particular LUKS volume you are trying to configure. Configuration of one slot should not be related to another slot.

Maybe you can try to propose here the complete scenario (with tang servers involved, devices, etc.) and the commands you are using, to try to have a more detailed description.

@krzee

krzee commented Jun 10, 2022

I apologize for my useless post. My problem came from a lack of understanding. I wanted to rotate the "clevis key" without rotating the tang keys. Now I have a better understanding of how LUKS works, and I know that what I really wanted was to rotate my LUKS master key with cryptsetup reencrypt. Thank you for responding. I'll leave my previous post in place along with this one in case it helps somebody else in the future.
