Support for a keyscript pin, which would call an executable to retrieve key material #191
Comments
Disclaimer: I'm not the clevis developer. Anyway, implementing this isn't really difficult since
Cheers,
Thanks for the details @cbiedl .
Yeah we've been running into this a bit at work recently while working to develop a simple integration with LUKS.
If I'm reading you correctly here, I'm not proposing that clevis supports the LUKS keyscript functionality. Instead, I'm checking to see if clevis could have its own keyscript functionality via a pin, so something like this:
Reading through the code a bit more, it looks like this may be simpler than I originally expected. The README mentions that the pins are plugins, but the nature of those plugins was unclear to me until I dug through the code. Now I see that a pin named
I'll mess around with this a bit more and see if I can build off the test pin to get a simple keyscript pin to behave.
I have a prototype working here: I used the example of the

The command works like this:

```console
# Encrypt
$ echo "hi there" | ./src/pins/keyscript/clevis-encrypt-keyscript '{"keyscript": "/tmp/keyscript"}' > keyscript.jwe
$ cat keyscript.jwe ; echo
eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsiY2ZnIjp7ImtleXNjcmlwdCI6Ii90bXAva2V5c2NyaXB0In0sInBpbiI6ImtleXNjcmlwdCJ9LCJlbmMiOiJBMjU2R0NNIn0..9ZmxtknGj5qtka_P.DBq9JLBWRkMQ.ETuFwW5MG00lQuGT46uABg
$ cat keyscript.jwe | cut -d"." -f1 | jose b64 dec -i- ; echo
{"alg":"dir","clevis":{"cfg":{"keyscript":"/tmp/keyscript"},"pin":"keyscript"},"enc":"A256GCM"}

# Decrypt
$ cat keyscript.jwe | ./src/pins/keyscript/clevis-decrypt-keyscript
hi there
```

If there is interest in having this capability in clevis I can clean this up and even add on some options, like passing arguments to the keyscript.
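The prototype above is a pair of shell scripts around jose. As an added example (written for this page, not code from clevis or from the prototype), here is the same pin logic in Python: it builds the protected header the prototype shows, parses that header back out of the compact JWE to find the pin name and its cfg, and runs the named keyscript to obtain key material. The path checks in check_keyscript(), the optional cfg "args" key and the SHA-256 derivation of the 32-byte key are this example's own assumptions, not something the prototype is stated to do; the AES-GCM step itself is left to jose as in the prototype.

```python
"""Clevis-style "keyscript" pin, header-and-keyscript half only.

Added example, not code from clevis or from the prototype in the thread.
It assumes the JWE layout the prototype produces: a compact JWE whose
protected header carries {"clevis": {"pin": "keyscript", "cfg": {...}}}.
The path checks, the optional "args" cfg key and the SHA-256 key
derivation are this example's own choices; AES-GCM is left to jose.
"""
import base64
import hashlib
import json
import os
import stat
import subprocess
import tempfile

# Compact JWE emitted by the prototype (copied from the thread above).
SAMPLE_JWE = (
    "eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsiY2ZnIjp7ImtleXNjcmlwdCI6Ii90bXAva2V5c2"
    "NyaXB0In0sInBpbiI6ImtleXNjcmlwdCJ9LCJlbmMiOiJBMjU2R0NNIn0"
    "..9ZmxtknGj5qtka_P.DBq9JLBWRkMQ.ETuFwW5MG00lQuGT46uABg"
)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_protected_header(pin, cfg):
    """Protected header as the encrypt side writes it (alg "dir", A256GCM).

    The header the prototype shows is compact JSON with sorted keys, so
    this reproduces the header segment of SAMPLE_JWE byte for byte."""
    hdr = {"alg": "dir", "clevis": {"cfg": cfg, "pin": pin}, "enc": "A256GCM"}
    return b64url_encode(json.dumps(hdr, separators=(",", ":"), sort_keys=True).encode())


def parse_jwe_header(jwe):
    """Return (pin, cfg) from a compact JWE; this is how the decrypt side
    learns which pin plugin to run and with what configuration."""
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated segments)")
    clevis = json.loads(b64url_decode(parts[0]))["clevis"]
    return clevis["pin"], clevis["cfg"]


def check_keyscript(path):
    """Example policy, not clevis's: the JWE header names the script, and with
    alg "dir" that header is only integrity-protected by the key the script
    itself produces, so the path must be trusted on its own before anything
    is executed as the decrypting user (root, in an initramfs)."""
    if not os.path.isabs(path):
        raise ValueError("keyscript path must be absolute: %r" % path)
    st = os.lstat(path)  # lstat: reject symlinks instead of following them
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("keyscript must be a regular file: %r" % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("keyscript is writable by group/others: %r" % path)
    if not os.access(path, os.X_OK):
        raise ValueError("keyscript is not executable: %r" % path)
    return path


def derive_key(material):
    """32-byte A256GCM key from the script's output (this example's choice)."""
    return hashlib.sha256(material).digest()


def fetch_key(cfg, timeout=10):
    """Run the pin's keyscript with a clean environment and derive the key."""
    path = check_keyscript(cfg["keyscript"])
    argv = [path] + list(cfg.get("args", []))  # "args" is an assumed extension
    out = subprocess.run(
        argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
        check=True, timeout=timeout, env={"PATH": "/usr/bin:/bin"},
    ).stdout
    if not out:
        raise ValueError("keyscript produced no key material")
    return derive_key(out)


def try_fetch(cfg):
    """Key bytes, or a string naming the reason the keyscript was refused."""
    try:
        return fetch_key(cfg)
    except (ValueError, OSError, subprocess.SubprocessError) as e:
        return "refused: %s" % e


def demo():
    """Constructed keyscript in a private temp dir; returns the key it yields
    plus the outcomes for two paths the policy should refuse."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "keyscript")
        with open(good, "w") as f:
            f.write("#!/bin/sh\nprintf 'example-secret'\n")
        os.chmod(good, 0o700)
        loose = os.path.join(d, "loose")
        with open(loose, "w") as f:
            f.write("#!/bin/sh\nprintf 'x'\n")
        os.chmod(loose, 0o777)  # world-writable: must be refused
        # Only the header segment matters to the pin; the rest are placeholders.
        jwe = make_protected_header("keyscript", {"keyscript": good}) + "..AAAA.AAAA.AAAA"
        pin, cfg = parse_jwe_header(jwe)
        assert pin == "keyscript"
        return {
            "key": fetch_key(cfg),
            "loose": try_fetch({"keyscript": loose}),
            "relative": try_fetch({"keyscript": "keyscript"}),
        }
```

The point of check_keyscript() is that a decrypt side which simply executes whatever path the header names is executing attacker-controlled input if the JWE can be replaced: under alg "dir" the protected header is authenticated by the content key, and here that key comes from the script the header points at, so the JWE cannot vouch for its own keyscript path. Pinning the path to a trusted, non-writable, non-symlink executable (or, more strictly, to an allowlisted directory) is the check a real pin would want.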
Possibly I completely understood your initial request indeed.
That guide is awesome @cbiedl - thanks! I hadn't gotten to the initramfs and dracut configuration yet, so that is especially helpful. Your "key in a file" pin looks very similar to my "keyscript" pin - that would have been good to find a few hours ago. :D I'll read through your work on #203 in more detail (as well as your PR on #204) when I come back around to this.
As a lower barrier to entry for integrations with custom sources of secret material, would the maintainers be open to a `keyscript`-like pin in clevis, mirroring the functionality of the same argument in crypttab? https://manpages.debian.org/testing/cryptsetup/crypttab.5.en.html

This may allow integrations like #39 to be developed with less bloat to clevis core.