|
 |
04a7a1 |
From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001
|
|
|
04a7a1 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
04a7a1 |
Date: Wed, 7 Nov 2018 14:53:08 +0100
|
|
|
04a7a1 |
Subject: [PATCH 1/3] Delete remaining references to the removed http pin
|
|
|
04a7a1 |
|
|
|
04a7a1 |
Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
|
|
|
04a7a1 |
there are still references of it in the docs and also the dracut module.
|
|
|
04a7a1 |
|
|
|
04a7a1 |
This was causing dracut to fail building the initramfs due the following:
|
|
|
04a7a1 |
|
|
|
04a7a1 |
dracut-install: ERROR: installing 'clevis-decrypt-http'
|
|
|
04a7a1 |
|
|
|
04a7a1 |
Suggested-by: Dominick Grift <dac.override@gmail.com>
|
|
|
04a7a1 |
|
|
|
04a7a1 |
Fixes: #73
|
|
|
04a7a1 |
---
|
|
|
04a7a1 |
README.md | 21 ---------------------
|
|
|
04a7a1 |
src/clevis.1.adoc | 21 ---------------------
|
|
|
04a7a1 |
src/luks/clevis-luks-bind.1.adoc | 1 -
|
|
|
04a7a1 |
src/luks/systemd/dracut/module-setup.sh.in | 1 -
|
|
|
04a7a1 |
src/pins/sss/clevis-encrypt-sss.1.adoc | 1 -
|
|
|
04a7a1 |
5 files changed, 45 deletions(-)
|
|
|
04a7a1 |
|
|
|
04a7a1 |
diff --git a/README.md b/README.md
|
|
|
04a7a1 |
index ce8def12ec96..d57339aca5d9 100644
|
|
|
04a7a1 |
--- a/README.md
|
|
|
04a7a1 |
+++ b/README.md
|
|
|
04a7a1 |
@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When
|
|
|
04a7a1 |
the advertisment is specified manually like this, Clevis presumes that the
|
|
|
04a7a1 |
advertisement is trusted.
|
|
|
04a7a1 |
|
|
|
04a7a1 |
-#### PIN: HTTP
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-Clevis also ships a pin for performing escrow using HTTP. Please note that,
|
|
|
04a7a1 |
-at this time, this pin does not provide HTTPS support and is suitable only
|
|
|
04a7a1 |
-for use over local sockets. This provides integration with services like
|
|
|
04a7a1 |
-[Custodia](http://github.com/latchset/custodia).
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-For example:
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-```bash
|
|
|
04a7a1 |
-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
|
|
|
04a7a1 |
-```
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-The HTTP pin generate a new (cryptographically-strong random) key and performs
|
|
|
04a7a1 |
-encryption using it. It then performs a PUT request to the URL specified. It is
|
|
|
04a7a1 |
-understood that the server will securely store this key for later retrieval.
|
|
|
04a7a1 |
-During decryption, the pin will perform a GET request to retrieve the key and
|
|
|
04a7a1 |
-perform decryption.
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-Patches to provide support for HTTPS and authentication are welcome.
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
#### PIN: TPM2
|
|
|
04a7a1 |
|
|
|
04a7a1 |
Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
|
|
|
04a7a1 |
diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc
|
|
|
04a7a1 |
index 756aba57a4c8..dea0a696f5f7 100644
|
|
|
04a7a1 |
--- a/src/clevis.1.adoc
|
|
|
04a7a1 |
+++ b/src/clevis.1.adoc
|
|
|
04a7a1 |
@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to
|
|
|
04a7a1 |
encrypt the data so that it can be automatically decrypted if the policy is
|
|
|
04a7a1 |
met. Lets walk through an example.
|
|
|
04a7a1 |
|
|
|
04a7a1 |
-== HTTP ESCROW
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-When using the HTTP pin, we create a new, cryptographically-strong, random key.
|
|
|
04a7a1 |
-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
|
|
|
04a7a1 |
-Then at decryption time, we attempt to fetch the key back again in order to
|
|
|
04a7a1 |
-decrypt our data. So, for our configuration we need to pass the URL to the key
|
|
|
04a7a1 |
-location:
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-To decrypt the data, simply provide the ciphertext (JWE):
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
- $ clevis decrypt < JWE > PLAINTEXT
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-Notice that we did not pass any configuration during decryption. The decrypt
|
|
|
04a7a1 |
-command extracted the URL (and possibly other configuration) from the JWE
|
|
|
04a7a1 |
-object, fetched the encryption key from the escrow and performed decryption.
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
|
|
|
04a7a1 |
-
|
|
|
04a7a1 |
== TANG BINDING
|
|
|
04a7a1 |
|
|
|
04a7a1 |
Clevis provides support for the Tang network binding server. Tang provides
|
|
|
04a7a1 |
@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
|
|
|
04a7a1 |
|
|
|
04a7a1 |
== SEE ALSO
|
|
|
04a7a1 |
|
|
|
04a7a1 |
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
|
|
|
04a7a1 |
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
|
|
|
04a7a1 |
index 9f3a880cfb0c..0d649e3ec28b 100644
|
|
|
04a7a1 |
--- a/src/luks/clevis-luks-bind.1.adoc
|
|
|
04a7a1 |
+++ b/src/luks/clevis-luks-bind.1.adoc
|
|
|
04a7a1 |
@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key.
|
|
|
04a7a1 |
== SEE ALSO
|
|
|
04a7a1 |
|
|
|
04a7a1 |
link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
|
|
|
04a7a1 |
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
|
|
|
04a7a1 |
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
|
|
|
04a7a1 |
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
|
|
|
04a7a1 |
index 119762e38326..48aea5b3f29a 100755
|
|
|
04a7a1 |
--- a/src/luks/systemd/dracut/module-setup.sh.in
|
|
|
04a7a1 |
+++ b/src/luks/systemd/dracut/module-setup.sh.in
|
|
|
04a7a1 |
@@ -36,7 +36,6 @@ install() {
|
|
|
04a7a1 |
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
|
|
|
04a7a1 |
|
|
|
04a7a1 |
inst_multiple /etc/services \
|
|
|
04a7a1 |
- clevis-decrypt-http \
|
|
|
04a7a1 |
clevis-decrypt-tang \
|
|
|
04a7a1 |
clevis-decrypt-sss \
|
|
|
04a7a1 |
@libexecdir@/clevis-luks-askpass \
|
|
|
04a7a1 |
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
|
04a7a1 |
index d46498db328c..7144e7e9ea96 100644
|
|
|
04a7a1 |
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
|
04a7a1 |
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
|
04a7a1 |
@@ -54,6 +54,5 @@ receive key fragments.
|
|
|
04a7a1 |
|
|
|
04a7a1 |
== SEE ALSO
|
|
|
04a7a1 |
|
|
|
04a7a1 |
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
|
|
|
04a7a1 |
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
|
|
|
04a7a1 |
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
|
|
|
04a7a1 |
--
|
|
|
04a7a1 |
2.19.1
|
|
|
04a7a1 |
|