OpenShift Bugs / OCPBUGS-13976

Add Tang Documentation for Assisted Installer


    • Moderate
    • No
    • 5
    • T&PS 2023 #6, T&PS 2023 #7
    • 2
    • False

      Description of problem:

      In the assisted installer, when I want to enable TANG encryption I am asked for a Server Thumbprint. Unfortunately, neither the assisted installer nor any documentation I was able to find explains how to get such a thing.
      
      

      Version-Release number of selected component (if applicable):

      Latest as of May 12, 2023
      
      

      How reproducible:

      Always
      

      Additional info:

      
      Discussion from the #assisted-installer-forum Slack channel:
      
      5d
      dyocum
        
      Hello!  A customer has this question:
      In the assisted installer, when I want to enable TANG encryption I am asked for a Server Thumbprint. Unfortunately, neither the assisted installer nor any documentation I was able to find explains how to get such a thing.
      5d
      Trey West
        I think this doc explains it: https://docs.openshift.com/container-platform/4.9//security/network_bound_disk_encryption/nbde-managing-encryption-keys.html
      They should be able to run tang-show-keys <tang-port> on their tang server and it will be displayed
      4d
      Jakub Bittner
        But only if you have root access to TANG server. What should you do if you do not?
      I opened that case, because I need to get a thumbprint of tang2.nbde-001.prod.iad2.dc.redhat.com in order to install encrypted workers and I do not have root access to it.
      4d
      Trey West
        
      @Jakub Bittner you can also see the thumbprint if you run this:
      echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>"}'
      You will get an interactive prompt that shows the signing key which is the thumbprint.  You can then verify it works by running:
      echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>", "thp": "<thumbprint>"}' | clevis decrypt
      
      4d
      Trey West
        
      @Nir Magnezi I see documentation for how to retrieve the tang server thumbprint when a user has access to the tang server but nothing straightforward on how to get it from the client side. Do you know of some documentation that explains it?
      4d
      Jakub Bittner
        I have seen such a howto in the past somewhere in older OpenShift version docs, but I cannot find it
      1d
      dyocum
        
      @Nir Magnezi Do you have an answer to Trey's question :point_up: ?
      9h
      Nir Magnezi
        When I learned this protocol I used: https://github.com/latchset/tang#tang-protocol
      9h
      Nir Magnezi
        it does specify how to fetch pub keys / pub keys using the specified signing key
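      The client-side path the thread points at (the clevis prompt and the Tang protocol page) amounts to: fetch the server's advertisement from /adv, select the keys advertised with key_ops "verify", and compute their RFC 7638 JWK thumbprints, which is the value tang-show-keys prints and the installer prompt expects. The script below is an added example written for this issue, not code from the thread or from the Tang/Clevis projects; it assumes the SHA-256 thumbprint form, uses a constructed advertisement with fake key material, and does not verify the advertisement's JWS signature.

```python
import base64
import hashlib
import json
import urllib.request

def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 input: required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    subset = {m: jwk[m] for m in required[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Thumbprint as tang-show-keys prints it (SHA-256 assumed here)."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode()).digest()
    return b64url_encode(digest)

def signing_key_thumbprints(adv: dict) -> list:
    """/adv is a JWS whose payload is a JWK set; the installer prompt wants
    the thumbprint of a key advertised with key_ops 'verify'."""
    keys = json.loads(b64url_decode(adv["payload"]))["keys"]
    return [jwk_thumbprint(k) for k in keys if "verify" in k.get("key_ops", [])]

def matches_pinned(adv: dict, pinned_thp: str) -> bool:
    """Compare an advertisement against a thumbprint obtained out of band."""
    return pinned_thp in signing_key_thumbprints(adv)

def fetch_advertisement(url: str) -> dict:
    """GET http://<tang-server>:<tang-port>/adv (placeholders, not a real host)."""
    with urllib.request.urlopen(url.rstrip("/") + "/adv") as resp:
        return json.load(resp)

# Constructed sample advertisement: fake x/y values; the JWS signature is not
# verified here (clevis checks it before trusting the key set).
SAMPLE_KEYS = {"keys": [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["verify"],
     "x": "AAAA", "y": "BBBB"},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"],
     "x": "CCCC", "y": "DDDD"}]}
SAMPLE_ADV = {"payload": b64url_encode(json.dumps(SAMPLE_KEYS).encode()),
              "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
              "signature": "constructed-placeholder"}
```

Against a live server, `signing_key_thumbprints(fetch_advertisement("http://<tang-server>:<tang-port>"))` returns the candidates; only a value that also matches one the server operator provided out of band should be pasted into the installer.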
      
      
      

            rhn-support-jowilkin John Wilkins
            rhn-support-dyocum Daniel Yocum
            Ido Ovadia Ido Ovadia (Inactive)