- Bug
- Resolution: Done
- Undefined
- None
- 4.12.z
Description of problem:
In assisted installer when I want to enable TANG encryption I am asked for Server Thumbprint. Unfortunately, the assisted installer or any documentation I was able to find does not explain how to get such a thing.
Version-Release number of selected component (if applicable):
Latest as of May 12, 2023
How reproducible:
Always
Additional info:
Discussion from #assisted-installer-forum slack channel:

5d dyocum: Hello! A customer has this question: In assisted installer when I want to enable TANG encryption I am asked for Server Thumbprint. Unfortunately, the assisted installer or any documentation I was able to find does not explain how to get such a thing.

5d Trey West: I think this doc explains it: https://docs.openshift.com/container-platform/4.9//security/network_bound_disk_encryption/nbde-managing-encryption-keys.html They should be able to run tang-show-keys <tang-port> on their tang server and it will be displayed.

4d Jakub Bittner: But only if you have root access to TANG server. What should you do if you do not? I opened that case, because I need to get a thumbprint of tang2.nbde-001.prod.iad2.dc.redhat.com in order to install encrypted workers and I do not have root access to it.

4d Trey West: @Jakub Bittner you can also see the thumbprint if you run this: echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>"}' You will get an interactive prompt that shows the signing key, which is the thumbprint. You can then verify it works by running: echo okay | clevis encrypt tang '{"url":"http://<tang-server>:<tang-port>", "thp": "<thumbprint>"}' | clevis decrypt

4d Trey West: @Nir Magnezi I see documentation for how to retrieve the tang server thumbprint when a user has access to the tang server, but nothing straightforward on how to get it from the client side. Do you know of some documentation that explains it?

4d Jakub Bittner: I have seen such a howto in the past somewhere in older openshift version docs, but I can not find it.

1d dyocum: @Nir Magnezi Do you have an answer to Trey's question?

9h Nir Magnezi: When I learned this protocol I used: https://github.com/latchset/tang#tang-protocol

9h Nir Magnezi: it does specify how to fetch pub keys / pub keys using specified signing key
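Added example (not code from the bug report, the assisted installer, or the tang/clevis projects) showing the client-side route the thread converges on: fetch the server's advertisement from GET /adv as described in the tang README, decode its JWS payload, and compute the RFC 7638 thumbprint of the signing key, which is the value the installer's Server Thumbprint field wants. The function names, the constructed sample advertisement and the assumption that tang/clevis thumbprints are RFC 7638 SHA-256 (S256) thumbprints by default are mine, not the page's.

```python
"""Get a Tang server's thumbprint from the client side (no root on the server needed).
Added example; not code from the bug report, the assisted installer or tang/clevis.
It fetches GET /adv (the advertisement JWS from the tang README), decodes its payload
and computes the RFC 7638 JWK thumbprint of each signing key (key_ops "verify").
Assumption: tang/clevis default to SHA-256 (S256) thumbprints; older deployments may
have pinned SHA-1 (S1) values, which hash_name="sha1" reproduces."""
import base64
import hashlib
import json
import sys
import urllib.request

# RFC 7638 required members per key type; the canonical form sorts them lexicographically.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def canonical_jwk(jwk):
    """RFC 7638 section 3: required members only, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":")).encode()

def jwk_thumbprint(jwk, hash_name="sha256"):
    return b64url_encode(hashlib.new(hash_name, canonical_jwk(jwk)).digest())

def signing_thumbprints(adv_json, hash_name="sha256"):
    """Thumbprints of the signing keys (key_ops 'verify'); exchange keys are skipped.
    The JWS signature is not verified: first contact is trust-on-first-use, so confirm
    the value with the server's owner before pinning it in the installer's "thp" field."""
    payload = json.loads(b64url_decode(json.loads(adv_json)["payload"]))
    return [jwk_thumbprint(k, hash_name) for k in payload["keys"]
            if "verify" in k.get("key_ops", [])]

# Constructed sample advertisement for offline use; x/y are placeholders, not curve points.
SAMPLE_ADV = json.dumps({"payload": b64url_encode(json.dumps({"keys": [
    {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"], "x": "QUFB", "y": "QkJC"},
    {"kty": "EC", "crv": "P-521", "alg": "ECMR", "key_ops": ["deriveKey"], "x": "Q0ND", "y": "RERE"},
]}).encode()), "protected": b64url_encode(b'{"alg":"ES512"}'), "signature": ""})

def fetch_adv(url):  # usage: python tang_thp.py http://<tang-server>:<tang-port>
    with urllib.request.urlopen(url.rstrip("/") + "/adv", timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    for thp in signing_thumbprints(fetch_adv(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADV):
        print(thp)
```

Cross-check the printed value against what clevis shows in the interactive prompt from Trey's command; if they differ, the server was probably pinned with a SHA-1 thumbprint, which hash_name="sha1" reproduces.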