Bind clevis luks to specific tang key pair

[rianbooyer]

I'm not sure if i'm asking this properly.

I have tang installed and have generated new key advertisements:

tang-show-keys 8111

8nhn5lAEdzFF8VjsCoYmkTkUvLK7DavHg20vuP-qsws
Xv5TSLcg7znFCvOowNlA8jeshvw2bqdSCFg8B04bLQE
9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4 < this is the one i want to bind to
MhsUuxB2tY7uipzeTavGeBKMa0Raxf_HrkpXmQubxzo

My test system:

Ubuntu 24.04.x
/dev/sda3 is encrypted with a password

I download the advertisement and store it in /boot/tang.key

curl http://itrss-ops.missouri.edu:8111/adv/9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4 > /boot/tang.key

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0

then i bind by running clevis luks bind:

clevis luks bind -d /dev/sda3 tang '{"url":"http://10.47.203.157:8111/adv/9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4", "adv": "/boot/tang.key", "thp": "9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4"}'
Enter existing LUKS password:

this finishes and i do the update-initramfs -uk all

i reboot and the drive decrypts automatically

ok my issue is this

when i remove the tang file on the server

tang-show-keys 8111

8nhn5lAEdzFF8VjsCoYmkTkUvLK7DavHg20vuP-qsws
Xv5TSLcg7znFCvOowNlA8jeshvw2bqdSCFg8B04bLQE
MhsUuxB2tY7uipzeTavGeBKMa0Raxf_HrkpXmQubxzo

The system will still boot and auto decript even through that key is now gone in /var/db/tang on the host server.

It seems when i try to bind to a specific jwk it doesn't bind to that key but one of the others existing on the system.

The reason for this is i would like to have specific jwk keys and advertisements assigned to each system and if something happens i want to destroy the key on the server to prevent the system from auto unlocking at all.

That way if a system is stolen or misplaced the person would have to know the lvm password to decrypt the drive at boot and if it is brought back we have to issue a new advertisement and key.

Not sure if tang and clevis can actually do this.

any assistance would be greatly appreciated :)

[rianbooyer]

Someone emailed and mentioned that he advertisement wasn't downloaded. It was i just copied the wrong output above. I verified the advertisement downloaded matched the one accessed from just the url.

[sarroutbi]

And ... with correct advertisement configured ... did it work? I am not an initramfs expert, but I guess what is taking place in your scenario is that advertisement used is stored in initramfs so, although deleting the file, it is still accessible from there.

Don't get me wrong, it is difficult for me to try to understand this particular scenario. I am just going out on a limb with this