Description
I'm not sure if I'm asking this properly.
I have tang installed and have generated new key advertisements:
tang-show-keys 8111
8nhn5lAEdzFF8VjsCoYmkTkUvLK7DavHg20vuP-qsws
Xv5TSLcg7znFCvOowNlA8jeshvw2bqdSCFg8B04bLQE
9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4 < this is the one I want to bind to
MhsUuxB2tY7uipzeTavGeBKMa0Raxf_HrkpXmQubxzo
My test system:
Ubuntu 24.04.x
/dev/sda3 is encrypted with a password
I download the advertisement and store it in /boot/tang.key:
curl http://itrss-ops.missouri.edu:8111/adv/9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4 > /boot/tang.key
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Then I bind by running clevis luks bind:
clevis luks bind -d /dev/sda3 tang '{"url":"http://10.47.203.157:8111", "adv": "/boot/tang.key", "thp": "9oJI7El6CTuuCpXnPiz8HYUL-VG_17lpeYoxUok6EH4"}'
Enter existing LUKS password:
This finishes and I do the update-initramfs -uk all.
I reboot and the drive decrypts automatically.
OK, my issue is this:
When I remove the tang file on the server:
tang-show-keys 8111
8nhn5lAEdzFF8VjsCoYmkTkUvLK7DavHg20vuP-qsws
Xv5TSLcg7znFCvOowNlA8jeshvw2bqdSCFg8B04bLQE
MhsUuxB2tY7uipzeTavGeBKMa0Raxf_HrkpXmQubxzo
The system will still boot and auto decrypt even though that key is now gone from /var/db/tang on the host server.
It seems when I try to bind to a specific jwk it doesn't bind to that key but to one of the others existing on the system.
I would like to have specific jwk keys and advertisements assigned to each system, and if something happens I want to destroy the key on the server to prevent the system from auto unlocking at all.
That way, if a system is stolen, misplaced, or compromised, the person would have to know the LVM password to decrypt the drive at boot, and if it is brought back, we have to issue a new advertisement and key.
Not sure if tang and clevis can actually do this.
Any assistance would be greatly appreciated :)
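An added example for checking what the `thp` in the bind command above actually names, not code from the tang or clevis projects. In clevis' tang pin, `thp` selects the trusted signing key (key_ops "verify") used to verify the downloaded advertisement; the unlock itself is then wrapped against the advertisement's exchange key (key_ops "deriveKey"), so the thumbprint one binds with and the key one must delete on the server to revoke access are not necessarily the same key. The script below parses an advertisement as returned by the `/adv` endpoint (a JWS carrying a JWK set), computes each key's RFC 7638 thumbprint, and reports which role a given thumbprint belongs to. The advertisement and key coordinates are constructed placeholders; the assumption that `tang-show-keys` prints SHA-256 thumbprints (older releases printed SHA-1, so both are computed) is mine, as is the flattened-JWS layout of the sample.

```python
import base64
import hashlib
import json


def _b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as used in JWS and JWK."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


# Constructed sample: the layout mirrors a tang advertisement (a JWS whose
# payload is a JWK set holding one signing key and one exchange key), but the
# EC coordinates and the signature are synthetic placeholders, not real keys.
SAMPLE_KEYS = {
    "keys": [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
         "x": "AQIDBAUG", "y": "BwgJCgsM"},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
         "x": "DQ4PEBES", "y": "ExQVFhcY"},
    ]
}
SAMPLE_ADV = json.dumps({
    "payload": _b64url_encode(json.dumps(SAMPLE_KEYS).encode()),
    "protected": _b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": _b64url_encode(b"placeholder-signature-not-verified"),
})

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def parse_advertisement(adv_text: str) -> list:
    """Return the JWK list carried by an advertisement.

    Accepts the JWS JSON serialization ({"payload": ..., ...}) and the compact
    serialization (header.payload.signature). The signature is not verified
    here; clevis verifies it against the signing key named by "thp".
    """
    text = adv_text.strip()
    if text.startswith("{"):
        payload_b64 = json.loads(text)["payload"]
    else:
        parts = text.split(".")
        if len(parts) != 3:
            raise ValueError("not a JWS compact serialization")
        payload_b64 = parts[1]
    return json.loads(_b64url_decode(payload_b64))["keys"]


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 JWK thumbprint, base64url-encoded without padding."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return _b64url_encode(hashlib.new(hash_name, canonical.encode()).digest())


def key_role(jwk: dict) -> str:
    """Classify a tang key by its advertised key_ops."""
    ops = set(jwk.get("key_ops", []))
    if "verify" in ops:
        return "signing"
    if "deriveKey" in ops:
        return "exchange"
    return "unknown"


def inspect_advertisement(adv_text: str) -> list:
    """One summary entry per advertised key: role, alg and both thumbprints."""
    return [{"role": key_role(k), "alg": k.get("alg"),
             "thp_sha256": jwk_thumbprint(k, "sha256"),
             "thp_sha1": jwk_thumbprint(k, "sha1")}
            for k in parse_advertisement(adv_text)]


def find_key_role(adv_text: str, thp: str):
    """Role of the advertised key whose thumbprint is thp, or None if absent."""
    for entry in inspect_advertisement(adv_text):
        if thp in (entry["thp_sha256"], entry["thp_sha1"]):
            return entry["role"]
    return None


if __name__ == "__main__":
    # Against a real server: curl the /adv output into a file and pass its
    # contents here together with the thp used in the clevis bind command.
    for entry in inspect_advertisement(SAMPLE_ADV):
        print(entry)
    print(find_key_role(SAMPLE_ADV, jwk_thumbprint(SAMPLE_KEYS["keys"][0])))
```

If `find_key_role` reports "signing" for the thumbprint used in the bind, the key that must disappear from `/var/db/tang` to make the server refuse recovery is the advertisement's "exchange" entry, whose thumbprint the summary lists alongside it; comparing that list against `tang-show-keys` output on the server is the quickest way to confirm which file a revocation has to remove.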