### Issue description

`boot.initrd.clevis.devices.<name>.secretFile` has a type of `path` in NixOS 24.05. This means that every `*.jwe` file used with this option ends up in the world-readable nix store.

Why does this seem disturbing?

To the best of my knowledge, when using a Tang pin, the `*.jwe` file contains everything needed for an interaction with the Tang server that results in key decryption.

To validate this thesis, I set up an experiment with 2 machines: S, which acted as a Tang server, and C, which used Clevis to decrypt a LUKS partition on boot. After C performed a successful unattended boot, I logged in as an unprivileged user and ran:

It printed the LUKS passphrase. I also tried copying the `*.jwe` file to another machine (one that was able to contact the Tang server), ran `clevis decrypt < *.jwe` there, and also recovered the LUKS passphrase.

### Recommendations

In the Security Considerations subsection of Tang's readme it is said that:

> it is of utmost importance that the client protect cJWK from prying eyes. This may include device permissions, filesystem permissions, security frameworks (such as SELinux) or even the use of hardware encryption such as a TPM.

Looking at the above experiment, it seems to me that the cJWK can be read from the `*.jwe` file; therefore, this file should be treated as a proper secret and not included in the nix store.
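The following is an added audit script, not code from the issue above nor from the NixOS or Clevis projects. It walks a directory tree (stand-in for `/nix/store`), lists every `*.jwe` file that is world-readable, and decodes the JWE protected header to show what such a file discloses without any decryption: the Clevis pin type, the Tang server URL and the advertised key operations. It assumes the header layout written by `clevis-encrypt-tang` (pin metadata under the `clevis` key); the sample JWE it embeds is constructed with placeholder key material and placeholder ciphertext, so it runs offline. It only reads header metadata; recovering the passphrase, as described in the issue, still requires `clevis decrypt` and a reachable Tang server.

```python
"""Audit a tree for world-readable Clevis JWE files and show what their
protected headers disclose. Added example, not from the issue or from
NixOS/Clevis. Assumption: the header layout is the one clevis-encrypt-tang
produces, with pin metadata under the "clevis" key."""
import base64
import json
import os
import stat
import tempfile

# Constructed sample header mirroring the fields clevis-encrypt-tang writes.
# Key coordinates and the kid are placeholders, not real key material.
_SAMPLE_HEADER = {
    "alg": "ECDH-ES",
    "enc": "A256GCM",
    "clevis": {
        "pin": "tang",
        "tang": {
            "url": "http://tang.example:7500",
            "adv": {"keys": [
                {"alg": "ECMR", "crv": "P-521", "kty": "EC",
                 "key_ops": ["deriveKey"], "x": "AAAA", "y": "AAAA"},
                {"alg": "ES512", "crv": "P-521", "kty": "EC",
                 "key_ops": ["verify"], "x": "AAAA", "y": "AAAA"},
            ]},
        },
    },
    "epk": {"crv": "P-521", "kty": "EC", "x": "AAAA", "y": "AAAA"},
    "kid": "placeholder-thumbprint",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Compact JWE: header..iv.ciphertext.tag (ECDH-ES direct mode leaves the
# encrypted-key segment empty). The body segments are placeholder bytes.
SAMPLE_JWE = ".".join([
    b64url_encode(json.dumps(_SAMPLE_HEADER, separators=(",", ":")).encode()),
    "",
    b64url_encode(b"\x00" * 12),
    b64url_encode(b"\x00" * 40),
    b64url_encode(b"\x00" * 16),
])


def parse_jwe_header(compact: str) -> dict:
    """Decode the protected header of a compact-serialization JWE."""
    parts = compact.strip().split(".")
    if len(parts) != 5:
        raise ValueError("not a compact-serialization JWE")
    return json.loads(b64url_decode(parts[0]))


def clevis_pin_info(compact: str) -> dict:
    """Extract what the header reveals about the Clevis pin in plaintext."""
    hdr = parse_jwe_header(compact)
    clevis = hdr.get("clevis", {})
    info = {"pin": clevis.get("pin"), "alg": hdr.get("alg"), "enc": hdr.get("enc")}
    if info["pin"] == "tang":
        tang = clevis["tang"]
        info["url"] = tang["url"]
        info["adv_key_ops"] = [k.get("key_ops", []) for k in tang["adv"]["keys"]]
    return info


def find_exposed_jwes(root: str) -> list:
    """Return (path, header info) for every world-readable *.jwe under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jwe"):
                continue
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & stat.S_IROTH:
                continue
            with open(path) as fh:
                try:
                    info = clevis_pin_info(fh.read())
                except (ValueError, KeyError):
                    info = {"pin": None}  # readable, but not a Clevis JWE
            found.append((path, info))
    return found


def demo() -> list:
    """Write the constructed JWE into a temp dir with store-like 0444 mode
    (stand-in for /nix/store) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "abc-luks.jwe")
        with open(path, "w") as fh:
            fh.write(SAMPLE_JWE)
        os.chmod(path, 0o444)
        return [(os.path.basename(p), i) for p, i in find_exposed_jwes(root)]


if __name__ == "__main__":
    for name, info in demo():
        print(f"{name}: pin={info['pin']} url={info.get('url')} alg={info['alg']}")
    # On a real host, call find_exposed_jwes("/nix/store") instead.
```

On a real system the call to audit is `find_exposed_jwes("/nix/store")`; every hit is a file an unprivileged local user can copy off the machine and feed to `clevis decrypt` from anywhere the Tang URL in its header is reachable.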