latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0
832 stars 99 forks

tang does not react on -y switch #419

Closed S-Hahne closed 1 year ago

S-Hahne commented 1 year ago

Dear community,

There seems to be an issue with the tang pin for automation purposes.

We're using Ubuntu 20.04 with the latest available clevis packages from apt to automate the initialization of clevis with sss (with three tang servers as pins) for the decryption of our LUKS disks.

This already works when executing the initialization manually from the terminal. Now we wanted to disable the interactive questions about trusting the tang servers' advertisements. The documentation suggests either adding the thp (thumbprint) to the tang configuration or using -y to trust everything. Both seem to fail.

The thumbprint attempt just fails when we're trying to use clevis luks. In clevis encrypt it works okay:

clevis encrypt sss '{"t":2, "pins":{"tang":[{"url":"http://10.11.12.13:1234", "thp":"[...]"},{"url":"http://10.11.12.14:1234", "thp":"[...]"},{"url":"http://10.11.12.15:1234", "thp":"[...]"}]}}' < test.txt > test.jwe

but using the same config with clevis luks always prompts "Token could not be imported from the file".

Trying to use -y fails even on a very basic test with tang itself. It still asks to trust the server's advertisement.

Did we miss anything? I couldn't find any open issues regarding these topics, and we've checked the commands (especially the configs) several times to make sure there is no typo.

Many thanks for your help in advance, Sebastian

sarroutbi commented 1 year ago

Hello @S-Hahne. For that version (I guess you are using 12-1ubuntu2.3), the -y option was not yet implemented (note that -y does not appear in the usage):

$ clevis encrypt tang -h

Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE
...

You need a more recent version. In case you cannot upgrade your Ubuntu version, you will need to compile the source version and install it.
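Two of the points above can be checked before touching a LUKS header: whether the installed clevis even advertises -y (the usage line quoted above versus the newer one), and what thp value belongs in the tang pin config from the original post. The following is an added example, not code from clevis, tang or this issue. tang key thumbprints are RFC 7638 JWK thumbprints (the same thing jose jwk thp prints); the hash defaults to SHA-256 on recent tang and to SHA-1 on older releases, so the hash is a parameter here. The advertisement data, key material and the newer usage line `Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE` are constructed or assumed for the example; the server addresses are the placeholders from the post.

```python
import base64
import hashlib
import json
import re


def b64url(data):
    """base64url without padding, as used throughout JWK/JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RFC 7638 section 3.2: only these members enter the thumbprint, per key type.
# Extra members a server adds (alg, key_ops, kid) must be dropped first.
THP_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk, hash_name="sha256"):
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace,
    hashed, base64url-encoded without padding."""
    members = THP_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.new(hash_name, canonical.encode("utf-8")).digest())


def adv_payload_keys(adv):
    """Unpack the JWKSet from a tang advertisement (a JWS in JSON serialization).
    The JWS signature is not checked here: pinning thp means trust comes from
    the operator-supplied thumbprint, not from the advertisement itself."""
    return json.loads(b64url_decode(adv["payload"]))["keys"]


def signing_key_thumbprints(adv, hash_name="sha256"):
    """Thumbprints of the advertised signing keys ('verify' in key_ops);
    one of these is what goes into the tang pin's thp field."""
    return [jwk_thumbprint(k, hash_name)
            for k in adv_payload_keys(adv) if "verify" in k.get("key_ops", [])]


def sss_tang_config(servers, threshold):
    """Build the CONFIG argument for clevis encrypt sss / clevis luks bind
    from (url, thp) pairs as compact JSON, ready to wrap in single quotes."""
    pins = [{"url": url, "thp": thp} for url, thp in servers]
    return json.dumps({"t": threshold, "pins": {"tang": pins}},
                      separators=(",", ":"))


def supports_yes_flag(help_text):
    """True when the captured 'clevis encrypt tang -h' output lists [-y]
    (assumed usage format; absent from the clevis 12 output quoted above)."""
    return re.search(r"\[-y\]", help_text) is not None


def pinned_config(advs_by_url, threshold):
    """Per server: take the first advertised signing key's thumbprint and pin it."""
    servers = [(url, signing_key_thumbprints(adv)[0])
               for url, adv in advs_by_url.items()]
    return sss_tang_config(servers, threshold)


# --- constructed sample data: made-up key material, not real tang keys ---
def _fake_adv(x, y):
    keys = [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"],
         "kty": "EC", "x": x, "y": y},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
         "kty": "EC", "x": y, "y": x},
    ]
    # A real advertisement carries a real protected header and signature.
    return {"payload": b64url(json.dumps({"keys": keys}).encode("utf-8")),
            "protected": "", "signature": ""}


SAMPLE_ADVS = {
    "http://10.11.12.13:1234": _fake_adv("AX" * 44, "AY" * 44),
    "http://10.11.12.14:1234": _fake_adv("BX" * 44, "BY" * 44),
    "http://10.11.12.15:1234": _fake_adv("CX" * 44, "CY" * 44),
}
OLD_HELP = "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE\n"
NEW_HELP = "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE\n"

if __name__ == "__main__":
    print("installed clevis understands -y:", supports_yes_flag(OLD_HELP))
    print(pinned_config(SAMPLE_ADVS, 2))
```

On a real host the advertisement comes from `curl http://SERVER/adv` and the reference value from `tang-show-keys` on the server; if the thumbprint computed here does not match what the server operator published, stop rather than accepting the advertisement interactively, since that interactive "trust this?" prompt is exactly the step thp pinning exists to remove.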

S-Hahne commented 1 year ago

Hello @sarroutbi,

many thanks. Sorry, I had just read the docs here on GitHub, and they all promised -y. I didn't think there was any reason it would not be available in Focal. Updating Ubuntu is no real option, as we'll be setting up several virtual machines and we are currently not at the point where all machines will run Jammy.

Can you also imagine a reason for the different behavior when explicitly using the thumbprints? (That was our preferred way anyway)

Many thanks again!

sergio-correia commented 1 year ago

but using the same config with clevis luks always prompts "Token could not be imported from the file":

This usually means that there is not enough space left in the LUKS header to store the required metadata. Do you have other bindings already on this device? (clevis luks list -d DEVICE might be helpful here.) If so, you may try to remove those and re-bind.

S-Hahne commented 1 year ago

Many Thanks!

That sounds reasonable. We'll try this again on a fresh install then 👍🏼 As that's not a bug in clevis, I'll close this issue.

Kindest regards, Sebastian