Clevis/Tang: Network-bound Disk Encryption via WireGuard?

[denji]

It might be a good idea to implement clevis/tang UEFI hook with secure booting via WireGuard?

• https://github.com/latchset/tang
• https://github.com/latchset/clevis
• https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/
• https://docs.openshift.com/container-platform/4.11/security/network_bound_disk_encryption/nbde-about-disk-encryption-technology.html
• https://docs.oracle.com/en/operating-systems/oracle-linux/cockpit/cockpit-nbde.html
• https://cockpit-project.org/blog/cockpit-175.html
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption
• https://wiki.archlinux.org/title/Clevis (YubiKey / Secure Boot tip's)
• https://github.com/kishorv06/arch-mkinitcpio-clevis-hook

[r-pufky]

I've never used tang/clevis -- pretty neat.

I'll have to look into each to see if there are specific changes required for wireguard-initramfs support. I'm very much inclined to keep this module singularly focused and do it well; but open to changes if it's required to get these tools working.

[coelner]

There is nothing to do, it works flawless for the case:

1. establish wireguard tunnel, get tang/clevis over vpn to decrypt root partition, boot OS

Instead it could be useful to store the private wireguard key into the TPM, which get only unsealed if the secure boot chain is valid. I would consider the wireguard-initramfs more as an overlay to handle specific maintenance task in a specific net and not really as a security enhancement (problem: keeping the private key private). In combination with the initramfs-dropbear ssh-server you get a neat fallback troubleshooting solution, if something went wrong with clevis/tang. And due the pre-shared-key handling in the initramfs-dropbear solution you get a trust bonding which is safe, as long as you can keep your private ssh client key safe.

clevis can be configured to use the TPM as a client key storage, which should be limited to a verified secure boot chain. But there is no need for an additional protection layer.