nullpoint/MASTER_README.md
2025-05-13 21:23:55 +02:00


# Tang Server Setup
Tang server for remote LUKS unlock. Runs on-premise with logging for future approval system integration.
## Quick Setup
```bash
# Install Tang
# Fedora/CentOS:
sudo dnf install tang
# Ubuntu:
sudo apt install tang
# Enable and start the Tang socket (tangd itself is spawned per connection)
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket
# Generate keys. tangd-keygen is installed under /usr/libexec, which is not
# on sudo's PATH, so call it by its full path.
sudo mkdir -p /var/db/tang
sudo /usr/libexec/tangd-keygen /var/db/tang
# Get thumbprint for Ignition config
sudo tang-show-keys /var/db/tang
```
## Security
### Connection Security
- Tang uses HTTPS for all connections
- Each connection is encrypted end-to-end
- Tang verifies client identity through challenge-response
- Client verifies Tang's identity through signed advertisements
### Request Logging
To log all unlock requests:
1. Create a wrapper script:
```bash
#!/bin/bash
# /usr/local/bin/tangd-wrapper
# Get client info. systemd exports REMOTE_ADDR to per-connection (Accept=yes)
# socket-activated services; SOCAT_PEERADDR is only present when run under socat.
CLIENT_IP="${REMOTE_ADDR:-${SOCAT_PEERADDR:-unknown}}"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
echo "$TIMESTAMP: Unlock request from $CLIENT_IP" >> /var/log/tang-requests.log
wall "Tang unlock request from $CLIENT_IP at $TIMESTAMP" # Notify all TTYs
# Serve the request; stdin/stdout are the client socket, so nothing may be
# printed here. Do not exec tangd, or the final log line below never runs.
/usr/libexec/tangd "$@"
STATUS=$?
echo "$TIMESTAMP: Request auto-approved (tangd exit $STATUS)" >> /var/log/tang-requests.log
exit "$STATUS"
```
Or use the wrapper provided by [raven](https://git.dominik-roth.eu/dodox/raven) to refuse unlocks upon its activation.
2. Make it executable:
```bash
sudo chmod +x /usr/local/bin/tangd-wrapper
```
3. Configure systemd to use the wrapper:
```bash
# Create override directory for the per-connection service. tangd.socket only
# accepts connections; tangd@.service is the unit that runs tangd for each one.
sudo mkdir -p /etc/systemd/system/tangd@.service.d/
# Create override file (the empty ExecStart= clears the packaged command line)
sudo tee /etc/systemd/system/tangd@.service.d/override.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/local/bin/tangd-wrapper /var/db/tang
EOF
# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart tangd.socket
```
Now when a server requests an unlock:
1. A message appears on all TTYs (including SSH sessions)
2. The request is logged to `/var/log/tang-requests.log`
3. The request is automatically approved
4. All actions are logged with timestamps
Future integration points:
- Add webhook support to notify Slack/Discord
- Add approval via web interface
- Add rate limiting
- Add client whitelisting
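As an added example (not part of this README), the last two integration points implemented offline as an audit over the log the wrapper above writes: clients outside an allow-list and clients exceeding a per-client request rate are flagged. The allow-list, the threshold and the sample log lines are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the request lines the tangd-wrapper writes, e.g.
# "2025-05-13 21:23:55: Unlock request from 10.0.0.7"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): Unlock request from (\S+)$")

def parse_log(lines):
    """Yield (timestamp, client_ip) per request line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def audit(lines, allowed_networks, max_requests, window_seconds):
    """Flag clients outside allowed_networks ('not-allowlisted') and clients
    making more than max_requests within window_seconds ('rate-exceeded')."""
    nets = [ip_network(n) for n in allowed_networks]
    window = timedelta(seconds=window_seconds)
    recent = {}  # ip -> deque of timestamps still inside the sliding window
    findings = []
    for ts, ip in parse_log(lines):
        try:
            addr = ip_address(ip)
        except ValueError:  # e.g. "unknown" when REMOTE_ADDR was not set
            findings.append((ts, ip, "unparseable-address"))
            continue
        if not any(addr in n for n in nets):
            findings.append((ts, ip, "not-allowlisted"))
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > max_requests:
            findings.append((ts, ip, "rate-exceeded"))
    return findings

# Constructed sample log: a normal client, a burst from 10.0.0.9, one outsider.
SAMPLE_LOG = """\
2025-05-13 21:23:55: Unlock request from 10.0.0.7
2025-05-13 21:23:56: Request auto-approved
2025-05-13 21:30:00: Unlock request from 10.0.0.9
2025-05-13 21:30:01: Unlock request from 10.0.0.9
2025-05-13 21:30:02: Unlock request from 10.0.0.9
2025-05-13 21:30:03: Unlock request from 10.0.0.9
2025-05-13 22:00:00: Unlock request from 203.0.113.5
""".splitlines()
```

Running `audit(SAMPLE_LOG, ["10.0.0.0/24"], 3, 60)` yields two findings: the fourth request from 10.0.0.9 within a minute and the request from 203.0.113.5.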
## Backup
```bash
# Backup keys. The archive holds the private signing and exchange keys, so
# store it with the same protection as /var/db/tang itself.
sudo tar -czf tang-keys-$(date +%Y%m%d).tar.gz /var/db/tang/
```
## Recovery
If keys are lost:
1. Generate new keys
2. Update all client configurations
3. Re-encrypt all client systems