nullpoint/MASTER_README.md
2025-05-13 21:23:55 +02:00


# Tang Server Setup

Tang server for remote LUKS unlock. Runs on-premise with logging for future approval system integration.

## Quick Setup

```bash
# Install Tang
# Fedora/CentOS:
sudo dnf install tang
# Ubuntu:
sudo apt install tang

# Enable and start Tang service
sudo systemctl enable tangd.socket
sudo systemctl start tangd.socket

# Generate keys (tangd-keygen is installed in /usr/libexec, which is not on sudo's PATH)
sudo mkdir -p /var/db/tang
sudo /usr/libexec/tangd-keygen /var/db/tang

# Get thumbprint for Ignition config
sudo tang-show-keys /var/db/tang
```

## Security

### Connection Security

- Tang uses HTTPS for all connections
- Each connection is encrypted end-to-end
- Tang verifies client identity through challenge-response
- Client verifies Tang's identity through signed advertisements

### Request Logging

To log all unlock requests:

1. Create a wrapper script:

```bash
#!/bin/bash
# /usr/local/bin/tangd-wrapper
# tangd.socket is an Accept=yes socket: systemd spawns one tangd@ instance per
# connection, attaches stdin/stdout to that connection and exports REMOTE_ADDR.

# Get client info (systemd sets REMOTE_ADDR; socat's SOCAT_PEERADDR is never set here)
CLIENT_IP="${REMOTE_ADDR:-unknown}"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')

echo "$TIMESTAMP: Unlock request from $CLIENT_IP" >> /var/log/tang-requests.log
# Notify all TTYs; silence wall's own output because stdout is the client socket
wall "Tang unlock request from $CLIENT_IP at $TIMESTAMP" >/dev/null 2>&1
# Log the decision before exec: exec replaces this shell with tangd, so nothing after it runs
echo "$TIMESTAMP: Request auto-approved" >> /var/log/tang-requests.log
exec /usr/libexec/tangd "$@"
```

Or use the wrapper provided by raven to refuse unlocks upon its activation.

2. Make it executable:

```bash
sudo chmod +x /usr/local/bin/tangd-wrapper
```
3. Configure systemd to use the wrapper. The `ExecStart=` line belongs to the `tangd@.service` template that `tangd.socket` spawns per connection, not to the socket unit itself, so the override goes under `tangd@.service.d/`:

```bash
# Create override directory for the per-connection service template
sudo mkdir -p /etc/systemd/system/tangd@.service.d/

# Create override file; the key directory is passed through to tangd via "$@"
sudo tee /etc/systemd/system/tangd@.service.d/override.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/local/bin/tangd-wrapper /var/db/tang
EOF

# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart tangd.socket
```

Now when a server requests an unlock:

  1. A message appears on all TTYs (including SSH sessions)
  2. The request is logged to /var/log/tang-requests.log
  3. The request is automatically approved
  4. All actions are logged with timestamps

Future integration points:

- Add webhook support to notify Slack/Discord
- Add approval via web interface
- Add rate limiting
- Add client whitelisting
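The following is an added example of what the rate-limiting and client-whitelisting integration points could look like on top of the wrapper above; it is not the original wrapper nor raven's script. It relies on `REMOTE_ADDR`, which systemd exports for `Accept=yes` socket units, and the allowlist path, state file path and `TANG_*` variables are assumptions.

```bash
#!/bin/bash
# Added example wrapper for /usr/local/bin/tangd-wrapper (not the original's script
# nor raven's): log every request, then refuse it unless the client is on an
# allowlist and under a per-client rate limit. Under tangd.socket (Accept=yes)
# stdin/stdout are the client connection; paths and TANG_* variables are assumptions.
set -u

LOG="${TANG_LOG:-/var/log/tang-requests.log}"
ALLOWLIST="${TANG_ALLOWLIST:-/etc/tang/allowed-clients}"  # one client IP per line
STATE="${TANG_STATE:-/var/lib/tang/requests.state}"       # "<epoch> <ip>" per request
RATE_WINDOW="${TANG_RATE_WINDOW:-60}"   # seconds
RATE_MAX="${TANG_RATE_MAX:-3}"          # requests per client within the window

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG"; }

# Whole-line match, so 192.0.2.1 does not match 192.0.2.10; '#' lines are comments.
is_allowed() {  # $1=client ip  $2=allowlist file
  [ -r "$2" ] && grep -v '^[[:space:]]*#' "$2" | grep -qxF "$1"
}

# Record the request, then succeed only if this client has made at most
# $5 requests (including this one) in the last $4 seconds.
within_rate_limit() {  # $1=client ip  $2=state file  $3=now (epoch)  $4=window  $5=max
  printf '%s %s\n' "$3" "$1" >> "$2"
  local cutoff=$(( $3 - $4 ))
  local n
  n=$(awk -v ip="$1" -v cutoff="$cutoff" '$2 == ip && $1 >= cutoff { c++ } END { print c + 0 }' "$2")
  [ "$n" -le "$5" ]
}

# Minimal HTTP refusal. stdout is the client socket, so nothing else may be
# written there or it would corrupt the response.
refuse() { printf 'HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'; }

handle_request() {  # $1=client ip; remaining arguments are passed to tangd
  local ip="$1"; shift
  log "Unlock request from $ip"
  wall "Tang unlock request from $ip" >/dev/null 2>&1
  if ! is_allowed "$ip" "$ALLOWLIST"; then
    log "Refused $ip: not in allowlist"; refuse; return 1
  fi
  if ! within_rate_limit "$ip" "$STATE" "$(date +%s)" "$RATE_WINDOW" "$RATE_MAX"; then
    log "Refused $ip: rate limit exceeded"; refuse; return 1
  fi
  log "Approved $ip"
  exec /usr/libexec/tangd "$@"
}

# REMOTE_ADDR exists only under socket activation; run by hand (e.g. tests) nothing is dispatched.
[ -n "${REMOTE_ADDR:-}" ] && handle_request "$REMOTE_ADDR" "$@"
```

A refused client gets an empty 403 and its clevis unlock fails, while the log records both the request and the reason for the refusal.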

## Backup

```bash
# Backup keys
sudo tar -czf tang-keys-$(date +%Y%m%d).tar.gz /var/db/tang/
```

## Recovery

If keys are lost:

  1. Generate new keys
  2. Update all client configurations
  3. Re-encrypt all client systems