Displaying 20 results from an estimated 24 matches for "clevis".
2019 Oct 17
0
Using Clevis/Tang (NBDE) to automatically decrypt volumes from within libguestfs
...n in your
virtual machines. But instead of having to type a passphrase when the
guest boots, there is a network server which gives out tokens, so as
long as the guest is booted from the trusted network it is able to
boot unattended.
In RHEL[1] we have three pieces of software which help here:
- Clevis: Installed in the guest, it replaces the normal askpass
script with one which goes to the server to get the decryption
token.
- Tang: This is the server component, ie. it must always be running
on the trusted network so your guests can boot unattended.
- JOSE: Something something JSON...
2018 Jun 08
2
C7, encryption, and clevis
We've been required to encrypt h/ds, and so have been rolling that out
over the last year or so. Thing is, you need to put in a password, of
course, to boot the system. My manager found a way to allow us to reboot
without being at the system's keyboard, a package called clevis. Works
fine... except in a couple of very special cases.
Those systems, the problem is that, due to older software, and *very*
expensive licenses that are tied to a MAC address, I have to spoof the MAC
address since my users got new(er) machines.
Clevis is trying to contact its password server, u...
2018 Nov 27
1
NBDE, clevis and tang for non-root disk
...> find the actual problem. The problem is that the initramfs image generated
> by dracut -f does not include the /etc/crypttab from the OS (it only
> contains the entry for the root device). Once I have manually added the
> other volumes in the /etc/crypttab file from the initramfs image, clevis
> is able to decrypt all volumes. Now the question is why the generated
> initramfs image has a different /etc/crypttab. How can I specify
> /etc/crypttab for the initramfs so that
> further kernel updates will not replace it with the wrong file?
>
Sorry, I think you misunderstood. T...
2018 Jun 08
3
C7, encryption, and clevis
...'ve been required to encrypt h/ds, and so have been rolling that out
>> over the last year or so. Thing is, you need to put in a password, of
>> course, to boot the system. My manager found a way to allow us to reboot
>> without being at the system's keyboard, a package called clevis. Works
>> fine... except in a couple of very special cases.
>>
>> Those systems, the problem is that, due to older software, and *very*
>> expensive licenses that are tied to a MAC address, I have to spoof the
>> MAC address since my users got new(er) machines.
>>...
2018 Jun 08
0
C7, encryption, and clevis
...> We've been required to encrypt h/ds, and so have been rolling that out
> over the last year or so. Thing is, you need to put in a password, of
> course, to boot the system. My manager found a way to allow us to reboot
> without being at the system's keyboard, a package called clevis. Works
> fine... except in a couple of very special cases.
>
> Those systems, the problem is that, due to older software, and *very*
> expensive licenses that are tied to a MAC address, I have to spoof the MAC
> address since my users got new(er) machines.
>
> Clevis is trying...
2018 Nov 26
0
NBDE, clevis and tang for non-root disk
...moment I add
another volume to /etc/crypttab the system will no longer boot
automatically. A tcpdump on the tang server shows no traffic while the
system is stuck at the LUKS password prompt.
The second encrypted volume is set up in the same way as the root device
and I can unlock the volume using clevis-luks-unlock -d /dev/vda3.
I've seen in
https://rhelblog.redhat.com/2018/04/13/an-easier-way-to-manage-disk-decryption-at-boot-with-red-hat-enterprise-linux-7-5-using-nbde/
that clevis-luks-askpass.path needs to be enabled but it doesn't make a
difference.
Any ideas on what's wrong or h...
2018 Jun 08
0
C7, encryption, and clevis
...ng that out
>>>>> over the last year or so. Thing is, you need to put in a password, of
>>>>> course, to boot the system. My manager found a way to allow us to
>>>>> reboot without being at the system's keyboard, a package called
>>>>> clevis. Works fine... except in a couple of very special cases.
>>>>>
>>>>> Those systems, the problem is that, due to older software, and *very*
>>>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>>>> MAC address since...
2018 Jun 08
2
C7, encryption, and clevis
...have been rolling that out
>>>> over the last year or so. Thing is, you need to put in a password, of
>>>> course, to boot the system. My manager found a way to allow us to
>>>> reboot without being at the system's keyboard, a package called
>>>> clevis. Works fine... except in a couple of very special cases.
>>>>
>>>> Those systems, the problem is that, due to older software, and *very*
>>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>>> MAC address since my users got ne...
2018 Jun 08
0
C7, encryption, and clevis
...uired to encrypt h/ds, and so have been rolling that out
>>> over the last year or so. Thing is, you need to put in a password, of
>>> course, to boot the system. My manager found a way to allow us to reboot
>>> without being at the system's keyboard, a package called clevis. Works
>>> fine... except in a couple of very special cases.
>>>
>>> Those systems, the problem is that, due to older software, and *very*
>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>> MAC address since my users got new(e...
2018 Nov 27
0
NBDE, clevis and tang for non-root disk
...e hint needed to find
the actual problem. The problem is that the initramfs image generated by
dracut -f does not include the /etc/crypttab from the OS (it only contains
the entry for the root device). Once I have manually added the other
volumes in the /etc/crypttab file from the initramfs image, clevis is able
to decrypt all volumes.
Now the question is why the generated initramfs image has a different
/etc/crypttab. How can I specify /etc/crypttab for the initramfs so that
further kernel updates will not replace it with the wrong file?
Radu
2018 Jun 08
0
C7, encryption, and clevis
Frank Cox wrote:
>> > so if it would work, replace shortname with short and short1?
>
> With all of this hokey-pokey surrounding licensing and mac addresses, I
> wonder if this outfit is actually still in compliance with the terms of
> their license for this software, whatever it may be?
>
> If the software licensed to run only on Machine X and Machine X has now
>
2018 Jun 08
0
C7, encryption, and clevis
Valeri Galtsev wrote:
> On 06/08/18 15:26, m.roth at 5-cent.us wrote:
<SNIP>
>>> On a similar note: one of the companies whose software scientists here
>>> were using a lot (IDL is a product) changed hands several times, and
>>> last owner changed licensing terms and stopped signing perpetual licenses.
>>> With perpetual license you were able to keep
2018 Jun 10
0
C7, encryption, and clevis
On 2018-06-08, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> Frank, I 100% agree with you. The only case with spoofed MAC address and
> license that may have chance to stand in court will be if all below are
> true:
>
> 1. the company issued perpetual license.
> 2. the company does not exist
Based on what's written below, it seems like the company does
2018 Jun 08
0
C7, encryption, and clevis
Valeri Galtsev wrote:
> On 06/08/18 13:48, m.roth at 5-cent.us wrote:
>> Frank Cox wrote:
>>>>> so if it would work, replace shortname with short and short1?
>>>
>>> With all of this hokey-pokey surrounding licensing and mac addresses, I
>>> wonder if this outfit is actually still in compliance with the terms of
>>> their license for this
2018 Jun 08
1
C7, encryption, and clevis
On 06/08/18 15:45, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>> On 06/08/18 15:26, m.roth at 5-cent.us wrote:
> <SNIP>
>>>> On a similar note: one of the companies whose software scientists here
>>>> were using a lot (IDL is a product) changed hands several times, and
>>>> last owner changed licensing terms and stopped signing perpetual
2018 Jun 08
2
C7, encryption, and clevis
> > so if it would work, replace shortname with short and short1?
With all of this hokey-pokey surrounding licensing and mac addresses, I wonder if this outfit is actually still in compliance with the terms of their license for this software, whatever it may be?
If the software licensed to run only on Machine X and Machine X has now been junked and replaced by Machine Y, then isn't the
2018 Jun 08
2
C7, encryption, and clevis
On 06/08/18 15:26, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>> On 06/08/18 13:48, m.roth at 5-cent.us wrote:
>>> Frank Cox wrote:
>>>>>> so if it would work, replace shortname with short and short1?
>>>>
>>>> With all of this hokey-pokey surrounding licensing and mac addresses, I
>>>> wonder if this outfit is
2018 Feb 13
0
Two MACs for one IP
The reason I want to assign one IP to two MAC addresses is that I have one
(and only one) user for whom I have to spoof the MAC address (it's a case
of stupid software licensing). But... his system is encrypted. Now, we're
using clevis to allow reboots without someone being at the keyboard to
type in the password. Those of you who've looked at clevis see where this
is going: clevis uses the *real* firmware MAC address to get the key from
the latchset server... while currently, the dhcpd *only* knows the spoofed
MAC address....
2019 Apr 01
1
dracut ipv6 fixed ip
hi,
we have successfully implemented a tang/clevis environment for
automatically entering luks keys and booting hosts without operator
intervention.
Now we would like to use this as well on ipv6 networks, but I do not seem
to get it to work.
I have already posted this issue to the dracut devs github issue tracker (
https://github.com/dracutdevs/d...
2018 Jun 08
5
C7, encryption, and clevis
On 06/08/18 13:48, m.roth at 5-cent.us wrote:
> Frank Cox wrote:
>>>> so if it would work, replace shortname with short and short1?
>>
>> With all of this hokey-pokey surrounding licensing and mac addresses, I
>> wonder if this outfit is actually still in compliance with the terms of
>> their license for this software, whatever it may be?
>>
>> If