nbde over internet

whoop
Posts: 2
Joined: 2020/10/17 13:25:06

nbde over internet

Post by whoop » 2020/10/17 13:32:20

In most examples I've seen about nbde it seems to be used to unlock luks machines over a local (secure) network.
Communication doesn't need TLS because it is stateless. The machine is unlocked by comparing keys.
What encryption is being used when communicating between clevis client and tang server?
Is it "wise" to unlock an encrypted machine using nbde over the internet?

Thanx.

aks
Posts: 3032
Joined: 2014/09/20 11:22:14

Re: nbde over internet

Post by aks » 2020/10/18 18:01:43

Not over the Internet.

whoop
Posts: 2
Joined: 2020/10/17 13:25:06

Re: nbde over internet

Post by whoop » 2020/10/19 17:21:55

That's what I gathered also. But why?
So every time I need to reboot a remote server I need to get on the road or use some dropbear/dracut-ssh/partial encryption scheme to get things going again? There's no automation?
I would think that nbde would be ideal in this situation. Stuff can be rebooted automatically and in the event a clevis machine gets stolen you just pull the tang service.
I am under the impression that a man-in-the-middle attack will not work and the communication between clevis and tang does not contain any information that could compromise the encryption (so there's no risk). The only problem would be DDoS, but that risk applies to every network service in the end, in some way.

Why isn't nbde being advertised as being able to solve this problem? I can't be the first one to think of this. What am I missing?
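The two questions above (what goes over the wire between clevis and tang, and whether an observer learns anything from it) are easiest to answer by walking through the exchange itself. The following is an added illustration, not code from clevis or tang: it models the McCallum-Relyea key recovery that tang implements, using a small prime-order subgroup of the integers modulo a constructed toy prime in place of the elliptic-curve group (P-521 points exchanged as JSON Web Keys over plain HTTP) that the real software uses. The group parameters and all function names are assumptions for the demo; only the structure of the exchange is faithful.

```python
"""Toy model of the tang/clevis key-recovery exchange (McCallum-Relyea).

Added illustration, not code from clevis or tang. A small prime-order
subgroup of Z_p^* stands in for the elliptic-curve group tang really uses,
so the numbers are NOT secure; only the shape of the exchange is the same.
"""
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, G generates the subgroup of order Q.
P = 1019
Q = 509
G = 4


def tang_keygen():
    """Server side: long-lived private exponent s and advertised public value S."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, pow(G, s, P)


def clevis_provision(S):
    """Client side at bind time: derive wrapping key K = S^c, keep only C = G^c.

    Returns (K, C). The caller wraps the LUKS passphrase with K, stores C
    (plus S) in the LUKS header metadata, then discards c and K. Nothing is
    sent to the server during provisioning.
    """
    c = 1 + secrets.randbelow(Q - 1)
    C = pow(G, c, P)
    K = pow(S, c, P)
    return K, C


def tang_recover(s, x):
    """Server side: the only operation tang performs, y = x^s."""
    return pow(x, s, P)


def clevis_recover(C, S, server):
    """Client side at boot: blind C with a fresh ephemeral e, ask tang, unblind.

    `server` is any callable x -> y (a network round trip in real deployments).
    Returns (K, transcript); the transcript is everything an observer on the
    path between client and tang sees.
    """
    e = 1 + secrets.randbelow(Q - 1)
    E = pow(G, e, P)
    x = (C * E) % P               # sent to tang: C blinded by E, uniform in the group
    y = server(x)                 # returned by tang: x^s = C^s * E^s
    z = pow(S, e, P)              # client computes E^s itself from the public S
    K = (y * pow(z, -1, P)) % P   # strip the blinding term: K = C^s = S^c
    return K, {"sent_x": x, "received_y": y}


def demo():
    """Full round: provision, then recover through a simulated tang."""
    s, S = tang_keygen()
    K_bound, C = clevis_provision(S)
    K_boot, transcript = clevis_recover(C, S, lambda x: tang_recover(s, x))
    return K_bound == K_boot, K_bound, transcript


if __name__ == "__main__":
    ok, key, seen = demo()
    print("recovered key matches:", ok)
    print("on the wire:", seen)
```

The transcript returned by `clevis_recover` is the whole conversation: one blinded value in, one exponentiated value out. Neither tang nor someone watching the link ever sees `C`, `e` or `K`, and the blinding factor changes on every boot, which is why the protocol runs over plain HTTP and why replaying a captured exchange does not help. The security-relevant consequence is the one whoop already touched on: the key comes out for anyone who holds a copy of the disk and can reach a tang server whose `S` matches the header, so exposing tang to the Internet turns "can the attacker reach my tang" into the question that decides whether a stolen disk stays encrypted.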

aks
Posts: 3032
Joined: 2014/09/20 11:22:14

Re: nbde over internet

Post by aks » 2020/10/25 18:10:39

Why is it not a good idea to send secrets over a public network? (they are secrets - why else are you encrypting).

Yes these things can be automated with some thought.
