-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable RHEL LUKs to use IBM S390x CEX Card Encryption #438
Comments
Hi, Could someone please give a direction that how to progress on the Luks encryption with IBM HSM using clevis? |
Hi @sarroutbi , Is there any way we can store these types of keys in eg :
|
Can you please ellaborate? How are you generating secure_xtskey1.skey file? |
We have a CEX card attached to the VM and we generate the secure key by mentioning the cex card domain 00.0047. /etc/zkey/repository is the default directory when we use following command to generate the secure keys. This can be override by using zkey generate --name secure_xtskey1 --keybits 256 --xts --volume-type LUKS2 --sector-size 512 --apqns 00.0047 Here is the pin I created which explains the process of creating the secure keys. |
Hello @madhu-pillai. I have tried something like this: $ cat secure_xtskey1.skey | jose b64 enc -I- | jose b64 dec -i- I obtain the string generated, so I doubt this is a clevis specific issue |
Hi @sarroutbi ,
A quick question. Would you be alright to explain what is the working principle of clevis-encrypt and clevis-decrypt? What I understood is clevis-encrypt PIN CFG command take stdin of plaintext which get encrypted with the HSM key ( in my case it is the secure_xtskey.skey generated from the crypto card,) which inturn convert that to JWE as stdout which get saved in the volume luks header. Decrypt process Is it how this clevis works? Kindly correct me if I am wrong. |
Hello @madhu-pillai.
$ echo secret | clevis encrypt tpm2 '{}' | clevis decrypt tpm2 '{}'
secret |
Feature Request
Luks PIN for IBM CEX (Cryptograpic Express Card) similar to TPM for Encrypting root volume LUKS with secureKeys by using IBM CEX card co-processor CCA .
I am in process of enabling CEX cryptograhic card in S390x for Luks Disk Encryption specifically for root volume.
The main aim is to implement in OCP to utilize protected key generated from utility zkey where each CEX (CCA)cards will be assigned to each OCP nodes with Master key loaded. For that this feature requires in RHEL.
The secure key get generated from the master key in the cryptographic co-processor and the effective key in securekey can be only derived inside cryptogrpahic cards with master key residing in the card.
Environment
IBM S390x.
What hardware/cloud provider/hypervisor is being used to run Ignition?
IBM S390x.
Desired Feature
A CEX (Hardware Security Module) in LUKS PIN for root device encryption. Similar to TPM2.
Other Information
Have tested by creating volume for pervasive encryption in s390x. similarly we need to use for root volume LUKS encryption with protected key.
https://www.ibm.com/docs/en/linux-on-systems?topic=volumes-creating-volume-pervasive-encryption
The text was updated successfully, but these errors were encountered: