
Better key management using tang/clevis

Open clauderobi opened this issue 10 months ago • 4 comments

As is the case for most, if not all, security solutions, managing the key is crucial.

Looking at this solution, I see that the running / deployment infrastructure needs to have access to the private key. It would be better, for the sake of security, that the private key is not seen by the infrastructure. tang offers just that!

It is way too long to go into the details here, but are the maintainers open to considering adding tang/clevis support?

clauderobi avatar Mar 28 '25 16:03 clauderobi

> It is way too long to go into the details here, but are the maintainers open to considering adding tang/clevis support?

We have pkcs11 support as well. If you want to send a PR and test case, sure!

stefanberger avatar Mar 28 '25 17:03 stefanberger

I am not a Go programmer, so that would be a steep curve... But before that, is there any "plugin" where the actual encryption / decryption would be handed out to an external program that returns / accepts a JWE?

clauderobi avatar Mar 28 '25 18:03 clauderobi

This keyprovider here is used by the test suite in this project for key wrapping and unwrapping: https://github.com/lumjjb/simple-ocicrypt-keyprovider/blob/main/main.go

If you want to go by a standard I would still point you to pkcs11. It's supported by HSMs for example.

stefanberger avatar Mar 28 '25 19:03 stefanberger

In case it helps, here are two implementations where the key is either in GCP KMS or on a TPM.

These are direct calls vs. going through a standard PKCS#11 interface (which is more portable but requires a bit more setup).

https://github.com/salrashid123/ocicrypt-tpm-keyprovider

https://github.com/salrashid123/ocicrypt-kms-keyprovider

salrashid123 avatar Oct 20 '25 07:10 salrashid123