
View tang pin config

Open VeganShark opened this issue 6 years ago • 4 comments

Hi, is there any way to view the tang pin configuration? If I am on a running system that has 2 active slots, one a tang pin and the other a plain luks key, I know I can find and verify which is the plain luks key by running luksOpen --test-passphrase. But what if I want to verify which tang server url:port the other slot was bound to? Is there any way to view that?

Thanks

VeganShark avatar Feb 20 '19 23:02 VeganShark

@VeganShark you could use the following script:

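#!/bin/bash
# List the clevis pin configuration stored in each LUKSMeta slot of a device.

DEV=$1
# UUID under which the clevis metadata is stored in LUKSMeta
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e

luksmeta show -d "$DEV" | while read -r slot state uuid; do
    # Skip slots that do not hold clevis data or are not active
    [ "$uuid" != "$UUID" ] && continue
    [ "$state" != "active" ] && continue

    # The stored value is a JWE; its first dot-separated field is the
    # base64url-encoded header that carries the pin configuration
    pin=$(luksmeta load -d "$DEV" -s "$slot" -u "$UUID" 2>/dev/null | cut -d . -f1 | jose b64 dec -i-)
    echo -e "Pin bound to slot $slot:\n$pin"
done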

For example:

$ sudo ./list_pins.sh /dev/sda3
Pin bound to slot 1:
{"alg":"ECDH-ES","clevis":{"pin":"tang","tang":.."url":"http://localhost"}}...

I've proposed a clevis list command some time ago in PR #24. Probably I should refresh that taking into account @npmccallum's comments.

martinezjavier avatar Feb 21 '19 11:02 martinezjavier

Perfect! Since I really just want the url I piped your luksmeta load line to | jq '.clevis.tang.url'

VeganShark avatar Feb 21 '19 17:02 VeganShark
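
The `cut -d . -f1 | jose b64 dec -i-` and `jq '.clevis.tang.url'` steps from the comments above, as an added Python example (not code from this thread or from the clevis project). It reads the pin configuration from the protected header of a JWE in compact form, which is encoded but not encrypted, so no key is needed; the function names and `SAMPLE_JWE` are constructed for illustration.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JOSE uses (only needed to build the sample)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url by restoring the '=' padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def pin_config(jwe_compact: str) -> dict:
    """Return {'pin': name, 'config': {...}} from a clevis JWE's protected header.

    Only the first dot-separated segment is read, so this works offline
    and without contacting the Tang server.
    """
    parts = jwe_compact.strip().split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization (expected 5 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"protected header is not base64url JSON: {exc}") from exc
    clevis = header.get("clevis") if isinstance(header, dict) else None
    if not isinstance(clevis, dict) or "pin" not in clevis:
        raise ValueError("no clevis pin metadata in protected header")
    pin = clevis["pin"]
    return {"pin": pin, "config": clevis.get(pin, {})}


def tang_url(jwe_compact: str):
    """URL of the Tang server the slot is bound to, or None for other pins."""
    info = pin_config(jwe_compact)
    return info["config"].get("url") if info["pin"] == "tang" else None


# Constructed sample: the header mirrors the output shown in this thread;
# the IV, ciphertext and tag segments are dummy values.
SAMPLE_HEADER = {"alg": "ECDH-ES",
                 "clevis": {"pin": "tang", "tang": {"url": "http://localhost"}}}
SAMPLE_JWE = b64url_encode(json.dumps(SAMPLE_HEADER).encode()) + "..aXY.Y3Q.dGFn"

if __name__ == "__main__":
    print(tang_url(SAMPLE_JWE))
```
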

Hello @VeganShark.

Can we close this issue then?

clevis-luks-list command could be used for this, right?

sarroutbi avatar Jan 20 '22 12:01 sarroutbi

> Hello @VeganShark. Can we close this issue then? clevis-luks-list command could be used for this, right?

clevis-luks-list works.

The "luksmeta" command fails when used with LUKS 2.

mbabuskov avatar Jun 20 '24 09:06 mbabuskov