Bug 2126533

Summary: [RFE] Clevis to provide a parameter for the key description of a key in the kernel keyring
Product: Red Hat Enterprise Linux 9
Reporter: Dennis Keefe <dkeefe>
Component: clevis
Assignee: Sergio Arroutbi <sarroutb>
Status: CLOSED ERRATA
QA Contact: Martin Zelený <mzeleny>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 9.2
CC: amulhern, dapospis, jafiala, mzeleny, rsroka, sarroutb
Target Milestone: rc
Keywords: AutoVerified, FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: clevis-18-107.el9
Doc Type: Enhancement
Doc Text:
.Clevis accepts external tokens
With the new `-e` option introduced to the Clevis automated encryption tool, you can provide an external token ID to avoid entering your password during `cryptsetup`. This feature makes the configuration process more automated and convenient, and is useful particularly for packages such as `stratis` that use Clevis.
Story Points: ---
Last Closed: 2023-05-09 07:46:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1862173

Description Dennis Keefe 2022-09-13 18:30:10 UTC
This BZ should be blocked by 1862173, as support in cryptsetup is required for Clevis to support this feature. 

Copied from: https://bugzilla.redhat.com/show_bug.cgi?id=1862173#c20

"The basic idea is that unlocking a cryptsetup volume does indeed work using tokens specifying a key description. This causes the device to unlock without prompting the user for a passphrase when invoking cryptsetup luksOpen. The problem here is that cryptsetup luksAddKey does not have this same functionality. cryptsetup luksAddKey requires an existing passphrase to modify the key slots and a new passphrase to add to an open key slot. Our long term goal is to add this feature so that Clevis can invoke cryptsetup luksAddKey and use a key description to fetch the existing password for modification access from the kernel keyring. Currently, cryptsetup luksAddKey only supports a keyfile and stdin for password input as far as I can tell. Adding a key description option for password input would provide us with the ability to remove a rather lengthy workaround to expose passphrases from the kernel keyring securely as a file so that cryptsetup can consume them. Ondrej, I have no strong preference for whether you'd like to take advantage of tokens to accomplish this or whether you'd rather provide a command line parameter to specify the key description. I think we can make either work.

Ondrej and Sergio, we had already discussed this over email, but I just want to make sure that the bugzilla has the appropriate information because my original request was a little too vague for those following along."
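The mechanism the description relies on, as an added worked example (it is not part of this bug report, nor code from clevis or cryptsetup): a LUKS2 keyring token lets `cryptsetup open` fetch the passphrase from the kernel keyring by key description with no prompt; `luksAddKey` without token support needs that passphrase exposed as a file (the workaround described above, done here with a FIFO so nothing lands on disk); and with token-based unlocking in `luksAddKey` the existing token authorizes the new keyslot directly, which is what `clevis luks bind -e TOKEN_ID` builds on. Assumptions not stated on the page: the `--token-id` option of `luksAddKey` (cryptsetup 2.6 or later, to my knowledge), root, the `keyutils` and `cryptsetup` utilities, `losetup`, and a constructed key description, token id and passphrase. The `keyring_token_json` helper is pure and runs without root; the `demo` function only runs when invoked with the argument `run`.

```shell
#!/bin/sh
# Added example; not code from the bug report, clevis or cryptsetup.
# Run the full walk-through as root:  sudo ./keyring-token-demo.sh run
set -eu

KEY_DESC="cryptsetup:demo-volume"   # constructed key description
TOKEN_ID=5                           # constructed token id
MAPPER=demo-volume

# Pure helper: the JSON body of a LUKS2 keyring token, as accepted by
# `cryptsetup token import` (keyslot numbers are strings in LUKS2 JSON).
keyring_token_json() {  # keyring_token_json DESC SLOT...
    local desc slots s
    desc=$1; shift
    slots=""
    for s in "$@"; do slots="${slots:+$slots,}\"$s\""; done
    printf '{"type":"luks2-keyring","keyslots":[%s],"key_description":"%s"}\n' \
        "$slots" "$desc"
}

# Store a passphrase in the user keyring without a trailing newline, so the
# payload is byte-identical to what cryptsetup reads with --key-file.
keyring_store() {  # keyring_store DESC PASSPHRASE -> key id on stdout
    printf '%s' "$2" | keyctl padd user "$1" @u
}

# True if luksDump lists a luks2-keyring token with this id.
has_token() {  # has_token DEV ID
    cryptsetup luksDump "$1" | grep -Eq "^[[:space:]]+$2:[[:space:]]+luks2-keyring"
}

demo() {
    [ "$(id -u)" -eq 0 ] || { echo "demo needs root" >&2; return 1; }
    umask 077
    tmp=$(mktemp -d)
    truncate -s 32M "$tmp/luks.img"
    dev=$(losetup --find --show "$tmp/luks.img")
    cleanup() {
        cryptsetup close "$MAPPER" 2>/dev/null || true
        losetup -d "$dev"; rm -rf "$tmp"
    }
    trap cleanup EXIT

    pass=$(head -c 24 /dev/urandom | base64)           # constructed passphrase
    printf '%s' "$pass" | cryptsetup luksFormat --type luks2 --batch-mode \
        --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --key-file - "$dev"

    # 1. Bind KEY_DESC to keyslot 0 as token TOKEN_ID.
    keyring_token_json "$KEY_DESC" 0 | cryptsetup token import --token-id "$TOKEN_ID" "$dev"
    has_token "$dev" "$TOKEN_ID"

    # 2. No prompt: the token makes cryptsetup look the passphrase up by description.
    kid=$(keyring_store "$KEY_DESC" "$pass")
    cryptsetup open --token-only "$dev" "$MAPPER" </dev/null
    cryptsetup close "$MAPPER"

    # 3. The workaround the bug describes: luksAddKey has no keyring lookup, so
    #    the keyring payload is exposed to it as a file (a FIFO, nothing on disk);
    #    the new passphrase arrives on stdin.
    mkfifo -m 600 "$tmp/existing"
    keyctl pipe "$kid" > "$tmp/existing" &
    printf '%s' "workaround-key" | cryptsetup luksAddKey --key-file "$tmp/existing" "$dev"
    wait

    # 4. Token-based unlock (assumed option: --token-id on luksAddKey, cryptsetup
    #    2.6 or later). clevis does the equivalent with
    #    `clevis luks bind -d "$dev" -e "$TOKEN_ID" tang '{"url":"..."}'`.
    printf '%s' "token-added-key" | cryptsetup luksAddKey --token-id "$TOKEN_ID" "$dev"

    keyctl unlink "$kid" @u
    echo "keyslots in use: $(cryptsetup luksDump "$dev" | grep -Ec '^[[:space:]]+[0-9]+: luks2$')"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Two details worth keeping in mind when adapting this: the keyring payload must not carry a trailing newline, or the token lookup and the `--key-file` read will see a different passphrase than the one the keyslot was formatted with; and `cryptsetup` resolves the token through the calling process's keyring search order, so the key must be reachable from the session in which `cryptsetup` runs (a systemd unit or a sudo session may not see a key added in your login shell).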

Comment 15 Sergio Arroutbi 2023-01-16 12:52:17 UTC
@jafiala : Can you please review if DocText is appropriate?

Comment 17 Sergio Arroutbi 2023-01-19 11:16:21 UTC
@jafiala : Doc text looks good to me. Thanks

Comment 20 errata-xmlrpc 2023-05-09 07:46:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (clevis bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2321