Bug 2126533 - [RFE] Clevis to provide a parameter for the key description of a key in the kernel keyring
Summary: [RFE] Clevis to provide a parameter for the key description of a key in the k...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: clevis
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sergio Arroutbi
QA Contact: Martin Zelený
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On: 1862173
Blocks:
Reported: 2022-09-13 18:30 UTC by Dennis Keefe
Modified: 2023-05-09 09:01 UTC (History)
CC List: 6 users

Fixed In Version: clevis-18-107.el9
Doc Type: Enhancement
Doc Text:
Clevis accepts external tokens
With the new `-e` option introduced to the Clevis automated encryption tool, you can provide an external token ID to avoid entering your password during `cryptsetup`. This feature makes the configuration process more automated and convenient, and is useful particularly for packages such as `stratis` that use Clevis.
Clone Of:
Environment:
Last Closed: 2023-05-09 07:46:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   RHELPLAN-133877  0        None      None    None     2022-09-13 18:52:43 UTC
Red Hat Issue Tracker   SECENGSP-4774    0        None      None    None     2022-09-13 18:52:53 UTC
Red Hat Product Errata  RHBA-2023:2321   0        None      None    None     2023-05-09 07:46:17 UTC

Description Dennis Keefe 2022-09-13 18:30:10 UTC
This BZ should be blocked by 1862173, as support in cryptsetup is required for Clevis to support this feature.

Copied from: https://bugzilla.redhat.com/show_bug.cgi?id=1862173#c20

"The basic idea is that unlocking a cryptsetup volume does indeed work using tokens specifying a key description. This causes the device to unlock without prompting the user for a passphrase when invoking cryptsetup luksOpen. The problem here is that cryptsetup luksAddKey does not have this same functionality. cryptsetup luksAddKey requires an existing passphrase to modify the key slots and a new passphrase to add to an open key slot. Our long term goal is to add this feature so that Clevis can invoke cryptsetup luksAddKey and use a key description to fetch the existing password for modification access from the kernel keyring. Currently, cryptsetup luksAddKey only supports a keyfile and stdin for password input as far as I can tell. Adding a key description option for password input would provide us with the ability to remove a rather lengthy workaround to expose passphrases from the kernel keyring securely as a file so that cryptsetup can consume them. Ondrej, I have no strong preference for whether you'd like to take advantage of tokens to accomplish this or whether you'd rather provide a command line parameter to specify the key description. I think we can make either work.

Ondrej and Sergio, we had already discussed this over email, but I just want to make sure that the bugzilla has the appropriate information because my original request was a little too vague for those following along."

Comment 15 Sergio Arroutbi 2023-01-16 12:52:17 UTC
@jafiala : Can you please review if DocText is appropriate?

Comment 17 Sergio Arroutbi 2023-01-19 11:16:21 UTC
@jafiala : Doc text looks good to me. Thanks

Comment 20 errata-xmlrpc 2023-05-09 07:46:11 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (clevis bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2321
