"Not on the same physical medium" security requirement for Tang server and clients #101

jamshid · 2022-11-08T23:27:13Z

The README says it's important the Tang keys are not on the same physical medium when using a container, but that's not really docker/container-specific right? If the Tang server and a client are running in virtual machines on the same host and the server is stolen, the data can be unencrypted.

Docker Container
Tang is also available as a Docker Container.
Care should be taken to ensure that, when deploying in a container cluster, that the Tang keys are not stored on the same physical medium that you wish to protect.

IMO it would be good to move the "Tang keys must not be stored on the same physical medium that you wish to protect" requirement to https://github.com/latchset/tang/#security-considerations.

sarroutbi · 2022-11-10T10:27:06Z

IMHO, it is worth to remember in the README.md that tang and clevis client should be pinned to different hosts for security issues. I agree it is not Docker specific, but it applies to Docker, so, it is worth reminding it there.

jamshid changed the title ~~"Same physical media"~~ "Not on the same physical medium" security requirement for Tang server and clients Nov 8, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

"Not on the same physical medium" security requirement for Tang server and clients #101

"Not on the same physical medium" security requirement for Tang server and clients #101

jamshid commented Nov 8, 2022

sarroutbi commented Nov 10, 2022 •

edited

Loading

Uh oh!

"Not on the same physical medium" security requirement for Tang server and clients #101

"Not on the same physical medium" security requirement for Tang server and clients #101

Comments

jamshid commented Nov 8, 2022

sarroutbi commented Nov 10, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sarroutbi commented Nov 10, 2022 •

edited

Loading