This allows the operator to re-use an existing passphrase but let the
sealed volume be re-created automatically (so decryption can still
happen, we don't loose the original passphrase).
Also allows the operator to skip a PCR (e.g. 11) if they want to by
simply removing it after the initial enrollement or by manuall creating
the initial sealed volume but only with the PCRs they are interested in
by setting those to empty strings. This is useful if a PCR is expected
to change often, e.g. PCR 11 because of kernel upgrades.
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
and fix some issues with the data we send back and forth between the
client and the server
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
- Flatten if/else logic by handling errors and returning early
- Use different logger for server logs. Also handle skipped errors.
- Remove unecessary for loop
- --zap-log-level can already be used (and it works)
- Remove non-existent enki flag
- Run tests with KVM enabled on self-hosted runners
and also don't add grub.cfg since it's already there in the base image
- Remove non-used earthly target
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
- add new suite to the pipeline and fix Earthly to run tests
- read configuration from file
- the "kcrypt" section is our configuration now
- move configuration logic in `kcrypt` repository
Part of #399
Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
We use those field to identify which partition is requested. On the
client side, the label is not available when the partition is encrypted.
We allow the client to request the passphrase for a partition using the
partition name (e.g. /dev/sdb1) or the UUID (as returned by blkid).
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
in order to identify the partition. The label is not available before
the filesystem is descrypted (post-install). In that case the server can
look up the partition in the configuration using the name or the
mountpoint.
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
