Discuss: Support for automated decrypt / remote unlock for apps - clevis / tang ?

[ieugen]

This might be in a companion library but Clevis and Tang implement a protocol for automated decryption (remote unlock).

It might be useful for tempel to support at least the client part if not more.

Clevis and Tang provide a way for a system to decrypt secrets if it's in a specific network or has access to TPM.
Seemed quite ingenious to me and worth mentioning in the context of tempel.

Might be useful for starting an application that needs to decrypt a bunch of service (the admin) credentials without requiring user input.

https://github.com/latchset/clevis
https://github.com/latchset/tang

[ptaoussanis]

Hi there! I've not heard of either of these before, thanks for the links. Will take a look next time I'm doing batched work on Tempel - though please note that in principle my current plan is to keep Tempel's scope limited to more or less what it does now.

(Which of course doesn't exclude the possibility of interested folks building higher-level protocols on top of it, etc. 👍)

[ieugen]

Thanks, sounds reasonable.