Description
Hi there!
There is no discussions in this repo, so I'm going to open issue.
I'm just curious if such a case is really secures anything.
Here is "security" section from Tang's README, for clarity:
There are thus three avenues of attack which we will consider in turn:
- Man-in-the-Middle
- Compromise the client to gain access to cJWK
- Compromise the server to gain access to sJWK's private key
I'm trying to encrypt root disks of some VM instances hosted in clouds. This is for protecting VMs from cloud provider itself. And I didn't understand clearly for binding to Tang server is it supposed to run in private or public network?
In examples, there is URLs such as http://tang.local which suggests that Tang should run NOT in publicly accessible network. Unfortunately, for my objective this can't be the case.
If I will run Tang in any kind of private network hosted by cloud provider, then I'm not securing anything, as cloud provider would easily access Tang server in that network.
On the other hand, if I will run Tang outside provider's boundary, then it will not be accessible by VMs trying to recover LUKS keys, and to achieve that I need to connect VMs somehow to my own private network, which in turn requires VMs to have some kind of keys/credentials to access such network, which I can't store securely inside VMs itself.
But there is one network that doesn't require any setup to access, and this is Internet. So, I'm considering this scenario:
- I have another host not in cloud provider infrastructure
- it runs Tang
- it is accessible over Internet
- cloud VMs bind LUKS to that Tang host
Then, I didn't understand is that scenario really secures anything? To my understanding, this is point 2 from "Tang security considerations". In this case, cJWK stored in LUKSMeta along with Tang's URL, so it can be easily accessed by provider, and as long as Tang server is public they can easily recover LUKS keys. To my understanding, this is much like stashing key from your apartments under apartment's "Welcome!" rug - it is "secure" unless you know where to look - under rug. (In this analogy, that would be actually neighbor's rug, but this doesn't change anything).
Note that doing SSS to multiple Tang servers not changes anything, as it doesn't matter how many of them there, as long as they are publicly accessible.