Rotate Tang Keys

Rotate Tang keys periodically to improve security. Tang doesn't rotate keys on its own: rotation is a manual procedure and isn't mandatory, but it limits how long any one key pair stays in use and therefore how much is exposed if the server's keys are ever compromised.

  1. Rename old keys in /var/db/tang.

    To rotate Tang keys, rename the old keys in the /var/db/tang directory so that their file names are prefixed with a period (.). Tang doesn't advertise hidden keys to clients, but it still uses them to answer recovery requests from clients that were bound to them, so existing clients keep working until you delete the files in step 3. Then regenerate the keys as described in step 2. For example, as root:

    cd /var/db/tang; for i in *; do mv -- "$i" ".$i"; done

    The glob doesn't match names that already start with a period, so keys hidden by an earlier rotation are left as they are.
  2. Regenerate the Tang keys.
    sudo /usr/libexec/tangd-keygen /var/db/tang
  3. Remove old keys from the system.

    Remove the old keys only when you're certain that no client systems still depend on any of them. If you remove an old key while a client is still bound to it, that client can no longer unlock its disk or volume automatically, and a user must enter an existing LUKS passphrase manually at boot.

    To remove the old keys, delete the files in /var/db/tang that are prefixed with a period (.).
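The three steps above, wrapped in a small POSIX shell script so that the hide, regenerate and clean-up stages can be run separately and rerun safely. This is an added example, not code from the page or from the Tang project; it assumes the layout described above (keys in /var/db/tang, hidden keys prefixed with a period) and that Tang key files carry the .jwk extension that tangd-keygen writes. The script name (tang-rotate.sh) and the TANG_DIR override are hypothetical.

```shell
#!/bin/sh
# tang-rotate.sh (hypothetical name): repeatable Tang key rotation.
# Assumes keys live in $TANG_DIR as <name>.jwk and hidden keys are
# ".<name>.jwk", matching the procedure on the page.
set -eu

TANG_DIR="${TANG_DIR:-/var/db/tang}"

# Step 1: hide every advertised key by prefixing its name with a period.
# "*.jwk" never matches dotfiles, so keys hidden by an earlier rotation are
# skipped and a second run cannot produce names like "..key.jwk".
# Prints the number of keys hidden.
hide_tang_keys() {
    dir="$1"
    count=0
    for f in "$dir"/*.jwk; do
        [ -e "$f" ] || continue      # no advertised keys: glob stayed literal
        base=$(basename "$f")
        mv -- "$f" "$dir/.$base"
        count=$((count + 1))
    done
    echo "$count"
}

# Step 2: generate a fresh key pair. Same command as on the page; needs root.
regenerate_tang_keys() {
    dir="$1"
    /usr/libexec/tangd-keygen "$dir"
}

# Step 3: delete the hidden (old) keys. Run only after every Clevis client has
# been rebound: hidden keys still serve recovery requests, deleted ones don't.
# Prints the number of keys removed.
remove_hidden_tang_keys() {
    dir="$1"
    count=0
    for f in "$dir"/.*.jwk; do
        [ -e "$f" ] || continue
        rm -f -- "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Check: list the keys Tang will advertise, one per line, so you can confirm
# that only the newly generated pair is visible before rebinding clients.
list_advertised_tang_keys() {
    dir="$1"
    for f in "$dir"/*.jwk; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

main() {
    case "$1" in
        hide)   hide_tang_keys "$TANG_DIR" ;;
        regen)  regenerate_tang_keys "$TANG_DIR" ;;
        remove) remove_hidden_tang_keys "$TANG_DIR" ;;
        list)   list_advertised_tang_keys "$TANG_DIR" ;;
        rotate) hide_tang_keys "$TANG_DIR" >/dev/null
                regenerate_tang_keys "$TANG_DIR"
                list_advertised_tang_keys "$TANG_DIR" ;;
        *)      echo "usage: $0 {hide|regen|remove|list|rotate}" >&2; exit 2 ;;
    esac
}

# Dispatch only when given a subcommand; with no arguments the file can be
# sourced to use the functions directly, e.g. hide_tang_keys /var/db/tang
[ $# -eq 0 ] || main "$@"
```

Typical use is `sudo ./tang-rotate.sh rotate` on the server, then rebinding each client, then `sudo ./tang-rotate.sh remove` once `list` shows only the new keys and no client still needs the old ones. Keeping hide and remove as separate subcommands is deliberate: the dangerous step (deleting keys clients may still be bound to) never runs as a side effect of generating new ones.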

When you rotate keys on the Tang server, you must update clients to use the new keys. See Update Clevis for Tang Key Rotation for more information.