fedora-coreos-docs
Suggest additional keyfile/passphrase when using TPM-pinned encryption in single node case
Both the RHEL docs (see the WARNING boxes) and https://wiki.archlinux.org/title/Trusted_Platform_Module#Clevis recommend setting a strong passphrase when using TPM pinning.
This can be done using storage.luks.keyFile in the Ignition config, but if the Ignition config cannot be secured we should also document doing it manually using cryptsetup luksAddKey once the host is up.
Both of those warnings seem to be concerned with sealing to PCR values, which we don't currently do.
I agree that we should document the consequences of only using TPM pinning (if you lose your motherboard, you lose your data), and that we should suggest alternatives (Tang and static keys). But I don't think we should recommend a backup passphrase. FCOS is still primarily targeted at clusters, which should be able to handle the complete loss of a node. And as you point out, there are security implications of putting a key in the Ignition config; it's cleaner and more secure to use Tang.
You're right re. PCR sealing. I learned about that bit shortly after filing this issue.
But I don't think we should recommend a backup passphrase. FCOS is still primarily targeted at clusters, which should be able to handle the complete loss of a node. And as you point out, there are security implications of putting a key in the Ignition config; it's cleaner and more secure to use Tang.
Yeah, it makes less sense in a cluster context. I was thinking more of the single node case. The protection offered by TPM pinning might be good enough and Tang might be too much work to set up. I'll retitle this issue.
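As an added illustration of the alternatives discussed in this thread (this is example config, not from the issue or the fedora-coreos-docs project), a Butane config that binds a data volume to both the TPM2 and a Tang server with a threshold of 1, so either pin can unlock it and losing the motherboard does not mean losing the data; the device path, Tang URL and thumbprint are placeholders.

```yaml
# Constructed example: Butane (variant fcos) config for a LUKS data volume
# that can be unlocked by the local TPM2 OR by a Tang server (threshold: 1).
# Using both pins covers the single-node motherboard-loss case the thread
# describes without putting a static key in the Ignition config.
variant: fcos
version: 1.4.0
storage:
  luks:
    - name: data
      # Placeholder: replace with the real disk, preferably a stable
      # /dev/disk/by-id/ path so the binding does not follow a device rename.
      device: /dev/disk/by-id/REPLACE-WITH-DATA-DISK
      wipe_volume: true
      clevis:
        tpm2: true
        tang:
          - url: https://tang.example.com   # placeholder Tang server
            thumbprint: REPLACE-WITH-TANG-THUMBPRINT
        # 1 of the 2 pins is enough to unlock; TPM2-only binding would be
        # the case where a lost motherboard means lost data.
        threshold: 1
      # A static key is the other alternative mentioned in the thread, but it
      # only makes sense when the Ignition config itself can be kept secret:
      # key_file:
      #   source: https://config.example.com/data-volume.key
  filesystems:
    - path: /var/data
      device: /dev/mapper/data
      format: xfs
      with_mount_unit: true
```

Without a Tang pin (or a key file), the remaining option is the manual one from the issue body: add a backup passphrase with cryptsetup luksAddKey after the host is up, which creates a keyslot independent of the Clevis bindings.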