This post explains how to rotate Tang Server Keys and update the Clevis Client. Note, below is an example hence all certificates, keys and device names/uuid’s are fictional.

Change the keys on the tang server

1. Check existing key:

# ls -la /var/db/tang
total 8
dr-xrws---. 2 tang tang 84 Jun 26 11:24 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 11:24 W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

2. tangd-keygen:

# /usr/libexec/tangd-keygen
Usage: /usr/libexec/tangd-keygen [jwkdir] [[sig] [exc]

3. Create new keys:

# /usr/libexec/tangd-keygen /var/db/tang
# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk
-rw-r--r--. 1 root tang 354 Jun 26 14:55 KlbbdbNpdMrVwrk6hZ1wCCeabOY.jwk 

4. Move the old keys:

# ls -la /var/db/tang
total 20
dr-xrws---. 2 tang tang 4096 Jun 26 14:55 .
drwxr-xr-x. 4 root root 46 Jun 26 11:23 ..
-rw-r--r--. 1 root tang 349 Jun 26 11:24 2J0R1adoOltTNPitEHImCfvmiKI.jwk 
# cd /var/db/tang
# mv 2J0R1adoOltTNPitEHImCfvmiKI.jwk .2J0R1adoOltTNPitEHImCfvmiKI.jwk
# mv W86fsibSgr_VbM2fy-yp4DEX2JY.jwk .W86fsibSgr_VbM2fy-yp4DEX2JY.jwk

Clevis Client

Note, CentOS/RHEL 8.2 is required for the following commands.

1. Check if the keys have been changed, and regenerate if new keys are found:

# clevis luks report -d /dev/xvdc -s 1
Key "2J0R1adoOltTNPitEHImCfvmiKI" is not in the advertisement and was probably rotated!
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AJrpQNcXc20jSHemv8LbuAV2jimQvdtMZiv1ec2P1lwzm980hPh3EtSVwjlBV-ShRbd5i4SusemYUDTOQdc85WMO","y":"ALlFj2imS7oLAb5MF9wK2ZVYNxrrhDEoQ7nINFYTmQbzitGcADCgkqBaJ0ndbAgAbj5wDHhRWBY7tFuMqgF0ZHRQ"}
Key "W86fsibSgr_VbM2fy-yp4DEX2JY" is not in the advertisement and was probably rotated!
{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"APo5tX0_-ljbbqjPWIIOwzrSMxGSwVQV_PH1ZNjnriiBMOvuwoVtIAiN7tnU9hWe_-qu2nO49mDnIjqB1BCjZStH","y":"AbkxDUmUW6y6cn2lInoniOMkh84Ex5qAvRQnoy_9HoV5kckDV6GtlRZdQmIzLrMqaQwMcGdkuVU-HkqqQMS--RLi"}

Report detected that some keys were rotated.
Do you want to regenerate luks metadata with "clevis luks regen -d /dev/xvdc -s 1"? [ynYN] y
Regenerating with:
PIN: tang
CONFIG: {"url":"http://"}
The advertisement contains the following signing keys:
KlbbdbNpdMrVwrk6hZ1wCCeabOY

Do you wish to trust these keys? [ynYN] y
Keys were succesfully rotated.

2. Test new keys ( using device /dev/mapper/encrypteddisk, which is xvdc ):

# umount /encrypted/
# cryptsetup luksClose /dev/mapper/encrypteddisk
# clevis luks unlock -d /dev/xvdc
# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 8.5M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/ol_dhcp-root 17G 1.7G 16G 10% /
/dev/xvda1 1014M 172M 843M 17% /boot
tmpfs 378M 0 378M 0% /run/user/0
/dev/mapper/encrypteddisk 5.0G 68M 5.0G 2% /encrypted