
Server Key Database

Nathaniel McCallum edited this page Apr 20, 2016 · 7 revisions

The Tang Server (tang-keyd) requires a database of keys. The key database is simply a directory (usually /var/tang) of key files with two special naming conventions that control the server's behavior. Key management can be performed using standard file manipulation routines. If your Tang Server instance is running, it will automatically pick up any changes to the key database immediately.

Key File Naming

Tang key files follow two important naming conventions that control:

  • Key advertisement
  • Key usage

Key Advertisement

Keys that begin with '.' are not advertised. All other keys are advertised. Please note that unadvertised keys can still be used for clients that know about them. Thus, unadvertised keys are merely deprecated and will not be picked up by new clients. To disable a key from use altogether, you simply remove it from the database directory.

You may freely move keys between an advertised and unadvertised state as your policy dictates.

Key Usage

The Tang protocol uses two different kinds of keys: signing and recovery. This usage is determined by the file's extension. Signing keys have names that end in '.sig'. Recovery keys have names that end in '.rec'. Keys without either suffix will be ignored by the server.

NOTE WELL: You MUST NOT change a key's usage. Attempting to do so will compromise the security of the system.
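As an added illustration of both naming rules above (not code from the Tang project), a small POSIX shell audit that reports how tang-keyd would treat each file in a key directory. The database path defaults to /var/tang as the page states; the sample filenames in the demo are constructed.

```shell
#!/bin/sh
# Audit a Tang key database and report how the server treats each file:
#   - a leading '.' means the key is NOT advertised (deprecated, still usable
#     by clients that already know it)
#   - the suffix selects usage: '.sig' = signing, '.rec' = recovery,
#     anything else is ignored by the server
# Output: one line per file, "<advertised|unadvertised> <usage> <name>"
tang_key_audit() {
    db="${1:-/var/tang}"
    for path in "$db"/* "$db"/.*; do
        [ -f "$path" ] || continue          # skip ".", "..", and non-files
        name=${path##*/}
        case "$name" in
            .*) adv=unadvertised ;;
            *)  adv=advertised ;;
        esac
        case "$name" in
            *.sig) use=signing ;;
            *.rec) use=recovery ;;
            *)     use=ignored ;;
        esac
        printf '%s %s %s\n' "$adv" "$use" "$name"
    done
}

# Number of keys a new client will actually discover: advertised AND usable.
tang_advertised_count() {
    tang_key_audit "$1" | awk '$1 == "advertised" && $2 != "ignored" { n++ }
                               END { print n + 0 }'
}

# Demo on a constructed database (timestamp-style names, as tang-key-gen
# would produce); empty files are enough to exercise the naming rules.
demo_dir=$(mktemp -d)
: > "$demo_dir/20160420.rec"      # advertised recovery key
: > "$demo_dir/20160420.sig"      # advertised signing key
: > "$demo_dir/.20150101.rec"     # deprecated (unadvertised) recovery key
: > "$demo_dir/notes.txt"         # no usage suffix: ignored by the server
tang_key_audit "$demo_dir"
echo "keys visible to new clients: $(tang_advertised_count "$demo_dir")"
rm -rf "$demo_dir"
```

Run it against a live /var/tang to confirm that only the keys you intend to advertise lack the leading dot and that every file carries a usage suffix.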

Key File Contents

The key files contain OpenSSL's standard key format. In fact, you can generate keys with OpenSSL directly:

# Generate an advertised recovery key in P-384
$ openssl ecparam -name secp384r1 -genkey -out /var/tang/mykey.rec

# Generate an unadvertised signature key in P-384
$ openssl ecparam -name secp384r1 -genkey -out /var/tang/.mykey.sig

However, the best way to generate keys is to use tang-key-gen:

# Generate an advertised recovery key in P-384
$ tang-key-gen -g secp384r1 -A -r

# Generate an unadvertised signature key in P-384
$ tang-key-gen -g secp384r1 -a -s

The tang-key-gen utility takes care of several other crucial details, including:

  • Appropriate file permissions
  • Automatically generated filename (a timestamp)
  • Knowledge of the key database directory
  • Key advertisement
  • Key usage