Linux Key Escrow - Agent #23771

Merged
merged 53 commits into from
Nov 21, 2024
6403e56
run zenity with args
mostlikelee Nov 7, 2024
8e115a6
implement errs
mostlikelee Nov 7, 2024
8dc7d2f
implement Show Info
mostlikelee Nov 7, 2024
ea8032c
add linux build flags
mostlikelee Nov 7, 2024
5c4ce48
Handbook: fix broken link (#23043)
mikermcneil Nov 8, 2024
94c5d28
return 0 exit code on nil
mostlikelee Nov 10, 2024
11bb407
fix quoted string args
mostlikelee Nov 10, 2024
b7d3955
add logging
mostlikelee Nov 10, 2024
f5c5b9a
fix arg formatting
mostlikelee Nov 10, 2024
b6d3634
fix again
mostlikelee Nov 10, 2024
0758695
fix tests
mostlikelee Nov 10, 2024
b032e42
fix output
mostlikelee Nov 10, 2024
624a9b0
use execuser in zenity
mostlikelee Nov 11, 2024
6f5a519
abstract to dialog
mostlikelee Nov 11, 2024
ff887da
trim newline from zenity output
mostlikelee Nov 13, 2024
48448f2
add progress dialog
mostlikelee Nov 19, 2024
1ff8ccc
fix arg order return nil on context cancel
mostlikelee Nov 19, 2024
e5f76c4
cleanup Show Progress interface
mostlikelee Nov 19, 2024
ff699e8
return -1 on non ExitError
mostlikelee Nov 20, 2024
9206678
fix ineffectual assign
mostlikelee Nov 20, 2024
0697065
Handbook: fix broken link (#23043)
mikermcneil Nov 8, 2024
4d29872
Handbook: fix broken link (#23043)
mikermcneil Nov 8, 2024
1a4c8b0
Handbook: fix broken link (#23043)
mikermcneil Nov 8, 2024
9af5958
lvm package
mostlikelee Nov 8, 2024
133ca83
luks tool
mostlikelee Nov 12, 2024
7ef0ea4
add zenity to tool
mostlikelee Nov 12, 2024
be3e19c
add zenity retries
mostlikelee Nov 12, 2024
7d6a621
add re entry prompt
mostlikelee Nov 12, 2024
d140d4d
luks runner
mostlikelee Nov 12, 2024
3205ed1
add config runner
mostlikelee Nov 13, 2024
344a828
go-blockdevice implementation
mostlikelee Nov 13, 2024
9b57ea9
move tool
mostlikelee Nov 13, 2024
b951f88
add keyslot retries
mostlikelee Nov 13, 2024
5911b79
use zenity
mostlikelee Nov 13, 2024
21fd2d3
escrow correct passphrase
mostlikelee Nov 13, 2024
86dcac4
cleanup
mostlikelee Nov 13, 2024
595a572
send errs in luks response
mostlikelee Nov 13, 2024
07dbb5f
generate 35 len passphrase
mostlikelee Nov 14, 2024
7af58ec
changelog
mostlikelee Nov 14, 2024
894fe09
lint fix
mostlikelee Nov 14, 2024
59c4f52
post key
mostlikelee Nov 15, 2024
0d02e81
cleanup
mostlikelee Nov 20, 2024
bd9b8e3
add salt and keyslot
mostlikelee Nov 20, 2024
1cdd864
add progress prompt
mostlikelee Nov 20, 2024
5f9e61b
revert
mostlikelee Nov 20, 2024
4d1ff60
correct changelog
mostlikelee Nov 20, 2024
a140682
review comments
mostlikelee Nov 20, 2024
a0967f7
address gosec errs
mostlikelee Nov 20, 2024
e798fbc
cleanup
mostlikelee Nov 20, 2024
194fecc
Merge branch 'main' into 23586-agent-escrow
mostlikelee Nov 20, 2024
7ca442b
address comments, remove progress prompts
mostlikelee Nov 21, 2024
86408b1
lint - remove progress prompt
mostlikelee Nov 21, 2024
67cc7c4
fix keyphrase validation
mostlikelee Nov 21, 2024
5 changes: 4 additions & 1 deletion go.mod
Expand Up @@ -67,7 +67,7 @@ require (
github.com/jmoiron/sqlx v1.3.5
github.com/josephspurrier/goversioninfo v1.4.0
github.com/kevinburke/go-bindata v3.24.0+incompatible
github.com/klauspost/compress v1.17.8
github.com/klauspost/compress v1.17.9
github.com/kolide/launcher v1.0.12
github.com/lib/pq v1.10.9
github.com/macadmins/osquery-extension v1.2.3
Expand Down Expand Up @@ -98,6 +98,7 @@ require (
github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9
github.com/sethvargo/go-password v0.3.0
github.com/shirou/gopsutil/v3 v3.24.3
github.com/siderolabs/go-blockdevice/v2 v2.0.3
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
github.com/smallstep/pkcs7 v0.0.0-20240723090913-5e2c6a136dfa
github.com/smallstep/scep v0.0.0-20240214080410-892e41795b99
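Review bot: `github.com/siderolabs/go-blockdevice/v2 v2.0.3` is a new direct dependency, and the later go.mod hunks show it pulls `siderolabs/go-cmd` and `armon/circbuf` (a 2019 pseudo-version) in as indirect dependencies. Because this code path runs inside the agent that will be adding and removing LUKS key slots, the PR description should say what the library is used for (the commit list mentions a go-blockdevice implementation and an lvm package), and the new modules deserve the same supply-chain review as any other dependency that executes with the agent's privileges.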
Expand Down Expand Up @@ -184,6 +185,7 @@ require (
github.com/alecthomas/jsonschema v0.0.0-20211022214203-8b29eab41725 // indirect
github.com/antchfx/xpath v1.2.2 // indirect
github.com/apache/thrift v0.18.1 // indirect
github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/atc0005/go-teams-notify/v2 v2.6.0 // indirect
github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
Expand Down Expand Up @@ -299,6 +301,7 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.5.0 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/siderolabs/go-cmd v0.1.1 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/slack-go/slack v0.9.4 // indirect
github.com/spf13/afero v1.6.0 // indirect
14 changes: 12 additions & 2 deletions go.sum
Expand Up @@ -235,6 +235,8 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 h1:7Ip0wMmLHLRJdrloDxZfhMm0xrLXZS8+COSu2bXmEQs=
github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
Expand Down Expand Up @@ -459,6 +461,8 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8=
github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
github.com/freddierice/go-losetup/v2 v2.0.1 h1:wPDx/Elu9nDV8y/CvIbEDz5Xi5Zo80y4h7MKbi3XaAI=
github.com/freddierice/go-losetup/v2 v2.0.1/go.mod h1:TEyBrvlOelsPEhfWD5rutNXDmUszBXuFnwT1kIQF4J8=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
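Review bot: the checksum lines for `github.com/freddierice/go-losetup/v2 v2.0.1` here (and for `github.com/siderolabs/gen v0.5.0` in a later hunk) have no matching require entry in the go.mod changes of this PR, which only add go-blockdevice, go-cmd and circbuf. If go-blockdevice needs these modules to build, go.mod should list them as `// indirect`; a `go mod tidy` run will either add them or drop these go.sum lines, and either way leaves go.mod and go.sum consistent.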
Expand Down Expand Up @@ -813,8 +817,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab h1:KVR7cs+oPyy85i+8t1ZaNSy1bymCy5FuWyt51pdrXu4=
github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab/go.mod h1:OYYulo9tUqRadRLwB0+LE914sa1ui2yL7OrcU3Q/1XY=
github.com/kolide/launcher v1.0.12 h1:f2uT1kKYGIbj/WVsHDc10f7MIiwu8MpmgwaGaT7D09k=
Expand Down Expand Up @@ -1057,6 +1061,12 @@ github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg
github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/siderolabs/gen v0.5.0 h1:Afdjx+zuZDf53eH5DB+E+T2JeCwBXGinV66A6osLgQI=
github.com/siderolabs/gen v0.5.0/go.mod h1:1GUMBNliW98Xeq8GPQeVMYqQE09LFItE8enR3wgMh3Q=
github.com/siderolabs/go-blockdevice/v2 v2.0.3 h1:IEgDqd3H3gPphahrdvfAzU8RmD4r5eQdWC+vgFQQoEg=
github.com/siderolabs/go-blockdevice/v2 v2.0.3/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w=
github.com/siderolabs/go-cmd v0.1.1 h1:nTouZUSxLeiiEe7hFexSVvaTsY/3O8k1s08BxPRrsps=
github.com/siderolabs/go-cmd v0.1.1/go.mod h1:6hY0JG34LxEEwYE8aH2iIHkHX/ir12VRLqfwAf2yJIY=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
Binary file added orbit-linux
Binary file not shown.
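Review bot: a compiled binary named `orbit-linux` is being added at the repository root and should be dropped from this PR (and added to .gitignore if it is a local build output): a binary cannot be reviewed, it bloats the history permanently, and a committed build artifact of the agent itself is exactly what supply-chain scanning will flag later.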
1 change: 1 addition & 0 deletions orbit/changes/22047-linux-key-escrow
@@ -0,0 +1 @@
* added functionality to support linux disk encryption key escrow including end user prompts and LUKS key management
4 changes: 4 additions & 0 deletions orbit/cmd/orbit/orbit.go
Expand Up @@ -26,6 +26,7 @@ import (
"github.com/fleetdm/fleet/v4/orbit/pkg/installer"
"github.com/fleetdm/fleet/v4/orbit/pkg/keystore"
"github.com/fleetdm/fleet/v4/orbit/pkg/logging"
"github.com/fleetdm/fleet/v4/orbit/pkg/luks"
"github.com/fleetdm/fleet/v4/orbit/pkg/osquery"
"github.com/fleetdm/fleet/v4/orbit/pkg/osservice"
"github.com/fleetdm/fleet/v4/orbit/pkg/platform"
Expand All @@ -38,6 +39,7 @@ import (
"github.com/fleetdm/fleet/v4/orbit/pkg/update"
"github.com/fleetdm/fleet/v4/orbit/pkg/update/filestore"
"github.com/fleetdm/fleet/v4/orbit/pkg/user"
"github.com/fleetdm/fleet/v4/orbit/pkg/zenity"
"github.com/fleetdm/fleet/v4/pkg/certificate"
"github.com/fleetdm/fleet/v4/pkg/file"
retrypkg "github.com/fleetdm/fleet/v4/pkg/retry"
Expand Down Expand Up @@ -935,6 +937,8 @@ func main() {
case "windows":
orbitClient.RegisterConfigReceiver(update.ApplyWindowsMDMEnrollmentFetcherMiddleware(windowsMDMEnrollmentCommandFrequency, orbitHostInfo.HardwareUUID, orbitClient))
orbitClient.RegisterConfigReceiver(update.ApplyWindowsMDMBitlockerFetcherMiddleware(windowsMDMBitlockerCommandFrequency, orbitClient))
case "linux":
orbitClient.RegisterConfigReceiver(luks.New(orbitClient, zenity.New()))
}

flagUpdateReceiver := update.NewFlagReceiver(orbitClient.TriggerOrbitRestart, update.FlagUpdateOptions{
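Review bot: the `case "linux":` arm registers `luks.New(orbitClient, zenity.New())` for every Linux host, but zenity is a GTK dialog tool that needs a graphical user session. The behaviour on headless servers, or when nobody is logged in, should be decided here (a comment on the case arm, or a guard that skips registration when a prompt cannot be shown) rather than left to the dialog package to fail at prompt time.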
37 changes: 37 additions & 0 deletions orbit/pkg/luks/luks.go
@@ -0,0 +1,37 @@
package luks

import (
"github.com/fleetdm/fleet/v4/orbit/pkg/dialog"
)

type KeyEscrower interface {
SendLinuxKeyEscrowResponse(LuksResponse) error
}

type LuksRunner struct {
escrower KeyEscrower
notifier dialog.Dialog
}

type LuksResponse struct {
// Passphrase is a newly created passphrase generated by fleetd for securing the LUKS volume.
// This passphrase will be securely escrowed to the server.
Passphrase string

// KeySlot specifies the LUKS key slot where this new passphrase was created.
// It is currently not used, but may be useful in the future for passphrase rotation.
KeySlot *uint

// Salt is the salt used to generate the LUKS key.
Salt string

// Err is the error message that occurred during the escrow process.
Err string
}

func New(escrower KeyEscrower, notifier dialog.Dialog) *LuksRunner {
return &LuksRunner{
escrower: escrower,
notifier: notifier,
}
}
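Review bot: `LuksResponse.Passphrase` carries the new LUKS passphrase in plaintext alongside `Err string`, so two things should be pinned down in this file: the struct must never reach a logger or error message wholesale (a `String()` method that redacts it, or logging only `KeySlot` and `Err`), and, since Go strings cannot be overwritten in place, the passphrase should be held as a `[]byte` that is zeroed once `SendLinuxKeyEscrowResponse` returns. The `Salt` comment ("the salt used to generate the LUKS key") is also ambiguous: LUKS stores its own per-keyslot salt in the header, so say whether this field is that value or a salt fleetd used when deriving the passphrase, and what the server is expected to do with it. Lastly, `KeySlot` is a `*uint` documented as unused; a note on whether nil means "unknown" or "not applicable" would help the server-side reader.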