Question 1

How to integrate Tang with LUKS for disk encryption?

Accepted Answer

Tang is designed for network-bound decryption of LUKS keys using tools like Clevis. Set up a Tang server, then use Clevis to encrypt LUKS keys with Tang's advertisement, allowing automatic decryption when the client is on the secure network.

Question 2

Tang vs HashiCorp Vault for key management?

Accepted Answer

Tang is stateless and minimal, ideal for network-bound encryption without authentication, while Vault offers comprehensive secrets management with access controls, auditing, and dynamic secrets. Choose Tang for simple, anonymous recovery; Vault for complex, policy-driven environments.

Question 3

Is Tang secure without TLS?

Accepted Answer

Yes, Tang uses the McCallum-Relyea exchange to blind keys during recovery, making requests indistinguishable from random to eavesdroppers. The README explains this provides security without TLS, though optional TLS can be added for extra protection.

Question 4

How to rotate keys in Tang without breaking clients?

Accepted Answer

Rotate keys by generating new ones, disabling old keys by prefixing with a dot (e.g., .oldsig.jwk), and waiting before deletion. The README outlines this process but cautions about timing to avoid client lockouts.

Question 5

What are Tang's performance implications?

Accepted Answer

Tang is lightweight and stateless, so performance overhead is low, primarily dependent on ECDH operations. However, network latency during recovery can impact decryption speed, especially in high-latency environments.

Question 6

Can Tang run in Docker or Kubernetes?

Accepted Answer

Yes, Tang has a Docker container option, but the README warns to store keys separately from protected data. In Kubernetes, ensure keys are managed via secrets and pods have network access to the Tang server.

Tang

What is Tang?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions