Index: security/Makefile
===================================================================
--- security/Makefile
+++ security/Makefile
@@ -94,6 +94,7 @@
 SUBDIR += clamfs
 SUBDIR += clamsmtp
 SUBDIR += clamtk
+ SUBDIR += clevis
 SUBDIR += cloak
 SUBDIR += clusterssh
 SUBDIR += cops
Index: security/clevis/Makefile
===================================================================
--- /dev/null
+++ security/clevis/Makefile
@@ -0,0 +1,26 @@
+PORTNAME= clevis
+DISTVERSION= 19
+CATEGORIES= security
+MASTER_SITES= https://github.com/latchset/${PORTNAME}/releases/download/v${DISTVERSION}/
+
+MAINTAINER= hdholm@alumni.iastate.edu
+COMMENT= Tang is a small daemon for binding data to the presence of a network
+WWW= https://github.com/latchset/clevis
+
+LICENSE= GPLv3
+LICENSE_FILE= ${WRKSRC}/COPYING
+
+LIB_DEPENDS= libhttp_parser.so:www/http-parser \
+ libjansson.so:devel/jansson \
+ libjose.so:net/jose
+BUILD_DEPENDS= a2x:textproc/asciidoc \
+ ${LOCALBASE}/libdata/pkgconfig/jose.pc:net/jose \
+ tang-show-keys:security/tang \
+ tpm2:security/tpm2-tools \
+ curl:ftp/curl
+
+USES= compiler:c11 cpe meson pkgconfig ssl tar:xz
+
+CPE_VENDOR= tang_project
+
+.include
Index: security/clevis/distinfo
===================================================================
--- /dev/null
+++ security/clevis/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1695803760
+SHA256 (clevis-19.tar.xz) = b34e97d72cf59feb56875bfccd6732d8b3d2751714da799a6a6a388cfe234b55
+SIZE (clevis-19.tar.xz) = 66376
Index: security/clevis/pkg-descr
===================================================================
--- /dev/null
+++ security/clevis/pkg-descr
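Review bot: `COMMENT= Tang is a small daemon for binding data to the presence of a network` in the new security/clevis/Makefile describes security/tang rather than the port this hunk adds, so the package summary shown by pkg search and the index would be wrong; `COMMENT= Pluggable framework for automated decryption` matches the first line of the new pkg-descr. `CPE_VENDOR= tang_project` looks carried over from the tang port as well, and with `USES= cpe` it would likely record another product's vendor in the package's CPE string and defeat CPE-based vulnerability matching, so it should be checked against the NVD CPE dictionary entry for clevis before commit. The `tang-show-keys`, `tpm2` and `curl` entries are listed only under BUILD_DEPENDS; if the clevis pins call these tools when unlocking at runtime, they also belong in RUN_DEPENDS, otherwise decryption fails on a freshly installed package that lacks them. The closing `.include` line carries no makefile argument in the rendered hunk; if that is not a rendering artefact the port will not parse at all.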
@@ -0,0 +1,20 @@
+Clevis is a pluggable framework for automated decryption, including supporting
+security/tang, a server for binding data to network presence.
+
+This sounds fancy, but the concept is simple. You have some data, but you only
+want it to be available when the system containing the data is on a certain,
+usually secure, network. This is where Tang comes in.
+
+First, the client gets a list of the Tang server's advertised asymmetric keys.
+This can happen online by a simple HTTP GET. Alternatively, since the keys are
+asymmetric, the public key list can be distributed out of band.
+
+Second, the client uses one of these public keys to generate a unique,
+cryptographically strong encryption key. The data is then encrypted using this
+key. Once the data is encrypted, the key is discarded. Some small metadata is
+produced as part of this operation which the client should store in a convenient
+location. This process of encrypting data is the provisioning step.
+
+Third, when the client is ready to access its data, it simply loads the metadata
+produced in the provisioning step and performs an HTTP POST in order to recover
+the encryption key. This process is the recovery step.