tang

General

Tang is a service for binding cryptographic keys to network presence. It offers a secure, stateless, anonymous alternative to key escrow services.

Commands

Command                  Description
tang-show-keys [port]    queries the tang server on localhost:port (default 80) and shows the thumbprints of the keys it currently advertises

Installation

$ apt install tang

If you want to monitor it, there is a package called tang-nagios which provides the check_tang script; it queries a running tang server and reports its health state.

Setup

After installing the tang package you can already start the socket unit tangd.socket.

Keep in mind that tang listens on port 80 by default.

To change the port, look at the unit file: the attribute ListenStream controls the listening port.

If you don't want to edit the package-managed file directly, use a drop-in override instead (recommended, e.g. via systemctl edit tangd.socket). In the override you have to clear ListenStream explicitly first and then add the replacement, because ListenStream is a list setting: a second value would otherwise be appended to port 80 rather than replace it.

[Socket]
ListenStream=
ListenStream=8080

If you wrote the drop-in by hand, run systemctl daemon-reload first. To enable the socket and start it right away, run the following command:

$ systemctl enable --now tangd.socket

If you check now with ss, you should see something like the following (inode and socket ids will differ). Note that the listener belongs to systemd (pid 1): the socket is activated on demand and tangd itself only runs while a request is being served.

$ ss -tulpen | grep 8080
tcp   LISTEN     0      4096   *:8080  *:*     users:(("systemd",pid=1,fd=102))         ino:199422916 sk:5d8 cgroup:/system.slice/tangd.socket v6only:0 <->
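The port change and its verification as one script, added here as an example (not code from the original page or from the tang project). It assumes the Debian layout, the unit name tangd.socket, the drop-in directory /etc/systemd/system/tangd.socket.d and tang's advertisement endpoint /adv; the function that writes the drop-in takes the etc root as a parameter so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): move tang off port 80 with a
# systemd drop-in instead of editing the packaged unit, then verify it.
# Assumptions: Debian layout, unit name tangd.socket, drop-in directory
# /etc/systemd/system/tangd.socket.d, and tang's advertisement endpoint /adv.
set -eu

# Write the drop-in. ListenStream is a list setting, so the empty assignment
# resets the packaged value before the new port is added. The etc root is a
# parameter so the function can be exercised against a scratch directory.
tang_write_port_override() {
    port="$1"; etc="${2:-/etc}"
    d="$etc/systemd/system/tangd.socket.d"
    mkdir -p "$d"
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" > "$d/override.conf"
    echo "$d/override.conf"
}

# Pick up the drop-in, enable and start the socket, then check two things the
# ss one-liner does not: what systemd thinks it bound, and that tang actually
# answers an advertisement request on the new port.
tang_apply_and_verify() {
    port="$1"
    systemctl daemon-reload
    systemctl enable --now tangd.socket
    systemctl show -p Listen tangd.socket     # expect Listen=[::]:<port> (Stream)
    ss -tlnpe | grep -F 'cgroup:/system.slice/tangd.socket'
    curl -sSf "http://127.0.0.1:$port/adv" >/dev/null
    echo "tang advertisement served on port $port"
}

# Usage: sh tang-port.sh 8080   (needs root; the functions can also be sourced)
if [ "${1:-}" != "" ]; then
    tang_write_port_override "$1"
    tang_apply_and_verify "$1"
fi
```

The curl check is the one worth keeping in a deployment runbook: a bound socket only proves systemd is listening, while a successful GET /adv proves tangd starts and has keys to advertise.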

Key files

The key files for tang are (at least on Debian) stored under /var/lib/tang.

These files can be backed up so that, if something breaks, you can bring the service back with the old keys. Treat the backup as secret material: the .jwk files contain the private keys, anyone who obtains them can act as this tang server towards its clients, and losing them leaves every client bound to them unable to unlock.

Rekey tang

Sometimes a rekey is needed. There are two ways to do it; with both, stop the socket first so no client request is served while the key directory changes:

$ systemctl stop tangd.socket

First method: remove the key files and generate new ones:

$ rm /var/lib/tang/*jwk
$ /usr/libexec/tangd-keygen /var/lib/tang

If you do not remove the old keys before running tangd-keygen, they stay in place and tang keeps loading and advertising them alongside the new ones. Note that the glob *jwk does not match hidden .*.jwk files, so keys retired by an earlier rotation survive this step. This method keeps no retired copy of the removed keys, so every client bound to them must be rebound first, or it will no longer be able to recover.

Second method: run the rotation script (without arguments it operates on the packaged key directory):

$ /usr/libexec/tangd-rotate-keys
Disabled advertisement of key gSFSpnZmWnHcLTAhViARtIWYdw30DtIbTmWqJ24bh3Y.jwk -> .gSFSpnZmWnHcLTAhViARtIWYdw30DtIbTmWqJ24bh3Y.jwk
Disabled advertisement of key zXnckFX8OehQ6-GiQh7nQo7x4jefwlsWvuFbODRfaYA.jwk -> .zXnckFX8OehQ6-GiQh7nQo7x4jefwlsWvuFbODRfaYA.jwk
Created new key RL9twdG6EE4lbHDDCuI2XqlD3iZp57qG9I49flhCpBo.jwk
Created new key XKYTFAqwGyMD9c-kU3XSTGRoFjG9Xv9tEIdSPs-I0nA.jwk
Keys rotated successfully

This also takes care of the old keys: they are renamed to hidden files (.*.jwk) rather than deleted.

Tang still loads every .jwk file in the key directory, including the hidden ones; hidden keys are simply no longer advertised.

Clients already bound to the old keys can therefore still recover with them, while new bindings will only use the newly generated, advertised keys.

Once every client has been rebound to the new keys, you can safely remove the hidden .*.jwk files. Never remove key files while the socket is running and serving clients: a client whose binding depends on a removed key can no longer unlock, which amounts to data loss.

As the last step, start it again:

$ systemctl start tangd.socket
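The second method as a complete runbook with a backup and a post-rotation check, added here as an example (not code from the original page or from the tang project). It assumes the Debian layout (keys in /var/lib/tang, helper scripts in /usr/libexec, unit tangd.socket), that tangd-rotate-keys without arguments works on that directory as shown above, and that tang-show-keys takes the port as its argument; the backup path under /root is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): a rekey runbook for tang that
# backs the keys up, rotates with the packaged script and checks the result.
# Assumptions: Debian layout (keys in /var/lib/tang, scripts in /usr/libexec,
# unit tangd.socket), tangd-rotate-keys operating on its default directory,
# tang-show-keys accepting the port, and /root as the backup location.
set -eu

TANG_DIR="${TANG_DIR:-/var/lib/tang}"   # must match tangd-rotate-keys' default
TANG_PORT="${TANG_PORT:-8080}"

# Count advertised (visible *.jwk) and retired (hidden .*.jwk) key files.
# Prints "advertised=N retired=M"; retired keys are still loaded by tang.
tang_key_status() {
    dir="$1"; adv=0; ret=0
    for f in "$dir"/*.jwk;  do [ -e "$f" ] || continue; adv=$((adv + 1)); done
    for f in "$dir"/.*.jwk; do [ -e "$f" ] || continue; ret=$((ret + 1)); done
    echo "advertised=$adv retired=$ret"
}

# Archive the whole key directory (hidden files included) with owner-only
# permissions. The archive holds private keys: anyone with it can act as this
# tang server, so store it like any other backup of the server's secrets.
tang_backup_keys() {
    dir="$1"; dest="$2"
    ( umask 077; tar -C "$dir" -cf "$dest" . )
    chmod 600 "$dest"
    echo "$dest"
}

# Rotate: stop the socket so no request is served mid-rotation, back up,
# rotate (old keys become hidden .*.jwk and stay usable), restart, and show
# what is advertised now. Retired keys are deliberately left in place until
# every client has been rebound to the new keys.
tang_rekey() {
    backup="/root/tang-keys-$(date +%Y%m%d%H%M%S).tar"
    systemctl stop tangd.socket
    tang_backup_keys "$TANG_DIR" "$backup"
    /usr/libexec/tangd-rotate-keys
    systemctl start tangd.socket
    tang_key_status "$TANG_DIR"
    tang-show-keys "$TANG_PORT"
    echo "backup written to $backup; remove hidden keys only after rebinding all clients"
}

# Usage: sh tang-rekey.sh run   (needs root)
if [ "${1:-}" = "run" ]; then tang_rekey; fi
```

After a rotation, tang-show-keys should list only the newly created thumbprints while tang_key_status still reports the old ones as retired; if retired=0 right after rotating, the rotation script did not run against the directory you expected.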