(question/concept): supporting mTLS for TANG · Issue #507 · latchset/clevis · GitHub
(question/concept): supporting mTLS for TANG #507
Open
@michaelalang

Dear all,

as far as I understood clevis, it's utilizing jose under the hood, so my question might not be perfectly matching here.

I was looking into making a TANG integration as highly secure as possible by adding mTLS to the deployment. clevis/jose are capable of accessing an SSL-secured TANG service, but it's not possible to utilize mTLS in addition.

I can work around that by using stunnel, and even wrap TANG so that it can only be used in such a stunnel/loopback configuration when doing the same on encrypting sensitive data.

My question would now be whether adding mTLS to the clevis/jose tool chain for such a use case would make sense. I understand that this use case cannot be applied to clevis-luks-tang, and in particular to initramfs scenarios (at least not at the moment), but for other scenarios it makes perfect sense to protect the resources with mTLS (if wanted).

Any opinions on that are highly appreciated (also, please point me to jose if you consider it more applicable on their side, but I do want to avoid cross-posting immediately).

All the best and kind regards
Michi

PS: I can POC the setup in an automated way if someone is interested.
https://github.com/michaelalang/tang-mtls
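
The stunnel/loopback workaround described in the post, sketched as a pair of stunnel configurations. This is an added example, not taken from the post or from the linked repository; all file paths, ports and the host name `tang.example.test` are assumptions, and it presumes tangd has been rebound to listen on loopback only.

```ini
; ===== File 1, on the Tang host: tang-server.conf (assumed name) =====
; Assumption: tangd listens only on 127.0.0.1:8080, so stunnel is the
; sole listener reachable from the network.
[tang-mtls]
accept  = 0.0.0.0:7500
connect = 127.0.0.1:8080
; Server identity presented to clients
cert = /etc/stunnel/tang-server.crt
key  = /etc/stunnel/tang-server.key
; CA that issues the client certificates. A client that presents no
; certificate, or one that does not chain to this CA, fails the TLS
; handshake and never reaches Tang.
CAfile      = /etc/stunnel/clients-ca.crt
verifyChain = yes
requireCert = yes

; ===== File 2, on the clevis host: tang-client.conf (assumed name) =====
; clevis/jose speak plain HTTP to the local end of the tunnel, e.g.
;   clevis encrypt tang '{"url":"http://127.0.0.1:8081"}'
; and stunnel adds the client certificate on the way out.
[tang-mtls]
client  = yes
accept  = 127.0.0.1:8081
connect = tang.example.test:7500
; Client identity presented to the Tang-side stunnel
cert = /etc/stunnel/clevis-client.crt
key  = /etc/stunnel/clevis-client.key
; CA that issued the server certificate; also pin the expected host name
CAfile      = /etc/stunnel/server-ca.crt
verifyChain = yes
checkHost   = tang.example.test
```

Any local process on the clevis host can use the 127.0.0.1:8081 listener, so the client certificate authenticates the host rather than an individual user; the private key files should be readable only by the stunnel service account.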
