docs: add howto to setup TLS connections #2553

igaw · 2024-10-30T16:23:53Z

There are couple of step necessary to get TLS working nicely. Document it how this is done.

martin-gpy · 2024-10-31T09:54:06Z

TLS.md

+  --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
+  --subsysnqn nqn.io-1 --identity 1 \
+  --keydata NVMeTLSkey-1:01:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACtVQoZ: \
+  --insert --keyfile /etc/nvme/tls-keys


Looks like the --keyfile option is currently not available for check-tls-key, but only for gen-tls-key.

I just added this new option yesterday :)

TLS.md

igaw · 2024-10-31T11:18:59Z

I've added some more content to it, e.g. the debugging tips. I've spend some time to figure them all out. Maybe it helps others to shortcut if something isn't working.

TLS.md

igaw · 2024-11-04T10:06:27Z

@martin-gpy do miss something or is my wording difficult to understand? I tried to write down everything I learned in the last few weeks on this topic. But don't expect too much from me, I am not a technical doc writer :)

TLS.md

martin-gpy · 2024-11-08T05:54:47Z

TLS.md

+### Recommendation for Handling TLS Keys
+
+The `nvme connect` command also allows passing a TLS key directly via the
+command line or a JSON config file. Avoid this method in production


Are we saying passing the TLS keys via the config JSON file is also a security risk, and should be avoided in production environments? Concern is the only way we can connect using different TLS keys (as well as different dhchap keys) to different subsystems at one go is via the config JSON file alone.

I think we should state this. Generally, mixing configuration with authentication/security tokens is discourage by the security folks. This doesn't mean it is insecure per se. If no one has access to config file except root and nvme-cli, it's propably okay? I heard that the aim should be to remove/hide the tokens from the FS after it has been used. So given this I'd say it better to say it's not recommended to do so.

TLS.md

martin-gpy · 2024-11-08T11:52:10Z

@martin-gpy do miss something or is my wording difficult to understand? I tried to write down everything I learned in the last few weeks on this topic. But don't expect too much from me, I am not a technical doc writer :)

Just had a few minor review comments. This looks quite good now. Thanks for getting this done.

There are couple of step necessary to get TLS working nicely. Document it how this is done. Signed-off-by: Daniel Wagner <wagi@kernel.org>

igaw force-pushed the add-tls-doc branch from c038087 to eda38ad Compare October 30, 2024 16:32

martin-gpy reviewed Oct 31, 2024

View reviewed changes