Encrypting a Volume with NBDE

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up Tang on Server 2
  1. Install Tang by running the following command:
    sudo yum install -y tang
  2. Configure Tang to run at boot with the following command:
    sudo systemctl enable tangd.socket --now
  3. Verify that two Tang keys were created by running the command sudo ls /var/db/tang. There should be two files in that directory with the file extension .jwk.
  4. Lastly, run the ip addr command, and copy the IP address of Server 2 to your clipboard (we’ll need it later).
Encrypt `/dev/xvdg` using NBDE
  1. First, install the necessary Clevis packages on Server 1 using the following command:
    sudo yum install -y clevis clevis-luks clevis-dracut
  2. Next, encrypt the /dev/xvdg disk with the Tang key from Server 2 using the following command:
    sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'
  3. Verify that the key was entered into the LUKS header of /dev/xvdg by running the following command:
    sudo luksmeta show -d /dev/xvdg
  4. Verify that slot 1 is active and there is a key value next to it.
  5. Lastly, run the sudo dracut -f command to force to retrieval of the Tang key at boot.

Additional Resources

You've grown tired of entering LUKS passphrases at boot and want to set up Network-Bound Disk Encryption (NBDE) to automate this process. There is already a LUKS-encrypted volume named payroll on the physical disk /dev/xvdg. The passphrase for the LUKS-encrypted volume payroll is Pinehead1!.

You now need to encrypt the payroll volume using NBDE. There are two servers: Server1 is the server with the LUKS-encrypted volume payroll on it, and Server2 is the Tang server. Lastly, you'll need to ensure that the NBDE key will automatically be retrieved at boot time.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?