In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.
*This course is not approved or sponsored by Red Hat.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Set Up Tang on Server 2
- Install Tang by running the following command:
sudo yum install -y tang - Configure Tang to run at boot with the following command:
sudo systemctl enable tangd.socket --now - Verify that two Tang keys were created by running the command
sudo ls /var/db/tang. There should be two files in that directory with the file extension.jwk. - Lastly, run the
ip addrcommand, and copy the IP address of Server 2 to your clipboard (we’ll need it later).
- Install Tang by running the following command:
- Encrypt `/dev/xvdg` using NBDE
- First, install the necessary Clevis packages on Server 1 using the following command:
sudo yum install -y clevis clevis-luks clevis-dracut - Next, encrypt the
/dev/xvdgdisk with the Tang key from Server 2 using the following command:sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}' - Verify that the key was entered into the LUKS header of
/dev/xvdgby running the following command:sudo luksmeta show -d /dev/xvdg - Verify that slot 1 is
activeand there is a key value next to it. - Lastly, run the
sudo dracut -fcommand to force to retrieval of the Tang key at boot.
- First, install the necessary Clevis packages on Server 1 using the following command:
