In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.
*This course is not approved or sponsored by Red Hat.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Set Up Tang Server
Check the Server 1 status first:
- In your Server 1 terminal window, check the status of the LUKS-encrypted volume (`payroll`) by running the following command: `cryptsetup -v status payroll`
- Determine where the volume is mounted by running the following command: `df -h`
- List the contents of the `payroll` directory by running the following command: `ls /payroll`
Switch to your Server 2 terminal window:
- Install Tang by running the following command: `sudo yum install -y tang`
- Generate the keys for Tang by running the following command: `/usr/libexec/tangd-keygen /var/db/tang`
- Configure Tang to run at boot by running the following command: `sudo systemctl enable tangd.socket --now`
- Verify that two Tang keys were created by running the following command: `sudo ls /var/db/tang`
- Determine the IP address of Server 2 by running the following command: `ip addr`
- Encrypt `/dev/xvdg` Using NBDE
- First, install the necessary Clevis packages on Server 1 by running the following command: `sudo yum install -y clevis clevis-luks clevis-dracut`
- Next, encrypt the `/dev/xvdg` disk with the Tang key from Server 2 by running the following command: `sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'`
- Verify that the key was entered into the LUKS header of `/dev/xvdg` by running the following command: `sudo luksmeta show -d /dev/xvdg`
- Verify that slot 1 is `active` and there is a key value next to it.
- Lastly, run the `sudo dracut -f` command to rebuild the initramfs so that the Tang key is retrieved at boot.
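The following shell helpers are an added example, not part of the lab or of the Clevis/Tang projects. They wrap the checks a practitioner would want around the steps above: building the `tang` pin configuration with an explicit port (tangd.socket listens on port 80 by default, which is why the lab's URL carries no port), confirming that a Tang advertisement fetched from `/adv` has the shape of a JWS before binding to it, and parsing `luksmeta show` output to confirm that the Clevis slot is active. Note that `clevis bind luks` adds a Clevis-managed key slot to the existing LUKS header rather than re-encrypting the volume; the original passphrase slot remains valid. The `luksmeta` sample output, the server address `10.0.0.5` and the `check_tang` helper are constructed for illustration; the slot UUID in the sample is the well-known Clevis luksmeta UUID.

```shell
#!/bin/sh
# Added example (not the lab's own code). Assumptions: Tang on port 80 unless
# told otherwise; luksmeta prints "<slot> <state> <uuid|empty>" per line.

# Build the JSON pin configuration that 'clevis bind luks ... tang' expects.
# $1 = Tang server address, $2 = port.
tang_pin_config() {
    printf '{"url":"http://%s:%s"}' "$1" "$2"
}

# A Tang advertisement (GET /adv) is a JWS object with "payload", "protected"
# and "signature" members. Reject anything that lacks one of them, e.g. an
# error body or an HTML page from the wrong host.
adv_looks_valid() {
    case "$1" in
        *'"payload"'*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'"protected"'*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'"signature"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch a live advertisement and validate it (needs network; not exercised
# offline). $1 = address, $2 = port.
check_tang() {
    adv=$(curl -sf "http://$1:$2/adv") || return 1
    adv_looks_valid "$adv"
}

# Read 'luksmeta show -d <dev>' output on stdin; succeed only if slot $1 is
# active and holds a key (third column is not "empty").
slot_bound() {
    awk -v s="$1" '
        $1 == s && $2 == "active" && $3 != "empty" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of 'luksmeta show' output after a successful bind:
# slot 0 is the original passphrase, slot 1 is the Clevis-managed key.
SAMPLE_LUKSMETA='0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

# Stand-alone usage: print the pin config and check the sample output.
tang_pin_config 10.0.0.5 80
echo
if printf '%s\n' "$SAMPLE_LUKSMETA" | slot_bound 1; then
    echo "slot 1 is bound"
else
    echo "slot 1 is NOT bound"
fi
```

On a real host, run `sudo luksmeta show -d /dev/xvdg | slot_bound 1` after the bind step and `check_tang <SERVER2_IP> 80` before it; a failing advertisement check usually means the socket is not enabled or the wrong address was used.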