Encrypting a Volume with NBDE

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up Tang Server

Check the Server 1 status first:

  1. In your Server 1 terminal window, check the status of the LUKS-encrypted volume (payroll) by running the following command:
    cryptsetup -v status payroll
  2. Determine where the volume is mounted by running the following command:
    df -h
  3. List the contents of the payroll directory by running the following command:
    ls /payroll

Switch to your Server 2 terminal window:

  1. Install Tang by running the following command:
    sudo yum install -y tang
  2. Generate the keys for Tang by running the following command:
    /usr/libexec/tangd-keygen /var/db/tang
  3. Configure Tang to run at boot by running the following command:
    sudo systemctl enable tangd.socket --now
  4. Verify that two Tang keys were created by running the following command:
    sudo ls /var/db/tang
  5. Determine the IP address of Server 2 by running the following command:
    ip addr
Encrypt `/dev/xvdg` Using NBDE
  1. First, install the necessary Clevis packages on Server 1 by running the following command:
    sudo yum install -y clevis clevis-luks clevis-dracut
  2. Next, encrypt the /dev/xvdg disk with the Tang key from Server 2 by running the following command:
    sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'
  3. Verify that the key was entered into the LUKS header of /dev/xvdg by running the following command:
    sudo luksmeta show -d /dev/xvdg
  4. Verify that slot 1 is active and there is a key value next to it.
  5. Lastly, run the sudo dracut -f command to force to retrieval of the Tang key at boot.

Additional Resources

You've grown tired of entering LUKS passphrases at boot and want to set up Network-Bound Disk Encryption (NBDE) to automate this process. There is already a LUKS-encrypted volume named payroll on the physical disk /dev/xvdg. The passphrase for the LUKS-encrypted volume payroll is Pinehead1!.

You now need to encrypt the payroll volume using NBDE. There are two servers: Server1 is the server with the LUKS-encrypted volume payroll on it, and Server2 is the Tang server. Lastly, you'll need to ensure that the NBDE key will automatically be retrieved at boot time.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?