In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Set Up Tang on Server 2
- Install Tang by running the following command:
sudo yum install -y tang
- Configure Tang to run at boot with the following command:
sudo systemctl enable tangd.socket --now
- Verify that two Tang keys were created by running the command
sudo ls /var/db/tang
. There should be two files in that directory with the file extension.jwk
. - Lastly, run the
ip addr
command, and copy the IP address of Server 2 to your clipboard (we’ll need it later).
- Install Tang by running the following command:
- Encrypt `/dev/xvdg` using NBDE
- First, install the necessary Clevis packages on Server 1 using the following command:
sudo yum install -y clevis clevis-luks clevis-dracut
- Next, encrypt the
/dev/xvdg
disk with the Tang key from Server 2 using the following command:sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'
- Verify that the key was entered into the LUKS header of
/dev/xvdg
by running the following command:sudo luksmeta show -d /dev/xvdg
- Verify that slot 1 is
active
and there is a key value next to it. - Lastly, run the
sudo dracut -f
command to force to retrieval of the Tang key at boot.
- First, install the necessary Clevis packages on Server 1 using the following command: