Introduction
In an earlier guide I created an encrypted file system using cryptsetup; now let's see how to auto-mount an encrypted file system using Network Bound Disk Encryption (NBDE). In my lab setup I have used only one Tang server; set up more of them for high availability.
Installing Tang Server
Install the tang package on the Tang server.
# yum install tang -y
Start and enable the service with the --now option, then check its status.
# systemctl enable --now tangd.socket
# systemctl status tangd.socket
By default the Tang server listens on port 80, so add a firewall exception for the http service.
# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
Client Side Configuration
Search for the clevis packages with yum or dnf, then install the packages below to configure the client side.
# yum search clevis
# yum install -y clevis-dracut clevis-luks clevis
The clevis man page gives a few example commands; we need to adapt them to our requirement.
# man clevis
Look for the two examples at the bottom of the man page and replace the Tang server details with our Tang service information. Make sure to use double quotes " around all the elements.
# cfg=$'{"t":1,"pins":{"tang":[{"url":"serverb.linuxsysadmins.local"}]}}'
Once the Tang server is defined in the variable, bind the encrypted file system to Clevis.
# clevis luks bind -d /dev/vg_secure/lv_secure sss "$cfg"
- tang – this pin unlocks volumes using a network server
- tpm2 – this pin unlocks volumes using a TPM2 policy
- sss – this pin allows deploying high-availability systems using the Shamir's Secret Sharing (SSS) cryptographic scheme
Clevis will prompt to trust the key from the Tang server and to initialize the encrypted file system.
[root@servera ~]# clevis luks bind -d /dev/vg_secure/lv_secure sss "$cfg"
The advertisement contains the following signing keys:
NbzZZcAt9Q0mnV5OGd9_8DBlsbU
Do you wish to trust these keys? [ynYN] Y
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.
Do you wish to initialize /dev/vg_secure/lv_secure? [yn] y
Enter existing LUKS password:
[root@servera ~]#
Right after that, create a crypttab entry pointing to the encrypted disk.
# vim /etc/crypttab
secure /dev/vg_secure/lv_secure none _netdev
Create the fstab entry to mount the file system persistently.
# vim /etc/fstab
/dev/mapper/secure /secure ext4 _netdev 1 2
Finally, enable the clevis-luks-askpass path unit so the file system is unlocked and mounted during reboots.
# systemctl enable --now clevis-luks-askpass.path
After a reboot /secure shows up mounted, so all the previous steps are good.
[root@servera ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 18.8G 0 part
├─rhel-root 253:0 0 16.8G 0 lvm /
└─rhel-swap 253:1 0 2G 0 lvm [SWAP]
sdb 8:16 0 10G 0 disk
└─vg_secure-lv_secure 253:2 0 1G 0 lvm
└─secure 253:3 0 1022M 0 crypt /secure
sr0 11:0 1 4.3G 0 rom /mnt
[root@servera ~]#
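As an added example (not part of the original post), the POSIX shell helpers below build the sss pin configuration for any number of Tang servers and threshold t, so the JSON does not have to be hand-edited when more servers are added for high availability, and check that a crypttab entry carries the _netdev option. The hostnames tang1.example.test to tang3.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the Clevis/NBDE
# setup described above. build_sss_cfg emits the JSON that
# "clevis luks bind -d <device> sss" expects, for any number of Tang servers
# and any threshold t (t of the listed servers must be reachable to unlock).
# All hostnames used here are constructed placeholders.

# build_sss_cfg THRESHOLD URL... -> prints the sss pin configuration.
build_sss_cfg() {
    t=$1
    shift
    # t must lie between 1 and the number of Tang servers; a larger t could
    # never be satisfied and the volume would never unlock automatically.
    if [ "$t" -lt 1 ] || [ "$t" -gt "$#" ]; then
        echo "threshold $t must be between 1 and $# (number of Tang servers)" >&2
        return 1
    fi
    pins=""
    for url in "$@"; do
        pins="${pins:+$pins,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$t" "$pins"
}

# crypttab_has_netdev LINE -> exit 0 if the options field (4th column) contains
# _netdev, which tells systemd the device needs the network up before Clevis
# can contact the Tang server; exit 1 otherwise.
crypttab_has_netdev() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "_netdev") exit 0
        exit 1
    }'
}

# Example run: one server, as in the bind step above, then a 2-of-3 layout.
build_sss_cfg 1 serverb.linuxsysadmins.local; echo
build_sss_cfg 2 tang1.example.test tang2.example.test tang3.example.test; echo
```

Pass the printed JSON to clevis luks bind -d <device> sss "$cfg" exactly as in the bind step above.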
Be on the safer side
In case we forget the LUKS password, the header can be restored from a backup. To take the backup, use the luksHeaderBackup option of the cryptsetup command.
# cryptsetup luksHeaderBackup /dev/vg_secure/lv_secure --header-backup-file=/root/luksheader-backup-file
Suppose we forgot the changed password and can't decrypt the disk. However, I do remember the old password that was in place when the header backup was taken, so let's recover by restoring that header.
# umount /secure/
# cryptsetup luksClose secure
# cryptsetup luksDump /dev/vg_secure/lv_secure
# cryptsetup luksHeaderRestore /dev/vg_secure/lv_secure --header-backup-file=luksheader-backup-file
Open the LUKS device and mount it, or reboot, and it should mount automatically using NBDE.
That's it, we have auto-mounted the encrypted file system with NBDE.