→ Using NBDE to unlock a LUKS encrypted volume
→ Preamble
This document explains how to use NBDE (Network Bound Disk Encryption) to unlock a LUKS encrypted drive at boot on a Red Hat based system, removing the need to type a passphrase at the console. This requires a client machine and a server machine.
→ Installing the server side packages
The server side package for NBDE is called Tang. It listens on port 80 by default.
yum install -y tang
→ Start and enable Tang
systemctl start tangd.socket
systemctl enable tangd.socket
→ Installing the client side packages
The client side package for NBDE is called clevis. It requires no configuration out of the box.
yum install -y clevis
→ Configuring manual enrollment of root volumes
This will allow you to unlock your LUKS encrypted root volume.
yum install -y clevis-luks
→ Bind encrypted drive with Tang server
This assumes that your encrypted drive is /dev/sdb3 and the Tang server's hostname is tang.domain.tld.
clevis luks bind -d /dev/sdb3 tang '{"url":"http://tang.domain.tld"}'
→ Regenerate the initial ramdisk
This will install the necessary kernel modules in your initrd. Without these modules, you will not be able to automatically unlock your volume.
yum install -y clevis-dracut
dracut -f --regenerate-all
→ Conclusion
At this point, you should be able to reboot and test. You will still see the normal LUKS password prompt, but the volume should unlock on its own in no more than ten seconds. If it does not unlock, something in the steps above went wrong.
→ Automatic enrollment via kickstart
This will allow you to set a password for your LUKS volume as well as enroll the volume on the Tang server. You will need to tailor this to work for your particular needs.
→ Kickstart Pre Section
This section prompts for a password for your LUKS volume, writes the root partition details to /tmp/password.ks, and generates the Post section for use later in the kickstart.
%pre
chvt 3
while true; do
read -s -p "Password: " password
echo
read -s -p "Password (again): " password2
echo
[ "$password" = "$password2" ] && break
echo "Please try again"
done
clear
chvt 1
echo "part / --fstype=ext4 --size=1000 --grow --encrypted --ondisk=sda --passphrase=\"${password}\"" > /tmp/password.ks
cat << EOF >> /tmp/centos-encrypted_post.cfg
clevis luks bind -f -k- -d /dev/sda2 \
tang '{"url":"http://tang.domain.tld","thp":"dPCsoxxHOLw8grXMXxdmHE4c7fI"}' <<< "${password}"
dracut -vf --regenerate-all
EOF
%include /tmp/password.ks
%end
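The "thp" in the bind command above pins the Tang server's signing key, which matters because the advertisement is fetched over plain HTTP: without it, clevis trusts whatever key the server presents at enrollment time. The following is an added example (not part of this guide or of the clevis/tang projects) showing how that thumbprint is derived from the advertisement, so it can be checked out of band before enrolling; the advertisement, key coordinates and URL are constructed placeholders, and the JWS signature is not verified here (clevis does that itself).

```python
import base64
import hashlib
import json

# RFC 7638: the members hashed per key type, lexicographically ordered, no whitespace.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}
# clevis historically used SHA-1 thumbprints (27 characters, like the "thp" in the kickstart);
# newer releases also accept SHA-256 (43 characters).
THP_HASHES = {"S1": hashlib.sha1, "S256": hashlib.sha256}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict, alg: str = "S1") -> str:
    """JWK thumbprint as produced by `jose jwk thp -a <alg>`; this is the "thp" value."""
    canonical = json.dumps({m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(THP_HASHES[alg](canonical.encode()).digest())


def verify_keys(adv_text: str) -> list:
    """Signing keys from a Tang advertisement (JWS JSON serialisation). The JWS
    signature is NOT checked here; only the key_ops "verify" keys are candidates."""
    payload = json.loads(b64url_decode(json.loads(adv_text)["payload"]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def advertisement_matches(adv_text: str, expected_thp: str) -> bool:
    """True if expected_thp is the thumbprint (under any supported hash) of a signing key."""
    return any(jwk_thumbprint(k, alg) == expected_thp
               for k in verify_keys(adv_text) for alg in THP_HASHES)


# Constructed sample advertisement: placeholder coordinates, not a real P-521 point.
SAMPLE_KEYS = {"keys": [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["verify"], "x": "AQ", "y": "Ag"},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"], "x": "Aw", "y": "BA"},
]}
SAMPLE_ADV = json.dumps({"payload": b64url_encode(json.dumps(SAMPLE_KEYS).encode()),
                         "protected": "e30", "signature": "AA"})

if __name__ == "__main__":
    # Real use: save the output of `curl -sf http://tang.domain.tld/adv` and compare it with
    # a thumbprint obtained from the Tang administrator through a separate channel.
    pinned = jwk_thumbprint(SAMPLE_KEYS["keys"][0])
    print("pinned", pinned, "matches advertisement:", advertisement_matches(SAMPLE_ADV, pinned))
```

Note that the derive key (key_ops "deriveKey") is deliberately excluded: only a signing key's thumbprint is a valid "thp".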
→ Disk partitioning
We will need to create an unencrypted /boot partition.
part /boot --fstype="ext4" --ondisk=sda --size=512