-
Medium/Average (~15 mins)
-
Understand how to use Network Bound Disk Encryption (NBDE) to securely decrypt LUKS-encrypted volumes
Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of hard drives on physical and virtual machines without requiring manual entry of a password when systems are restarted.
Red Hat® Enterprise Linux® (RHEL) implements NBDE with a central server named Tang and a client framework named Clevis. Tang is used to bind data to a secure network. It is stateless and does not require TLS or authentication. Tang does not interact with client keys, so it never obtains identifying information from the client. Clevis provides automated unlocking of LUKS volumes.
Tang and Clevis are generic server and client components that provide network bound encryption. In Red Hat Enterprise Linux 7, they are used in conjunction with LUKS to encrypt and decrypt root and non-root storage volumes to accomplish NBDE.
This lab covers setting up NBDE using the command line interface, but Cockpit also provides the same functionality in cockpit-storaged. You are able to add, edit, and remove both passphrase-based keys and key server keys.
You install the Tang server on the NBDE1 server and the Clevis client on NBDE3.
-
Navigate to the lab information page from Lab 0: Setup Steps and click CONSOLE for NBDE1:
This page has your environment’s power control and consoles.
-
Log in to the NBDE1 server as root using r3dh4t1! as the password. (If you are prompted for the disk decryption password, it is also r3d4t1!).
-
Install the
tangpackages:[root@nbde1 ~]# yum install tang
TipTo copy and paste text to send to the console without typing into the console directly, press the T button at the top right of your console. This is recommended for longer commands.
-
Enable the
tangservice insystemdand open the HTTP port in the firewall:[root@nbde1 ~]# systemctl enable tangd.socket --now [root@nbde1 ~]# firewall-cmd --add-service=http [root@nbde1 ~]# firewall-cmd --add-service=http --permanent
Because
tangduses thesystemdsocket activation mechanism, the server starts as soon as it receives the first connection. A new set of cryptographic keys is automatically generated upon initial startup.
Your NBDE3 client is already encrypted. In this section, you install the client packages that allow you to decrypt the root device drive upon boot without manual intervention.
-
Navigate to the lab information page from Lab 0: Setup Steps.
This page has your environment’s power control and consoles.
-
Click the console link for NBDE3:
-
Enter the passphrase r3dh4t1! for the LUKS-encrypted disk on NBDE3 to complete the boot process.
TipTo copy and paste text to send to the console, press the T button:
-
Log in to the NBDE3 server as root using r3dh4t1! as the password:
-
Install the Clevis packages:
[root@nbde3 ~]# yum install clevis clevis-luks clevis-dracut
-
Initialize the LUKS binding to the Tang server.
[root@nbde3 ~]# clevis luks bind -d /dev/vda2 tang '{"url":"http://nbde1.example.com"}'TipTo copy and paste the to send to the console, press the T button:
This command performs four steps:
-
Creates a new key with the same entropy as the LUKS master key
-
Encrypts the new key with Clevis
-
Stores the Clevis JWE object in the LUKS header with LUKSMeta
-
Enables the new key for use with LUKS
-
-
Answer
ywhen asked to trust the keys. -
Enter r3dh4t1!, which is the existing LUKS password.
This disk can now be unlocked with your existing passphrase, as well as with the Clevis policy.
-
Use the
cryptsetup luksDumpcommand on NBDE3 to verify that the Clevis JWE object is successfully placed in a LUKS header:[root@nbde3 ~]# cryptsetup luksDump /dev/vda2 LUKS header information Version: 2 Epoch: 5 Metadata area: 12288 bytes UUID: 65a375f8-16bc-46bd-96a5-d7331e685d9f Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 8388608 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] Keyslots: 0: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 PBKDF: argon2i Time cost: 4 Memory: 754560 Threads: 2 Salt: c7 be d2 42 3c d0 57 53 65 59 bb 62 1f 21 aa ba 4b 6d c4 82 1f 6b 8f a0 2d 0a 22 5a 4e 5f 4e 88 AF stripes: 4000 Area offset:32768 [bytes] Area length:258048 [bytes] Digest ID: 0 1: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 PBKDF: argon2i Time cost: 4 Memory: 831696 Threads: 2 Salt: 76 f2 20 9e 37 2f 2d 76 42 05 7f 14 83 30 da bc ae 33 dc fd 6e 5d 7a 74 f1 b6 dc b1 3d 61 f7 a9 AF stripes: 4000 Area offset:290816 [bytes] Area length:258048 [bytes] Digest ID: 0 Tokens: 0: clevis Keyslot: 1 Digests: 0: pbkdf2 Hash: sha256 Iterations: 83485 Salt: e8 33 a0 97 1b 5d ac 81 29 30 df fa 5e e0 4a e3 8b 12 fd 1d 1d 7f f2 74 b1 b5 c7 56 08 2b 9e 76 Digest: b7 42 05 a6 84 23 e2 26 af d7 2d db bf 21 27 29 b7 23 26 c1 07 08 52 bc e2 a7 93 75 21 7f 80 b1 ```
-
Examine the header and expect to see that there are two key slots in the header.
The
0key slot represents the static password you entered when booting the machine for the first time and key slot1is the newly added entry by theclevis luks bindcommand.
-
Enter the following command on NBDE3 to enable the early boot system to process the disk binding:
[root@nbde3 ~]# dracut -f
TipPass the -vf parameter if you want to see verbose output.
-
Reboot NBDE3:
[root@nbde3 ~]# reboot
-
Wait for the prompt to come up for the LUKS passphrase and expect NBDE3 to automatically begin the boot process without requiring you to enter a password.
This may take up to five minutes in the virtualized environment.
Your NBDE2 server is already encrypted. In this section, you install the client packages that allow you to decrypt the root device drive upon boot without manual intervention.
-
Navigate to the lab information page from Lab 0: Setup Steps.
This page has your environment’s power control and consoles.
-
Click CONSOLE for NBDE2 and use the passphrase r3dh4t1! for the LUKS-encrypted disk on NBDE2:
You must enter the passphrase to complete the boot process. You do not need to log in to the machine after unlocking the disk with the passphrase.
TipTo copy and paste text to send to the console, press the T button:
The
cockpit-storagedpackage is already installed for you, and Cockpit is already enabled as well.
In this section, you initialize the LUKS binding to the Tang server using Cockpit.
-
Go to your Lab Information webpage from Lab 0: Setup Steps and click CONSOLE for your workstation bastion host:
-
Log in as lab-user with r3dh4t1! as the password:
-
Open a Firefox web browser:
-
Open https://nbde2.example.com:9090/:
-
Log in as root, using r3dh4t1! for the password.
-
Click Storage, then click VirtiO Disk:
-
Click Encrypted data for /dev/vda2:
-
Click the Encryption tab for the disk:
-
Expect to see the current keys for the disk, and note that at present there is only one passphrase key:
-
Click the + button to add one more key, and expect the modal window to look like this:
-
Complete the modal window fields as shown, using nbde1.example.com as a key server address and r3dh4t1! for the existing disk passphrase, then click Add:
-
After giving the system some time to process the request, click Trust key:
-
Examine the results, and note both the disk passphrase and the key server as your keys for the disk:
Expect your key to be different from the key shown in the image.
This disk can now be unlocked with your existing passphrase as well as with the Clevis policy.