From a security viewpoint, it's important to encrypt your sensitive data to protect it from prying eyes and hackers. Linux Unified Key Setup (LUKS) is a great tool and a common standard for Linux disk encryption. Because it stores all pertinent setup information in the partition header, it makes migrating data easy.
To configure encrypted disks or partitions with LUKS, you will need to use the cryptsetup utility. Unfortunately, one of the downsides of encrypting your disks is that you have to manually provide the password every time the system is rebooted or the disk is remounted.
However, Network-Bound Disk Encryption (NBDE) can automatically and securely unlock encrypted disks without any user intervention. It is available in several Linux distributions, beginning with Red Hat Enterprise Linux 7.4, CentOS 7.4, and Fedora 24, and in later versions of each.
NBDE is implemented with the following technologies:
- Clevis framework: A pluggable framework tool that automatically decrypts and unlocks LUKS volumes
- Tang server: A service for binding cryptographic keys to network presence
Tang provides the encryption keys to the Clevis client. According to Tang's developers, this provides a secure, stateless, anonymous alternative to key escrow services.
Because NBDE uses the client-server architecture, you must configure both the client and the server. You can use a virtual machine on your local network for your Tang server.
Server installation
Install Tang using sudo:
sudo yum install tang -yEnable the Tang server:
sudo systemctl enable tangd.socket --nowThe Tang server works on port 80 and must be added to firewalld. Add the appropriate firewalld rule:
sudo firewall-cmd --add-port=tcp/80 --perm
sudo firewall-cmd --reloadThe server should now be installed.
Client installation
For this example, assume you have added a new 1GB disk named /dev/vdc to your system.
Create the primary partition using fdisk or parted:
sudo fdisk /dev/vdc
Complete the following steps to install the client.
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x4a6812d4.
Command (m for help):Enter n to create the new partition:
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p):Hit the Enter key to select the primary partition:
Using default response p
Partition number (1-4, default 1):Hit the Enter key to select the default partition number:
First sector (2048-2097151, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2097151, default 2097151):Hit the Enter key to select the last sector:
Using default value 2097151
Partition 1 of type Linux and of size 1023 MiB is set
Command (m for help): wqType wq to save the changes and exit fdisk:
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.Run partprobe to inform the system of the partition table changes:
sudo partprobeInstall the cryptsetup package using sudo:
sudo yum install cryptsetup -yUse the cryptsetup luksFormat command to encrypt the disk. You will need to type YES when prompted and also choose and enter a passphrase to encrypt the disk:
sudo cryptsetup luksFormat /dev/vdc1
WARNING!
========
This will overwrite data on /dev/vdc1 irrevocably.
Are you sure? (Type uppercase yes):
Enter passphrase for /dev/vdc1:
Verify passphrase:Use the cryptsetup luksOpen command to map the encrypted partition to a logical device. For example, use encryptedvdc1 as the name. You will also need to enter the passphrase again:
sudo cryptsetup luksOpen /dev/vdc1 encryptedvdc1
Enter passphrase for /dev/vdc1:The encrypted partition is now available at /dev/mapper/encryptedvdc1.
Create an XFS filesystem on the encrypted partition:
sudo mkfs.xfs /dev/mapper/encryptedvdc1Create a directory for mounting the encrypted partition:
sudo mkdir /encryptedUse the cryptsetup luksClose command to lock the partition:
cryptsetup luksClose encryptedvdc1Install the Clevis packages using sudo:
sudo yum install clevis clevis-luks clevis-dracut -yModify /etc/crypttab to open the encrypted volume at boot time:
sudo vim /etc/crypttabAdd the following line:
encryptedvdc1 /dev/vdc1 none _netdevModify /etc/fstab to automatically mount the encrypted volume during a reboot or at boot time:
sudo vim /etc/fstabAdd the following line:
/dev/mapper/encryptedvdc1 /encrypted xfs _netdev 1 2For this example, assume the Tang server's IP address is 192.168.1.20. You can also use the hostname or domain if you prefer.
Run the following clevis command:
sudo clevis bind luks -d /dev/vdc1 tang '{"url":"http://192.168.1.20"}'
The advertisement contains the following signing keys:
rwA2BAITfYLuyNiIeYUMBzkhk7M
Do you wish to trust these keys? [ynYN] Y
Enter existing LUKS password: Type Y to accept the keys for the Tang server and provide the existing LUKS password for the initial setup.
Enable clevis-luks-askpass.path via systemctl in order to prevent being prompted for the passphrase for non-root partitions.
sudo systemctl enable clevis-luks-askpass.pathThe client is installed. Now, whenever you reboot the server, the encrypted disk should automatically be decrypted and mounted by retrieving the keys from the Tang server.
If the Tang server is unavailable for any reason, you'll need to provide the passphrase manually in order to decrypt and mount the partition.
1 Comment