Auto mount a LUKS Encrypted file system with Network-Bound Disk Encryption (NBDE)

Introduction

In an earlier guide I created an encrypted file system using cryptsetup; now let's see how to auto mount that encrypted file system using Network-Bound Disk Encryption (NBDE). In my lab setup I have used only one Tang server; set up more of them for high availability.

Installing Tang Server

Install the tang package on the Tang server.

# yum install tang -y

Start and enable the socket in one step with the --now option, then check its status.

# systemctl enable --now tangd.socket
# systemctl status tangd.socket

By default the Tang server listens on port 80, so add a firewall exception for the http service.

# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload
# firewall-cmd --list-all

Client Side Configuration

Search for the clevis packages with yum or dnf, then install the packages below to configure the client side.

# yum search clevis
# yum install -y clevis-dracut clevis-luks clevis

The clevis man page gives a few example commands; we only need to adjust them to fit our requirement.

# man clevis

Look for the two examples at the bottom of the man page and replace the Tang server details with our Tang service information. Make sure to use double quotes (") for all the elements.

# cfg=$'{"t":1,"pins":{"tang":[{"url":"serverb.linuxsysadmins.local"}]}}'

Once the Tang server is defined in the variable, bind the encrypted file system to clevis.

# clevis luks bind -d /dev/vg_secure/lv_secure sss "$cfg"

The pins clevis supports are:
  • tang – unlocks volumes using a network (Tang) server
  • tpm2 – unlocks volumes using a TPM2 policy
  • sss – deploys high-availability setups using the Shamir's Secret Sharing (SSS) cryptographic scheme, combining several of the other pins with a threshold
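The page binds with t=1 and a single Tang server, which gives no redundancy. As an added example (not from the page or the clevis project), this shell function builds the same sss configuration for several Tang servers with a threshold, so the volume still unlocks with one server down and no single Tang key alone can unseal it. The hostnames are assumed.

```bash
#!/bin/bash
# Constructed example: build the clevis "sss" pin configuration that the
# page passes as "$cfg", but for several Tang servers with a threshold.
# With t=2 of three servers the volume still unlocks when any one Tang
# server is down, and one Tang key on its own is not enough to unseal it.
# Server names below are assumed, not taken from the page.

# nbde_sss_config THRESHOLD URL... -> prints the JSON config on stdout
nbde_sss_config() {
    local threshold="$1"; shift
    local pins="" url
    # threshold must be between 1 and the number of Tang servers given
    if [ "$#" -lt 1 ] || [ "$threshold" -lt 1 ] || [ "$threshold" -gt "$#" ]; then
        echo "threshold must be between 1 and the number of servers ($#)" >&2
        return 1
    fi
    for url in "$@"; do
        # append one {"url":"..."} object per server, comma separated
        pins="${pins:+$pins,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$threshold" "$pins"
}

# Example: 2-of-3 Tang servers (assumed hostnames)
cfg=$(nbde_sss_config 2 http://tang1.example.local \
                        http://tang2.example.local \
                        http://tang3.example.local)
echo "$cfg"
# The bind step then stays exactly as on the page:
#   clevis luks bind -d /dev/vg_secure/lv_secure sss "$cfg"
```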

Clevis prompts to trust the signing key advertised by the Tang server and then to initialize the LUKS device for metadata storage; confirm both and enter the existing LUKS passphrase.

[root@servera ~]# clevis luks bind -d /dev/vg_secure/lv_secure sss "$cfg"
The advertisement contains the following signing keys:

NbzZZcAt9Q0mnV5OGd9_8DBlsbU

Do you wish to trust these keys? [ynYN] Y
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vg_secure/lv_secure? [yn] y
Enter existing LUKS password:
[root@servera ~]#

Right after that, create a crypttab entry pointing to the encrypted disk.

# vim /etc/crypttab
secure  /dev/vg_secure/lv_secure        none _netdev

Create the fstab entry to mount the file system persistently.

# vim /etc/fstab
/dev/mapper/secure      /secure         ext4  _netdev   1 2

Finally, enable clevis-luks-askpass so the volume is unlocked and mounted during reboots.

# systemctl enable --now clevis-luks-askpass.path

After a reboot /secure is mounted, which confirms that all the previous steps worked.

[root@servera ~]# lsblk
NAME                  MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0   20G  0 disk
├─sda1                  8:1    0  200M  0 part  /boot/efi
├─sda2                  8:2    0    1G  0 part  /boot
└─sda3                  8:3    0 18.8G  0 part
  ├─rhel-root         253:0    0 16.8G  0 lvm   /
  └─rhel-swap         253:1    0    2G  0 lvm   [SWAP]
sdb                     8:16   0   10G  0 disk
└─vg_secure-lv_secure 253:2    0    1G  0 lvm
  └─secure            253:3    0 1022M  0 crypt /secure
sr0                    11:0    1  4.3G  0 rom   /mnt
[root@servera ~]#

Be on the safer side

In case we forget the LUKS passphrase, the header can be restored from a backup; create that backup with the luksHeaderBackup option of the cryptsetup command. Take the backup after the clevis bind, since the clevis keyslot lives in the LUKS header and restoring an older header would drop it. The backup file contains the keyslots, so store it off the server.

# cryptsetup luksHeaderBackup /dev/vg_secure/lv_secure --header-backup-file=/root/luksheader-backup-file

Suppose the passphrase was changed after the backup and the new one is forgotten, so the disk can't be decrypted. The old passphrase is still known, and the backup header still carries its keyslot, so let's recover.

# umount /secure/
# cryptsetup luksClose secure
# cryptsetup luksDump /dev/vg_secure/lv_secure
# cryptsetup luksHeaderRestore /dev/vg_secure/lv_secure --header-backup-file=luksheader-backup-file

Open the LUKS volume and mount it, or reboot and it should mount automatically using NBDE.

That's it, we have auto mounted an encrypted file system with NBDE.