Skip to content

Latest commit

 

History

History
98 lines (75 loc) · 5.17 KB

lab3_NBDE.adoc

File metadata and controls

98 lines (75 loc) · 5.17 KB
Raw

Lab 3: How to use Network Bound Disk Encryption (NBDE) to securely decrypt LUKs encrypted volumes

Goal of Lab

The goal of this lab is to understand how to use Network Bound Disk Encryption (NBDE) to securely decrypt LUKs encrypted volumes. You will install the Tang server on our NBDE1 server, and install the Clevis client on NBDE2.

Introduction

Network-Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of hard drives on physical and virtual machines without requiring to manually enter a password when systems are restarted. Red Hat Enterprise Linux implements NBDE with a central server named Tang, and and client framework named Clevis.

Tang is used to bind data to a secure network. It is stateless and does not require TLS or authentication. Tang does not interact with client keys, so it never obtains identifying information from the client. Clevis provides automated unlocking of LUKS volumes.

Clevis and Tang are generic client and server components that provide network bound encryption. In Red Hat Enterprise Linux 7, they are used in conjunction with LUKS to encrypt and decrypt root and non-root storage volumes to accomplish Network Bound Disk Encryption.

Lab 3.1 Installing the Tang server

  1. Navigate to the Lab information page from Lab 0 Setup steps. This page has your environment’s power control and consoles. Click on the console for NBDE1. Login to the NBDE1 server as root using the password r3dh4t1!.

    200

  2. Then, install the tang packages

    [root@nbde1 ~]# yum install tang

    NOTE: If you wanted to copy and paste text to send to the console, you could also press the T button at the top right of your console if you didn’t want to type text into the console directly. This is mainly recommended for longer commands. 500

  3. Finally, enable the tang service in systemd:

    [root@nbde1 ~]# systemctl enable tangd.socket --now

Since tangd uses the systemd socket activation mechanism, the server starts as soon as the first connection comes in. A new set of cryptographic keys is automatically generated at the first start.

Lab 3.2 Installing the Clevis Client

Your NBDE2 server is already encrypted and this exercise will install the client packages that will allow you to un-encrypt the root device drive upon boot without manual intervention.

  1. Navigate to the Lab information page from Lab 0 Setup steps. This page has your environment’s power control and consoles. Click on the console for NBDE2. The passphrase for the LUKs encrypted disk on NBDE2 is r3dh4t1!. You will need to enter the pass phrase to complete the boot process. If you wanted to copy and paste text to send to the console, press the T button at the top right of your console.

    200 500

  2. Login to the NBDE2 server as root using the password r3dh4t1!.

  3. Then, install the clevis packages:

    [root@nbde2 ~]# yum install clevis clevis-luks clevis-dracut

  4. Next, we will initialize the luks binding to the tang server. If you wanted to copy and paste the text below to send to the console, press the T button at the top right of your console (See the picture above on Step #1).

    [root@nbde2 ~]# clevis bind luks -d /dev/vda2 tang '{"url":"http://nbde1.example.com"}'
    Note
    		 This command performs four steps: 1) Creates a new key with the same entropy as the LUKS master key. 2) Encrypts the new key with Clevis. 3) Stores the Clevis JWE object in the LUKS header with LUKSMeta. 4) Enables the new key for use with LUKS.

  5. You will be asked to trust the keys. Answer ‘y’ to this question.

  6. Next, enter the existing LUKS password, which is r3dh4t1!.

  7. This disk can now be unlocked with your existing passphrase as well as with the Clevis policy.

Lab 3.3 Verify LUKS Header

  1. To verify that the Clevis JWE object is successfully placed in a LUKS header, use the luksmeta show command on NBDE2. Slot 0 will be active and empty. This slot represent the prompt to see when the server boots. Slot 1 or 2 will be active with the JSON Web Encryption (JWE) key. This is the slot that enable the unattended boot process. You may see an inactive Slot as well. You can ignore this as it will not be used.

    [root@nbde2 ~]# luksmeta show -d /dev/vda2
0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty

Lab 3.4 Enable Decryption on the Boot Process

  1. To enable the early boot system to process the disk binding, enter the following command on NBDE2.

    [root@nbde2 ~]# dracut -f
    Note
    		 Pass the -vf parameter if you want to see verbose output.

Lab 3.5 Reboot NBDE2 and test that NBDE was successfully configured

  1. Reboot NBDE2. When the prompt comes up for the LUKs passphrase, wait a few seconds and NBDE2 should automatically begin the boot process without requiring you to enter a password.

    [root@nbde2 ~]# reboot