==== Network Bound Disk Encryption (NBDE) on CentOS 8 - Rocky 8 - Rocky 9 ====

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

This is for unlocking LUKS-encrypted volumes at boot without typing in the passphrase. You need a Tang server (a simple setup) and a Clevis client on the OS that is LUKS-encrypted. The volume only opens automatically while the client can reach the Tang server(s) it was bound to; the LUKS passphrase keeps working from the console as the fallback, so keep it somewhere safe.

Note: this works for CentOS 7 as well (use ''yum install'' instead of ''dnf install''), but the boot delay at the prompt for the decryption key takes almost 2 minutes before it boots.

==== Install && Configure Clevis Client ====

[[https://www.golinuxcloud.com/network-bound-disk-encryption-tang-clevis/]]

This will install the client software that allows the LUKS volume to be unlocked at boot without entering a passphrase.

Before doing this make sure your system is updated and rebooted first. You are going to regenerate the initrd, and if you have a pending kernel update when you run the dracut command it might not work... so ''dnf update'', then reboot, then follow the steps below.

== Install Clevis ==

<code bash>
sudo dnf install clevis clevis-luks clevis-dracut
</code>

== Identify LUKS device ==

<code bash>
sudo blkid -t TYPE=crypto_LUKS -o device
</code>

This will list your encrypted devices. Perform the next step for each device if there is more than one.

== Bind Clevis Encryption Client to a Tang Server ==

Change the URL to match the IP and port of your Tang server.

<code bash>
sudo clevis luks bind -d /dev/sdb1 tang '{"url":"192.168.0.121:7500"}'
</code>

It will first print the thumbprint of the signing key advertised by the Tang server and ask whether you trust it. Compare that thumbprint with the output of ''tang-show-keys'' run on the Tang server itself before answering; that check is the only thing stopping a host on the path from impersonating your Tang server at bind time. It will then ask for your LUKS decryption passphrase; enter it. The binding is stored in a new LUKS keyslot, so the original passphrase still works.
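As an added example (not from the page and not part of the Clevis project), the blkid and bind steps above wrapped into a bash script that loops over every LUKS device, builds the pin configuration JSON (the single-Tang form used here, and the sss form for several Tang servers that the redundancy section further down binds with), and then reads the keyslot numbers of the clevis tokens back out of ''cryptsetup luksDump'' so you can see that the binding landed. The Tang URL, the ''NBDE_BIND'' switch and the sample luksDump text are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not part of the original page: bind every LUKS volume on the
# host to a Tang server and verify the result from the LUKS2 token table.
# TANG_URL and the Tang servers in the sss example are placeholders; point
# them at your own servers.
set -eu

TANG_URL="${TANG_URL:-http://192.168.0.121:7500}"

# Pin configuration for a single Tang server, as passed to `clevis luks bind`.
tang_pin_config() {
    printf '{"url":"%s"}' "$1"
}

# Shamir (sss) configuration for several Tang servers: the volume unlocks when
# any THRESHOLD of the listed servers answer. Refuses a threshold the listed
# servers can never meet, which would make the volume unbootable via NBDE.
# Usage: sss_pin_config THRESHOLD URL [URL...]
sss_pin_config() {
    local t="$1" pins="" url
    shift
    if [ "$t" -lt 1 ] || [ "$t" -gt "$#" ]; then
        echo "sss_pin_config: threshold $t not satisfiable with $# tang pins" >&2
        return 1
    fi
    for url in "$@"; do
        pins="${pins:+$pins,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$t" "$pins"
}

# Keyslot numbers of every clevis token in `cryptsetup luksDump` output read
# from stdin, one per line. No output means the device has no NBDE binding.
clevis_keyslots() {
    awk '
        /^Tokens:/                                  { in_tokens = 1; next }
        in_tokens && /^[A-Za-z]/                    { in_tokens = 0 }
        in_tokens && /^[[:space:]]+[0-9]+: clevis/  { want = 1; next }
        in_tokens && want && /Keyslot:/             { print $2; want = 0 }
    '
}

# Constructed sample of the relevant part of a luksDump, for offline testing.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256'

sample_keyslots() {
    printf '%s\n' "$SAMPLE_LUKSDUMP" | clevis_keyslots
}

# Bind every LUKS device found by blkid (the page's step) and report the slots.
# The interactive trust prompt is left in place on purpose: compare the
# thumbprint it prints with `tang-show-keys` on the Tang server before typing y.
bind_all_to_tang() {
    local dev cfg
    cfg=$(tang_pin_config "$TANG_URL")
    for dev in $(blkid -t TYPE=crypto_LUKS -o device); do
        echo "binding $dev to $TANG_URL"
        clevis luks bind -d "$dev" tang "$cfg"
        echo "clevis keyslots on $dev: $(cryptsetup luksDump "$dev" | clevis_keyslots | tr '\n' ' ')"
    done
}

if [ "${NBDE_BIND:-0}" = 1 ]; then
    bind_all_to_tang
fi
```

Run it as ''NBDE_BIND=1 TANG_URL=http://192.168.0.121:7500 sudo -E bash nbde-bind.sh'' to actually bind; without the switch it only defines the helpers, so you can source it and call ''sss_pin_config 1 URL1 URL2'' to produce the JSON for the high-availability bind by hand.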
If you want to run multiple Tang servers for redundancy, the following example will allow an encrypted server to boot when either one of the Tang servers is up: \\
https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/security_hardening/deploying-high-availability-nbde-systems_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption

<code bash>
sudo clevis luks bind -d /dev/md125 sss '{"t":1,"pins":{"tang":[{"url":"172.18.18.177:7500"},{"url":"172.18.18.189:7500"}]}}'
</code>

''"t":1'' is the threshold: the volume unlocks when any 1 of the listed Tang servers answers. That is what gives you the redundancy, but it also means the key material held by any single Tang server is enough to unlock the disk; set ''"t":2'' if you would rather require both servers than tolerate one being down.

==== Setup Networking for initrd ====

== Dracut Network Options ==

Force dracut to carry the network settings from the kernel command line into the initrd:

<code bash>
sudo vim /etc/dracut.conf.d/clevis.conf
</code>

Add:

<code>
hostonly_cmdline=yes
</code>

You can add dracut options that will be applied on every dracut run, including the one triggered by a kernel update. If you don't do this then your system will go back to DHCP in the initrd after a kernel update. You only need to do this once.

<code bash>
sudo vim /etc/dracut.conf.d/network.conf
</code>

Add the following:

<code>
kernel_cmdline="ip=10.49.0.240::10.49.0.1:255.255.255.0::enp1s0:none:10.49.0.10"
</code>

Syntax (from dracut.cmdline(7)):

<code>
ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|ibft}[:[<dns1>][:<dns2>]]
</code>

OR if you need to use a VLAN:

<code>
kernel_cmdline="vlan=vlan221:enp38s0 ip=172.21.49.241::172.21.49.1:255.255.255.0::vlan221:none:1.1.1.1:9.9.9.9"
</code>

OR if you need to use a bond, VLAN and bridge:

<code>
kernel_cmdline="bond=bond0:enp38s0,enp39s0:mode=802.3ad vlan=bond0.221:bond0 bridge=br221:bond0.221 ip=172.21.49.241::172.21.49.1:255.255.255.0::br221:none:1.1.1.1:9.9.9.9"
</code>

So the reason you see ''::'' between the IP and the gateway is that the optional ''<peer>'' field was left empty; the same is true for the empty ''<client_hostname>'' field between the netmask and the interface name. Every field keeps its position, so an empty one still needs its colon.

Create the new initrd:

<code bash>
sudo dracut -fv --regenerate-all
</code>

==== Reset/Remove Clevis Pin ====

https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/security_hardening/removing-a-clevis-pin-from-a-luks-encrypted-volume-manually_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption

If you change the Tang server configuration and need to update the Clevis client config, then remove the existing Clevis pin:

<code bash>
sudo clevis luks unbind -d /dev/md125 -s 1
</code>

To get a list of the Clevis pins run:

<code bash>
sudo cryptsetup luksDump /dev/md125
</code>

You should see something like:

<code>
Tokens:
  0: clevis
	Keyslot:    1
</code>

(''sudo clevis luks list -d /dev/md125'' shows the same slots together with the pin configuration bound in each.)

If you see more than one clevis keyslot, chances are you ran ''clevis luks bind'' multiple times instead of unbinding and rebinding slot 1; every bind consumes a fresh keyslot. Go ahead and remove them all, using the slot numbers shown under ''Tokens'' (the slot holding your passphrase, normally keyslot 0, has no clevis token and must stay):

<code bash>
sudo clevis luks unbind -d /dev/md125 -s 1
sudo clevis luks unbind -d /dev/md125 -s 2
sudo clevis luks unbind -d /dev/md125 -s 3
sudo clevis luks unbind -d /dev/md125 -s ...
</code>

==== Notes ====

If the Tang server(s) is offline the encrypted server won't boot via NBDE; it will stop at the prompt for the LUKS key (and you can enter it manually). But if the Tang server comes online, even after the encrypted server has sat at the LUKS prompt for 2+ days, then the encrypted server boots almost as soon as the Tang server comes online: it keeps polling for the Tang server(s) in the background while the prompt is up.

Note: the instructions below work only up until RHEL 8.2; new installs on 8.3 and later use NetworkManager to configure networking in the initrd. The OBSOLETE section is for RHEL 8.2 and below.

==== OBSOLETE ====

== Update Initrd ==

You'll want to put your static IP info in, because dracut will overwrite your network config once it initializes. Backup your network config files as a precaution.

Add static IP info to the dracut configuration:

<code bash>
sudo vim /etc/dracut.conf.d/network.conf
</code>

Add:

<code bash>
sudo dracut -f --kernel-cmdline "ip=192.168.122.16 netmask=255.255.255.0 gateway=192.168.122.1 nameserver=192.168.122.1 IPV6INIT=no"
sudo dracut --regenerate-all --force --verbose
</code>

=== ABOVE IS OBSOLETE ===

== Archive ==

The below is obsolete but left as is since it has useful info that might apply elsewhere.

NOTE: after doing a kernel update it changed the static IP to DHCP. I don't have a workaround for this yet; after kernel updates, trying to do the ''sudo dracut -f --kernel-cmdline "ip=....."'' before rebooting caused a broken initrd or whatever... sigh.
So must I update the kernel, reboot and lose network access, unlock from the console, then do the dracut....???

== Workaround for Kernel Updates??? ==

There is a post-transaction plugin that can be used to run scripts after updates.

[[https://access.redhat.com/solutions/4175851]] \\
[[https://dnf-plugins-core.readthedocs.io/en/latest/post-transaction-actions.html]] \\
[[https://jsmith.fedorapeople.org/drafts/SMG/html/Software_Management_Guide/ch06s13s02.html]]

Install:

<code bash>
sudo dnf install python3-dnf-plugin-post-transaction-actions
</code>

Create an action for kernel updates:

<code bash>
sudo vim /etc/dnf/plugins/post-transaction-actions.d/kernel.action
</code>

Add the following, adjusting to your IP info:

<code>
kernel:any:echo '${state} ${name}-${epoch}:${ver}-${rel}.${arch} repo ${repoid}' >>/tmp/kernel-post-trans-actions-trans.log
kernel:any:dracut -f --kver '${ver}.${arch}' '/boot/initramfs-${ver}.${arch}.img' --kernel-cmdline "ip=10.49.100.50 netmask=255.255.255.0 gateway=10.49.100.1 nameserver=10.49.0.10 IPV6INIT=no"
</code>

Well, this doesn't seem to work either, probably because aside from the kernel package itself there are kernel libraries that get installed, so the dracut command can't complete without these. If it ran after the kernel/library/etc. install then maybe... let's move on to the next attempt.
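The kernel-update problem this archived section fought with is what the ''kernel_cmdline='' drop-in from the Setup Networking for initrd section solves: dracut reads ''/etc/dracut.conf.d/'' on every run, so the static ''ip='' argument survives each new initramfs. As an added example (not from the page and not dracut's own tooling), a bash helper that builds the ''ip='' argument field by field so the empty ''<peer>'' and ''<client_hostname>'' positions get their ''::'' placeholders right, composes the drop-in line with any ''vlan=''/''bond=''/''bridge='' prefixes, writes both drop-ins, regenerates the initramfs, and finally lists the command-line fragments dracut embedded so you can confirm the address is really in there. Addresses, interface names and the drop-in paths are the page's own; the ''NBDE_APPLY'' switch and the ''lsinitrd'' verification step are assumptions added here.

```bash
#!/bin/bash
# Added example, not part of the original page: build the dracut ip= argument
# from named fields, persist it as a dracut.conf.d drop-in so every future
# dracut run (kernel updates included) keeps the static initrd network, then
# show what actually got baked into the initramfs.
set -eu

NETWORK_CONF="${NETWORK_CONF:-/etc/dracut.conf.d/network.conf}"
CLEVIS_CONF="${CLEVIS_CONF:-/etc/dracut.conf.d/clevis.conf}"

# dracut_ip_arg CLIENT PEER GATEWAY NETMASK HOSTNAME IFACE AUTOCONF [DNS1 [DNS2]]
# Emits ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:<autoconf>[:[<dns1>][:<dns2>]]
# Empty optional fields keep their colon, which is where the "::" in the
# page's examples comes from. Rejects an autoconf keyword dracut won't accept.
dracut_ip_arg() {
    local client="$1" peer="$2" gw="$3" mask="$4" host="$5" iface="$6" auto="$7"
    local dns1="${8:-}" dns2="${9:-}" arg
    case "$auto" in
        none|off|dhcp|on|any|dhcp6|auto6|ibft) ;;
        *) echo "dracut_ip_arg: unknown autoconf '$auto'" >&2; return 1 ;;
    esac
    # A static config without an address or interface leaves the initrd with
    # no network at all, which is exactly the NBDE failure mode being avoided.
    if [ "$auto" = none ] || [ "$auto" = off ]; then
        if [ -z "$client" ] || [ -z "$iface" ]; then
            echo "dracut_ip_arg: static config needs a client IP and an interface" >&2
            return 1
        fi
    fi
    arg="ip=$client:$peer:$gw:$mask:$host:$iface:$auto"
    if [ -n "$dns1$dns2" ]; then
        arg="$arg:$dns1"
    fi
    if [ -n "$dns2" ]; then
        arg="$arg:$dns2"
    fi
    printf '%s' "$arg"
}

# dracut_network_conf [PREFIX...] IPARG -> the kernel_cmdline= line for the
# drop-in. Prefixes are the vlan=/bond=/bridge= settings, which must come
# before ip= so the interface named in ip= exists when it is configured.
dracut_network_conf() {
    local line
    line=$(printf '%s ' "$@")
    printf 'kernel_cmdline="%s"\n' "${line% }"
}

# Write both drop-ins and rebuild every installed initramfs (the page's steps).
apply_network_conf() {
    printf 'hostonly_cmdline=yes\n' > "$CLEVIS_CONF"
    dracut_network_conf "$@" > "$NETWORK_CONF"
    dracut -fv --regenerate-all
}

# Verification: print every cmdline fragment embedded in the running kernel's
# initramfs. The kernel_cmdline= value lands in one of these files (dracut
# writes it to etc/cmdline.d/01-default.conf); if ip= is missing here, the
# initrd will fall back to DHCP and Tang will be unreachable at boot.
show_initrd_cmdline() {
    local img="/boot/initramfs-$(uname -r).img" f
    for f in $(lsinitrd "$img" | awk '/etc\/cmdline\.d\/.*\.conf$/ { print $NF }'); do
        echo "== $f"
        lsinitrd -f "$f" "$img"
    done
}

if [ "${NBDE_APPLY:-0}" = 1 ]; then
    # Static IP on a VLAN, the page's second example; adjust for your site.
    apply_network_conf "vlan=vlan221:enp38s0" \
        "$(dracut_ip_arg 172.21.49.241 "" 172.21.49.1 255.255.255.0 "" vlan221 none 1.1.1.1 9.9.9.9)"
    show_initrd_cmdline
fi
```

Without ''NBDE_APPLY=1'' the script only defines the helpers, so you can source it and run ''dracut_ip_arg'' to check an argument before putting it in the drop-in; with the switch it writes the files, regenerates the initramfs and prints the embedded fragments, which is the check worth doing after every kernel update.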