
Network Bound Disk Encryption (NBDE) on CentOS 8 - Rocky 8 - Rocky 9

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

This is for unlocking LUKS-based encrypted volumes at boot without typing in the passphrase. You need a Tang server (a simple setup) and a Clevis client on the OS whose volumes are LUKS encrypted.

Note: this works for CentOS 7 as well (use yum install instead), but the boot delay at the prompt for the decryption key seems to take almost 2 minutes before it boots.

Install && Configure Clevis Client

https://www.golinuxcloud.com/network-bound-disk-encryption-tang-clevis/

This installs the client software that allows the LUKS volume to be unlocked at boot without entering a passphrase.

Before doing this, make sure your system is updated and rebooted first: you are going to change the initrd, and if a kernel update is pending when you run the dracut command it might not work… so dnf update, then reboot, then follow the steps below.

Install Clevis
sudo dnf install clevis clevis-luks clevis-dracut
Identify LUKS device
sudo blkid -t TYPE=crypto_LUKS -o device

This lists your encrypted devices; perform the next step for each device if there is more than 1.

Bind Clevis Encryption Client to a Tang Server

Change the url to match the IP and port of your Tang server.

sudo clevis luks bind -d /dev/sdb1 tang '{"url":"192.168.0.121:7500"}'

It will ask for your LUKS decryption passphrase; enter it.

If you want to run multiple Tang servers for redundancy, the following example (an sss pin with threshold "t":1) lets an encrypted server boot when either Tang server is up:
https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/security_hardening/deploying-high-availability-nbde-systems_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption

clevis luks bind -d /dev/md125 sss '{"t":1,"pins":{"tang":[{"url":"172.18.18.177:7500"},{"url":"172.18.18.189:7500"}]}}'

Setup Networking for initrd

Dracut Network Options

Force dracut to add the network options to the initrd

sudo vim /etc/dracut.conf.d/clevis.conf

Add:

hostonly_cmdline=yes

You can add dracut options that are applied to each dracut run after a kernel update. If you don't do this, your system will go back to DHCP after a kernel update. You only need to do this once.

sudo vim /etc/dracut.conf.d/network.conf

Add the following

kernel_cmdline="ip=10.49.0.240::10.49.0.1:255.255.255.0::enp1s0:none:10.49.0.10"
Syntax:
ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|ibft}[:[<dns1>][:<dns2>]]

OR if you need to use a VLAN

kernel_cmdline="vlan=vlan221:enp38s0 ip=172.21.49.241::172.21.49.1:255.255.255.0::vlan221:none:1.1.1.1:9.9.9.9"

OR if you need to use a bond, VLAN and bridge

kernel_cmdline="bond=bond0:enp38s0,enp39s0:mode=802.3ad vlan=bond0.221:bond0 bridge=br221:bond0.221 ip=172.21.49.241::172.21.49.1:255.255.255.0::br221:none:1.1.1.1:9.9.9.9"

The reason you see :: between the IP and the gateway is that we left <peer> empty; the same applies to the empty <client_hostname> field between the netmask and the interface.

Create the new initrd

sudo dracut -fv --regenerate-all
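As an added example (not from the original page or the Clevis project), these shell functions build the ip= value from its parts and check a value's field count and autoconf keyword before it goes into network.conf; the function names are my own.

```shell
# Build the ip= value following the syntax line above.
build_ip_cmdline() {
    # $1 client IP, $2 gateway, $3 netmask, $4 interface, $5 dns1, $6 dns2 (optional).
    # <peer> and <client_hostname> are left empty on purpose; that is where the "::" come from.
    local line="ip=$1::$2:$3::$4:none:$5"
    if [ -n "${6:-}" ]; then
        line="$line:$6"
    fi
    printf '%s\n' "$line"
}

# Check one ip= value (pass only the ip= part, not the vlan=/bond=/bridge= prefixes):
# 7 to 9 colon-separated fields and a valid autoconf keyword in field 7.
check_ip_cmdline() {
    local spec="${1#ip=}" nfields autoconf
    nfields=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    if [ "$nfields" -lt 7 ] || [ "$nfields" -gt 9 ]; then
        echo "bad field count $nfields (expected 7 to 9): $1" >&2
        return 1
    fi
    autoconf=$(printf '%s\n' "$spec" | cut -d: -f7)
    case "$autoconf" in
        none|off|dhcp|on|any|dhcp6|auto6|ibft) return 0 ;;
        *) echo "field 7 '$autoconf' is not an autoconf keyword: $1" >&2; return 1 ;;
    esac
}

# Print the network.conf line, but only when the value passes the check.
network_conf_line() {
    local value
    value=$(build_ip_cmdline "$@") || return 1
    check_ip_cmdline "$value" || return 1
    printf 'kernel_cmdline="%s"\n' "$value"
}
```

Run network_conf_line with your own addresses and redirect the output into /etc/dracut.conf.d/network.conf, then regenerate the initrd as above.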

Reset/Remove Clevis Pin

https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/security_hardening/removing-a-clevis-pin-from-a-luks-encrypted-volume-manually_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption

If you change the Tang server configuration and need to update the Clevis client config, first remove the existing Clevis pin:

sudo clevis luks unbind -d /dev/md125 -s 1

To get a list of the Clevis pins, run

sudo cryptsetup luksDump /dev/md125

You should see something like:

      Tokens:
        0: clevis
              Keyslot:  1

If you see more than 1 keyslot, chances are you configured Clevis multiple times instead of removing and reconfiguring slot 1; go ahead and remove them all:

sudo clevis luks unbind -d /dev/md125 -s 1
sudo clevis luks unbind -d /dev/md125 -s 2
sudo clevis luks unbind -d /dev/md125 -s 3
sudo clevis luks unbind -d /dev/md125 -s ...
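An added example (not from the original page) that turns the luksDump check above into a script: it pulls the clevis token keyslots out of the dump output, flags the multiple-binding case described above, and walks every LUKS device found by the blkid query from the client section. The function names and the sample dump are my own; nbde_audit assumes blkid and cryptsetup are on the host and is the only part that needs root.

```shell
# Print the keyslot numbers of every clevis token in luksDump output (stdin).
clevis_keyslots() {
    awk '
        /^[A-Za-z][A-Za-z ]*:$/ { section = $1; next }       # "Keyslots:", "Tokens:", ...
        section == "Tokens:" && $1 ~ /^[0-9]+:$/ { want = ($2 == "clevis"); next }
        section == "Tokens:" && want && $1 == "Keyslot:" {
            slots = slots (slots == "" ? "" : " ") $2; want = 0
        }
        END { print slots }
    '
}

# 0 = exactly one clevis binding, 1 = none, 2 = several (the duplicate-bind mistake above).
check_single_binding() {
    local slots n
    slots=$(clevis_keyslots)
    n=$(printf '%s\n' "$slots" | awk '{ print NF }')
    if [ "$n" -eq 1 ]; then
        return 0
    elif [ "$n" -eq 0 ]; then
        echo "no clevis binding found" >&2; return 1
    else
        echo "clevis bound in keyslots $slots: unbind all but one" >&2; return 2
    fi
}

# Walk every LUKS device on the host (same blkid query as above); needs root.
nbde_audit() {
    local dev rc=0
    for dev in $(blkid -t TYPE=crypto_LUKS -o device); do
        echo "== $dev"
        cryptsetup luksDump "$dev" | check_single_binding || rc=1
    done
    return "$rc"
}

# Constructed sample in luksDump's layout (not a real dump), showing two clevis tokens.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
  1: clevis
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256'
```

Pipe the sample (or a real dump) into check_single_binding to see the warning, or run nbde_audit as root to check every device at once.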

Notes

If the Tang server(s) are offline, the encrypted server won't boot via NBDE; it stops at the LUKS passphrase prompt (where you can enter it manually). But if the Tang server comes online, even after the encrypted server has sat at the LUKS prompt for 2+ days, the encrypted server boots almost as soon as the Tang server is up… it seems to poll for the Tang server(s) constantly.

Note: the instructions below work only up to RHEL 8.2; new installs on 8.3 and later use NetworkManager to set the initrd network settings… the OBSOLETE section is for RHEL 8.2 and below.

OBSOLETE

Update Initrd

You'll want to put in your static IP info, because dracut will overwrite your network config once it initializes.

Backup your network config files as a precaution.

Add static IP info to dracut configuration

sudo vim /etc/dracut.conf.d/network.conf

Add

sudo dracut -f --kernel-cmdline "ip=192.168.122.16 netmask=255.255.255.0 gateway=192.168.122.1 nameserver=192.168.122.1 IPV6INIT=no"
sudo dracut --regenerate-all --force --verbose

ABOVE IS OBSOLETE

Archive

The below is obsolete but left as is since it has useful info that might apply elsewhere.

NOTE: after doing a kernel update it changed the static IP to DHCP. I don't have a workaround for this yet; after kernel updates, trying to do the sudo dracut -f --kernel-cmdline "ip=….." before rebooting caused a broken initrd or whatever… sigh. So must I update the kernel, reboot and lose network access, unlock from the console, then do the dracut….???

Workaround for Kernel Updates???

There is a post-transaction plugin that can be used to run scripts post updates.

https://access.redhat.com/solutions/4175851
https://dnf-plugins-core.readthedocs.io/en/latest/post-transaction-actions.html
https://jsmith.fedorapeople.org/drafts/SMG/html/Software_Management_Guide/ch06s13s02.html

Install

sudo dnf install python3-dnf-plugin-post-transaction-actions

Create action for kernel updates

sudo vim /etc/dnf/plugins/post-transaction-actions.d/kernel.action

Add the following, adjusting it to your IP info

kernel:any:echo '${state} ${name}-${epoch}:${ver}-${rel}.${arch} repo ${repoid}' >>/tmp/kernel-post-trans-actions-trans.log

kernel:any:dracut -f --kver '${ver}.${arch}' '/boot/initramfs-${ver}.${arch}.img' --kernel-cmdline "ip=10.49.100.50 netmask=255.255.255.0 gateway=10.49.100.1 nameserver=10.49.0.10 IPV6INIT=no"

Well, this doesn't seem to work either, probably because aside from the kernel update there are kernel libraries that are installed, so the dracut command can't complete without these; if it would run post kernel/library/etc install then maybe… let's move on to the next attempt.