Network-Bound Disk Encryption (NBDE)
Network-Bound Disk Encryption (NBDE) allows for hard disks to be encrypted without the need to manually enter the encryption passphrase when systems are rebooted. In RedHat/CentOS 7 and 8, this is achieved using a tang server and the clevis framework.
This guide continues on from the pervious guide regarding LUKS encryption. A particular downside to LUKS is the need to manually enter a passphrase at the console for the server to boot. NBDE is designed to resolve this issue should the server have network access to the tang server.
In this article the tang-server has IP address 192.168.0.160 and tang-client 192.168.0.161. Both servers are running CentOS 8.1.
Tang Server
Firstly, let's setup the tang server.
Install the required tang package.
dnf install tangBy default tang will listen on port 80. Enable the tang socket and permit access through the firewall.
systemctl enable tangd.socket
systemctl start tangd.socket
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=httpThe tang keys will exist in the /var/db/tang directory.
Tang Client
Configuring the client is a little more involved. Firstly, configure a LUKS volume following the previous guide.
Once complete, install the clevis packages.
dnf install 'clevis*'
Bind the encrypted disk to the tang server. The example below uses /dev/vg_luks/lv_luks as logical volume created for the encrypted disk - change as necessary based on your name.
clevis luks bind -d /dev/vg_luks/lv_luks tang '{"url": "http://192.168.0.160"}'Enable clevis-luks-askpass to automate the decryption on boot.
systemctl enable clevis-luks-askpass.pathLocate the UUID of the LUKS encrypted disk.
[root@tang-client ~]# cryptsetup luksUUID /dev/vg_luks/lv_luks
ed6cac0c-bcc8-4ba0-9ce8-6be2680fdb57Finally, add the mount into crypttab and fstab.
vi /etc/crypttab
encrypted UUID=ed6cac0c-bcc8-4ba0-9ce8-6be2680fdb57 none _netdev
vi /etc/fstab
/dev/mapper/encrypted /mnt/encrypted xfs defaults,_netdev 0 0Now on reboot the encrypted disk should be automatically decrypted and mounted. If network access to the tang server is broken the passphrase will need to be entered at the console to allow the server to boot.