Network-Bound Disk Encryption (NBDE)

Network-Bound Disk Encryption (NBDE)

Network-Bound Disk Encryption (NBDE) allows for hard disks to be encrypted without the need to manually enter the encryption passphrase when systems are rebooted. In RedHat/CentOS 7 and 8, this is achieved using a tang server and the clevis framework.

This guide continues on from the pervious guide regarding LUKS encryption.  A particular downside to LUKS is the need to manually enter a passphrase at the console for the server to boot. NBDE is designed to resolve this issue should the server have network access to the tang server.

In this article the tang-server has IP address and tang-client Both servers are running CentOS 8.1.

Tang Server

Firstly, let's setup the tang server.

Install the required tang package.

dnf install tang

By default tang will listen on port 80. Enable the tang socket and permit access through the firewall.

systemctl enable tangd.socket
systemctl start tangd.socket
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=http

The tang keys will exist in the /var/db/tang directory.

Tang Client

Configuring the client is a little more involved. Firstly, configure a LUKS volume following the previous guide.

Once complete, install the clevis packages.

dnf install 'clevis*'

Bind the encrypted disk to the tang server. The example below uses /dev/vg_luks/lv_luks as logical volume created for the encrypted disk - change as necessary based on your name.

clevis luks bind -d /dev/vg_luks/lv_luks tang '{"url": ""}'

Enable clevis-luks-askpass to automate the decryption on boot.

systemctl enable clevis-luks-askpass.path

Locate the UUID of the LUKS encrypted disk.

[root@tang-client ~]# cryptsetup luksUUID /dev/vg_luks/lv_luks

Finally, add the mount into crypttab and fstab.

vi /etc/crypttab
encrypted	UUID=ed6cac0c-bcc8-4ba0-9ce8-6be2680fdb57	none	_netdev
vi /etc/fstab
/dev/mapper/encrypted	/mnt/encrypted	xfs	defaults,_netdev	0 0

Now on reboot the encrypted disk should be automatically decrypted and mounted. If network access to the tang server is broken the passphrase will need to be entered at the console to allow the server to boot.