Install and Test Clevis
The following instructions describe how to install the Clevis client software on an Oracle Linux instance, how to test the Clevis software by performing a basic encryption task using keys provided by a Tang server, and how to update existing initrd boot images to integrate with the Clevis client for automatic decryption of LUKS encrypted partitions at boot time.
- Install the clevis package and related dependencies:

    sudo dnf install -y clevis clevis-luks clevis-udisks2 clevis-dracut

  Each package has a different function:

  - clevis provides the basic decryption client that can communicate with a Tang server.
  - clevis-luks is required to integrate Clevis with LUKS to perform automatic disk or volume decryption.
  - clevis-udisks2 is required to integrate Clevis with the udisks framework that's used for removable storage, so that Clevis can trigger LUKS decryption of removable disks.
  - clevis-dracut is required to integrate Clevis with Dracut so that the Clevis tools can be included in initrd images for early-boot integration.
- Test Clevis.
To test that Clevis can encrypt data using the keys provided by the Tang server, follow these steps:
  - Create a plain text file with some content that you intend to encrypt:

      echo "this is my secret message" > unencrypted.txt

  - Encrypt the plain text file using the Tang server that you have set up and configured on the trusted network, and pipe the output into a separate file. Note that the command also prompts you to trust the signing key:

      clevis encrypt tang '{"url":"http://tang-server.example.org:7500"}' < unencrypted.txt > secret.jwe
      ...
      The advertisement contains the following signing keys:

      i9sPMu_sn6vMjzyJm8ZALj7opDE

      Do you wish to trust these keys? [ynYN] Y

    The Tang server responds to the request by providing a signing key, which is used to recover the strong cryptographic key that encrypts the data during the provisioning process.

  - Inspect the encrypted content that's returned by the clevis encrypt command:

      cat secret.jwe
      eyJhbGciOiJFQ0RILUVTIiwiY2xldmlzIjp7InBpbiI6InRhbmciLCJ0YW5n
      Ijp7ImFkdiI6eyJrZXlzIjpbeyJhbGciOiJFQ01SIiwiY3J2IjoiUC01MjEi
      LCJrZXlfb3BzIjpbImRlcml2ZUtleSJdLCJrdHkiOiJFQyIsIngiOiJBUVNs
      ...
      bTJIWkpva19ETXZXTzVBejN0Zzg0dzBRd01xam9pczVnVFNzZlhTbERyNUVI

  - Decrypt the data in the encrypted file to ensure that decryption is possible:

      cat secret.jwe | clevis decrypt
      this is my secret message

    The clevis decrypt command uses metadata that's stored during the encryption process to derive the key that decrypts the data, using information returned from a POST request to the Tang server.
- Update initrd boot images for Clevis integration.
  The clevis-dracut package is installed so that Clevis operations can be included in the initrd boot image for early-boot decryption. After you have installed this package, run the dracut command to rebuild the existing initrd boot image so that it integrates with Clevis:

    sudo dracut -f

  This step makes it possible for Clevis to unlock a LUKS encrypted partition at boot time, provided the Tang server is reachable. Note that you're still prompted for a LUKS passphrase at boot; however, if one isn't entered and Clevis can contact the Tang server, LUKS unlocks the device and the passphrase prompt closes after a short period.
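Before relying on a file like secret.jwe (or a LUKS binding) at boot, it is worth checking what it is actually bound to: the Clevis metadata in the JWE's protected header names the pin, the Tang URL and, in the kid field, the thumbprint of the advertised exchange key that was used. The following is an added example, not code from the page or from the Clevis project; it parses that header with the standard library only and works on a constructed sample header (the key coordinates, URL and placeholder ciphertext are made up, not a real Tang key). It accepts either a SHA-1 or SHA-256 RFC 7638 thumbprint as the kid, since the hash clevis uses has varied between versions.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_thumbprints(jwk: dict) -> set:
    # RFC 7638: hash the canonical JSON of the required EC members only
    # (crv, kty, x, y), sorted, with no whitespace.
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       separators=(",", ":"), sort_keys=True).encode()
    return {b64url_encode(hashlib.sha1(canon).digest()),
            b64url_encode(hashlib.sha256(canon).digest())}


def inspect_clevis_jwe(jwe: str) -> dict:
    # Compact JWE: header.encrypted_key.iv.ciphertext.tag; only the header
    # is needed to see which Tang server and key the secret is bound to.
    hdr = json.loads(b64url_decode(jwe.split(".")[0]))
    clevis = hdr.get("clevis", {})
    tang = clevis.get("tang", {})
    # The exchange key is the advertised key whose key_ops include deriveKey.
    derive_keys = [k for k in tang.get("adv", {}).get("keys", [])
                   if "deriveKey" in k.get("key_ops", [])]
    kid = hdr.get("kid")
    return {"pin": clevis.get("pin"), "url": tang.get("url"), "kid": kid,
            "kid_in_adv": any(kid in jwk_thumbprints(k) for k in derive_keys)}


# Constructed sample (hypothetical key and URL, not the page's secret.jwe).
SAMPLE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
              "kty": "EC", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_HEADER = {"alg": "ECDH-ES", "enc": "A256GCM",
                 "clevis": {"pin": "tang",
                            "tang": {"adv": {"keys": [SAMPLE_KEY]},
                                     "url": "http://tang-server.example.org:7500"}},
                 "kid": min(jwk_thumbprints(SAMPLE_KEY))}
# Empty encrypted_key segment (ECDH-ES) and placeholder iv/ciphertext/tag.
SAMPLE_JWE = b64url_encode(json.dumps(SAMPLE_HEADER).encode()) + "..aXY.Y3Q.dGFn"

if __name__ == "__main__":
    print(json.dumps(inspect_clevis_jwe(SAMPLE_JWE), indent=2))
```

Run it against a real secret.jwe by replacing SAMPLE_JWE with the file contents; a URL or kid you do not recognise means the secret is bound to a server or key other than the one you intended.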