Jeff’s note
Disk encryption: LUKS ( Linux Unified Key Setup) with Tang
Key component

- tang server: answers the key-exchange requests that clevis sends when the encrypted server boots and has to unlock its LUKS disk from inside the dracut initramfs. Tang keeps no per-client state and never learns the disk key; it only holds its own key pairs.
- encrypted server: needs clevis and dracut. clevis binds a LUKS key slot to the tang server, and its dracut module runs the exchange early at boot so the disk unlocks without a typed passphrase as long as the tang server is reachable.

Network topology

|-------------------------|                       |------------|
|LUKS encrypted server    |-- disk decryption --> |tang server |
|(clevis, dracut) [env]   |<----- response ------ |[tang]      |
|-------------------------|                       |____________|

Tang server

Software installation via apt on x86_64 Ubuntu 20.04:

```bash
adm@tang:~$ sudo apt-get install tang -y

## check version
adm@tang:~$ apt list --installed | grep tang
tang/focal,now 7-1build1 amd64 [installed]

## Enable the tangd service
adm@tang:~$ sudo systemctl enable tangd.socket
```

Create an override file that moves the socket to port 7500 (the packaged unit listens on port 80) to prevent a port conflict:

```bash
adm@tang:~$ sudo systemctl edit tangd.socket
```

```ini
# tangd.socket
[Socket]
ListenStream=
ListenStream=7500
```

The empty ListenStream= line clears the port inherited from the packaged unit; without it the socket would listen on both 80 and 7500.

```bash
adm@tang:~$ sudo systemctl daemon-reload

## Check that your configuration is working:
adm@tang:~$ sudo systemctl show tangd.socket -p Listen
Listen=[::]:7500 (Stream)

## Start the tangd service
adm@tang:~$ sudo systemctl restart tangd.socket
adm@tang:~$ sudo systemctl status tangd.socket
● tangd.socket - Tang Server socket
     Loaded: loaded (/lib/systemd/system/tangd.socket; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/tangd.socket.d
             └─override.conf
     Active: active (listening) since Mon 2022-03-14 00:54:03 UTC; 1h 25min ago
   Triggers: ● tangd@0.service
     Listen: [::]:7500 (Stream)
   Accepted: 0; Connected: 0;
      Tasks: 0 (limit: 984)
     Memory: 44.0K
     CGroup: /system.slice/tangd.socket

Mar 14 00:54:03 d systemd[1]: Listening on Tang Server socket.
```

Make sure 7500/tcp is reachable from the encrypted server: the unlock runs in the initramfs before the full system is up, so the path to the tang server must not depend on anything that starts later in boot.

encrypted server: try clevis, luks to bind with tang

Assume that the tang server is now running on 192.168.100.10:7500. We need to run clevis to bind the local encrypted disk (/dev/md0 in this case) with tang.
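Before binding, clevis fetches http://192.168.100.10:7500/adv, a JWS whose payload is the tang server's JWK set, and asks "Do you wish to trust these keys?" while listing the RFC 7638 thumbprints of the keys marked for signing. The reference values come from running tang-show-keys 7500 on the tang host itself, over a channel you already trust; the transport to tang is plain, unauthenticated HTTP by design, so this comparison is the only thing that stops a host on the path from serving its own self-consistent advertisement. The script below is an added example, not code from the original post or from the tang/clevis projects, written in Python (stdlib only) so it runs stand-alone: it computes the same thumbprints tang-show-keys prints, picks out the signing keys from an advertisement, and accepts or refuses it against a trusted set. The advertisement and its EC coordinates are constructed for the demo and are not real curve points, and the JWS signature itself (checked by jose inside clevis) is not re-implemented here.

```python
"""Check a Tang advertisement's signing keys before `clevis luks bind`.

Added example, not part of the original post. Sample data is constructed.
"""
import base64
import hashlib
import json

# Members that enter the RFC 7638 canonical form, per key type.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-add the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical JSON: required members only, sorted, no whitespace."""
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url; this is what tang-show-keys prints."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest()
    return b64url_encode(digest)


def signing_keys(adv: dict) -> list:
    """Keys in the advertisement payload whose key_ops allow signature checks."""
    payload = json.loads(b64url_decode(adv["payload"]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def check_advertisement(adv: dict, trusted: set) -> set:
    """Thumbprints of advertised signing keys that are also in `trusted`.

    Empty result: none of the server's signing keys was verified out of
    band, so the bind must not proceed.
    """
    return {thumbprint(k) for k in signing_keys(adv)} & set(trusted)


def sample_keys(label: str) -> list:
    """Constructed JWK set shaped like Tang's: one ES512 signing key and one
    ECMR exchange key. Coordinates are hashes of `label`, not curve points."""
    def point(tag: str) -> str:
        return b64url_encode(hashlib.sha512(f"{label}-{tag}".encode()).digest())
    return [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
         "x": point("sx"), "y": point("sy")},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
         "x": point("ex"), "y": point("ey")},
    ]


def make_sample_advertisement(label: str = "tang") -> dict:
    """Constructed /adv response in JWS JSON form; the signature is a placeholder."""
    payload = json.dumps({"keys": sample_keys(label)}, separators=(",", ":"))
    return {
        "payload": b64url_encode(payload.encode("ascii")),
        "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
        "signature": b64url_encode(b"\x00" * 132),  # placeholder, not verified here
    }


if __name__ == "__main__":
    # What you would have copied from `tang-show-keys 7500` on the tang host.
    trusted = {thumbprint(k) for k in signing_keys(make_sample_advertisement("tang"))}
    for label in ("tang", "rogue"):
        adv = make_sample_advertisement(label)
        matched = check_advertisement(adv, trusted)
        if matched:
            thp = sorted(matched)[0]
            print(label, "ok; pin config:",
                  json.dumps({"url": "http://192.168.100.10:7500", "thp": thp}))
        else:
            print(label, "refuse: advertised signing keys are not trusted")
```

Once the thumbprint is known, putting it in the pin config as "thp" makes clevis fail the bind (or a later unlock) instead of prompting when the advertisement is not signed by that key, which is the form you want in an unattended setup.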
Encryption · Linux Unified Key Setup