Encrypting all data at rest
Encrypting your data in motion is great, but you also need to encrypt the data at rest. This is especially important in the cloud, where you share physical storage with many other tenants. Your cloud provider may offer automatic encryption, but remember that if the provider can decrypt your data automatically, the provider also holds the keys. To truly protect your data, you need to encrypt it with keys that your cloud provider cannot access. This is easy to do with Linux Unified Key Setup (LUKS). Larger organizations will also want to use Clevis, which unlocks LUKS volumes automatically with the help of a Tang server. Note that Tang does not store your disk keys: it holds its own key pair, the client derives its unlocking key from Tang's public key, and at every boot Tang helps the client re-derive that key without ever learning it. In the cloud, this lets you automate the unlocking of encrypted volumes without the cloud provider having access to your keys. This process is called Network Bound Disk Encryption (NBDE).
NBDE is a security feature available in Oracle Linux that supplies disk encryption keys during the boot process. NBDE extends regular disk encryption by having a network server, rather than only the local machine, take part in recovering the encryption key. Combined with LUKS, which supports multiple key slots, this lets a volume be unlocked either by a local key (a passphrase typed by hand) or automatically through the Tang server. The protection comes from network reachability: a disk or image copied out of your environment cannot contact the Tang server and therefore stays locked. This gives you the simplicity of a secure automated boot, while in an emergency you can still boot without the Tang server by entering the passphrase.
Getting ready
Unlike other recipes, this one will need a minimum of two VMs: one to act as the Tang server and the other to act as a client. Both systems should be updated to the latest software.
How to do it…
In this recipe, we will do the following:
• Create a server named tang:
• Install and configure a Tang server
• Build another server named clevis:
• Install and configure Clevis
• Configure LUKS to work with Clevis to encrypt a data volume
Configuring a Tang server
Oracle Linux uses the Tang server to help clients recover their encryption keys during the boot process. Here’s a basic overview of how it operates:
• When a volume is first bound (provisioning), the client downloads Tang’s public keys, derives a fresh encryption key from Tang’s exchange key, uses it to protect the LUKS key, and keeps only a public value derived from that key in the LUKS header. The secret used for the derivation is discarded.
• During the boot process, the client blinds the stored public value with a fresh random number and sends the blinded value to the Tang server.
• The Tang server applies its private key to whatever it receives and sends the result back. It never learns the client’s key and stores nothing about the client.
• The client removes the blinding, obtains the same key it derived at provisioning time, and uses it to unlock its encrypted drive so it can boot. The blinding value is discarded, so the exchange cannot be replayed.
One of the key benefits of this design is that the Tang server holds no per-client secrets. Compromising the Tang server exposes only its own private key; to unlock a given client, an attacker would additionally need a copy of that client’s LUKS header. This limits the damage that a compromised Tang server can do, and it is why the server must still be protected and its keys rotated if compromise is suspected.
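The exchange described above, modeled in Python as an added example (this is not code from the book or from the tang/clevis projects). It uses the NIST P-256 curve to keep the numbers short, whereas Tang defaults to P-521 and wraps the LUKS key in a JWE; the point arithmetic, the TangServer class and the provision/recover function names are this example’s own. The demo shows that the key derived at bind time is recovered at every boot, that Tang only ever sees freshly blinded points, and that the value stored in the LUKS header is never sent to Tang:

```python
"""Model of the Tang/Clevis key recovery (McCallum-Relyea exchange) over NIST P-256.
Added example; not book or tang/clevis project code. Names and the KDF are illustrative."""
import hashlib
import secrets

# NIST P-256 domain parameters (Tang itself defaults to P-521).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


assert on_curve(G), "curve constants are wrong"


def add(p1, p2):
    """Affine point addition, including doubling and the inverse case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def random_scalar():
    return secrets.randbelow(N - 1) + 1


def kdf(pt):
    """Wrapping key from the shared point (illustrative; clevis uses ECMR plus a JWE)."""
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()


class TangServer:
    """Tang holds a private scalar s and multiplies whatever it is sent by s."""

    def __init__(self):
        self.s = random_scalar()       # never leaves the server
        self.pub = mul(self.s, G)      # published in the /adv advertisement
        self.seen = []                 # everything the server observes from clients

    def recover(self, blinded_point):
        self.seen.append(blinded_point)
        return mul(self.s, blinded_point)


def provision(server_pub):
    """Client side of binding: K = c*S protects the LUKS key; only c*G is kept, c is discarded."""
    c = random_scalar()
    wrapping_key = kdf(mul(c, server_pub))
    client_pub = mul(c, G)             # stored in the LUKS header metadata
    return wrapping_key, client_pub


def recover(server, client_pub, server_pub):
    """Client side at boot: blind, ask Tang, unblind. Tang sees only cG + eG."""
    e = random_scalar()
    x = add(client_pub, mul(e, G))             # X = cG + eG
    y = server.recover(x)                      # Y = sX = scG + seG
    shared = add(y, neg(mul(e, server_pub)))   # Y - eS = scG = cS
    return kdf(shared)


def demo():
    tang = TangServer()
    key_at_bind, client_pub = provision(tang.pub)
    boot1 = recover(tang, client_pub, tang.pub)
    boot2 = recover(tang, client_pub, tang.pub)
    return {"keys_match": key_at_bind == boot1 == boot2,
            "tang_saw_client_pub": client_pub in tang.seen,
            "blinding_is_fresh": tang.seen[0] != tang.seen[1]}


if __name__ == "__main__":
    print(demo())
```

The point that matters for the threat model is visible in recover(): the server receives cG + eG, and without e it cannot separate cS from the result it computes, so neither a passive observer on the boot network nor the Tang operator learns the wrapping key. An attacker who holds both s and a copy of the LUKS header (which contains cG) can compute cS directly, which is why the header and the server key are the two things to protect.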
- To install the Tang server, we will simply install the software with dnf, open the firewall, and enable the service. All of this is done as the root user. Installing via dnf is easy; just run the following command:
dnf install -y tang
- Next, we will add the boot network to the firewall. The trusted network is the subnet that your clients boot from; in this case, 192.168.56.0/24 is my boot subnet. Tang listens on plain HTTP (port 80). That is acceptable because the advertisement is signed and the recovery exchange reveals nothing useful to an eavesdropper, but you should still restrict access to the subnet your clients boot from. Don’t forget to update the subnet to your own when running the following firewall commands:
firewall-cmd --zone=trusted --add-source=192.168.56.0/24
firewall-cmd --zone=trusted --add-service=http
firewall-cmd --runtime-to-permanent
- Configure the service to start upon booting and also start it now with the following command:
systemctl enable --now tangd.socket
You can verify that the socket is active and listening with the following command:
# systemctl status tangd.socket
● tangd.socket - Tang Server socket
Loaded: loaded (/usr/lib/systemd/system/tangd.socket; enabled; vendor preset: disabled)
Active: active (listening) since Mon 2023-07-17 13:52:58 EDT; 2min 46s ago
Listen: [::]:80 (Stream)
Accepted: 0; Connected: 0;
Tasks: 0 (limit: 48611)
Memory: 0B
CGroup: /system.slice/tangd.socket
Jul 17 13:52:58 tang.m57.local systemd[1]: Listening on Tang Server socket.
- Once Tang is running, there should be key files in /var/db/tang. You can also run the tang-show-keys command, which prints the thumbprints of the server’s signing keys. Record these thumbprints: a client can use one to verify that the advertisement it downloads really comes from this server and not from a rogue Tang on the boot network:
[root@tang ~]# tang-show-keys
RxdbjAY7_N19UEYBO6XIUVosv0s
[root@tang ~]#
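The values that tang-show-keys prints are RFC 7638 JWK thumbprints of the advertised signing keys, base64url-encoded without padding; a 27-character value such as the one above is a SHA-1 thumbprint, and a 43-character value is SHA-256. The following added example (not code from the book or from the tang/clevis projects) recomputes such thumbprints from an advertisement payload and checks a pinned value against the signing keys, which is the kind of out-of-band check a client can make before binding a volume. The sample JWKSet is constructed for this example, its x and y coordinates are placeholders rather than a real P-521 point, and it does not verify the advertisement’s JWS signature, which clevis does in addition to the thumbprint check:

```python
"""Compute and pin Tang signing-key thumbprints (RFC 7638 JWK thumbprints).
Added example; not book or tang/clevis project code. Sample keys below are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RFC 7638: hash only the required members, lexicographically ordered, no whitespace.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}
HASHES = {"S1": hashlib.sha1, "S256": hashlib.sha256}


def jwk_thumbprint(jwk: dict, alg: str = "S256") -> str:
    canonical = json.dumps({m: jwk[m] for m in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(HASHES[alg](canonical.encode()).digest())


def signing_keys(adv_payload: str) -> list:
    """The /adv response is a JWS whose payload is a JWKSet; only 'verify' keys are signing keys."""
    keyset = json.loads(b64url_decode(adv_payload))
    return [k for k in keyset["keys"] if "verify" in k.get("key_ops", [])]


def matches_pin(adv_payload: str, pinned_thp: str) -> bool:
    """True if pinned_thp is the thumbprint, under any supported hash, of an advertised signing key."""
    return any(jwk_thumbprint(k, alg) == pinned_thp
               for k in signing_keys(adv_payload) for alg in HASHES)


# Constructed sample in the shape of Tang's JWKSet: one ES512 signing key, one ECMR exchange key.
# The x/y values are placeholders, not a real P-521 point.
SAMPLE_KEYS = {"keys": [
    {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
     "x": "c2lnbi14", "y": "c2lnbi15"},
    {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
     "x": "ZXhjaC14", "y": "ZXhjaC15"},
]}
SAMPLE_PAYLOAD = b64url(json.dumps(SAMPLE_KEYS).encode())

if __name__ == "__main__":
    for key in signing_keys(SAMPLE_PAYLOAD):
        print(jwk_thumbprint(key, "S1"), jwk_thumbprint(key, "S256"))
```

A pin that matches the exchange (deriveKey) key rather than a signing key is rejected on purpose: the thumbprint identifies the key that signs the advertisement, and it is that signature which ties the exchange key to the server you trust.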
Next, let’s set up the client system with LUKS to encrypt the data drive.