May 29th, 2018 - Ed's journal

A new feature in RHEL and CentOS 7.4+ is Network Bound Disk Encryption (NBDE).

Specifically, it extends a LUKS encrypted volume so that servers on the local network can be used to unlock it automatically.

In particular, this can be done on root volumes, meaning that _all_ of your 'at rest' data is encrypted.


Why encrypt root? 


- Cloud hosts - you might very well want proprietary information encrypted at rest when it is hosted in the cloud.

- Desktops - if your machines are physically accessible they can be stolen or have their drives removed (or just be booted into 'recovery' mode to bypass audit controls).

- Laptops - losing them on the train.


But all these things come with a pretty significant drawback: in order to reboot them, you need someone to physically enter a password at boot time. That ends up being a pretty big problem if you, for example, want to patch and restart a batch of servers.

So enter NBDE: the client 'talks' to some servers on the local network and uses a key exchange to derive a passphrase for drive decryption. It can do this at boot time, by enabling the network and the appropriate modules in dracut.


CentOS/RHEL 7.4+ ship with the packages needed to do this:

- Clevis (and clevis-dracut) for the client side decryption.

- Tang - the server side of the key exchange.


To set this up you will need 3 things:

- A test host that you can reformat to encrypt as 'client'.

- A decryption server (to run tang). Ideally 2 - or more - for resilience.
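As an added example (not code from the original post), here is the shape of the client-side setup this describes: build a Clevis pin configuration that lists two tang servers and requires only one of them to be reachable (the "2 or more for resilience" point), bind it to the LUKS volume, and regenerate the initramfs so the clevis-dracut module can unlock the volume at boot. The device path /dev/vda2 and the hostnames tang1/tang2.example.com are assumptions; nothing is changed on the system unless APPLY=1 is set, so the script can be read and dry-run safely.

```shell
#!/bin/sh
# Added example for NBDE client setup; not the original post's code.
# Assumes the clevis, clevis-luks and clevis-dracut packages from the post.
# /dev/vda2 and the tang hostnames below are placeholders.
set -eu

# Build a Clevis "sss" (Shamir secret sharing) pin config: the volume unlocks
# when any THRESHOLD of the listed tang servers answer the key exchange.
# Usage: build_sss_config THRESHOLD URL [URL...]
build_sss_config() {
    threshold=$1; shift
    pins=""
    for url in "$@"; do
        pins="${pins:+$pins,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$threshold" "$pins"
}

# "clevis luks bind" adds a new LUKS keyslot whose key can only be recovered
# with the tang servers' help; the existing passphrase slot is left intact,
# so a human can still unlock the disk if every tang server is unreachable.
bind_device() {
    dev=$1; cfg=$2
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: clevis luks bind -d $dev sss '$cfg'"
        return 0
    fi
    clevis luks bind -d "$dev" sss "$cfg"
}

# The clevis-dracut package supplies the initramfs module; the initramfs must
# be rebuilt so early boot brings up the network and runs the unlock.
# (On RHEL 7 the kernel command line may also need rd.neednet=1 so dracut
# enables networking before the root volume is opened.)
rebuild_initramfs() {
    if [ "${APPLY:-0}" != 1 ]; then
        echo "dry run: dracut -f"
        return 0
    fi
    dracut -f
}

# Top-level usage: two tang servers, threshold 1 (either one is enough).
cfg=$(build_sss_config 1 http://tang1.example.com http://tang2.example.com)
bind_device /dev/vda2 "$cfg"
rebuild_initramfs
```

With threshold 1 and two servers the host keeps booting unattended when one tang server is down; raising the threshold to 2 instead means both servers must be reachable, which trades availability for a stricter unlock policy. Either way the original LUKS passphrase slot remains as the fallback.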

