May 29th, 2018 - Ed's journal — LiveJournal

A new feature in RHEL and CentOS 7.4+ is Network Bound Disk Encryption (NBDE).

Specifically - it extends a LUKS-encrypted volume so that some servers on the local network can be used to perform the decryption automatically.

And in particular - this can be done on root volumes, meaning that _all_ of your 'at rest' data is encrypted.

Why encrypt root? 

- Cloud hosts - you might very well want to have proprietary information encrypted at rest when being hosted in the cloud

- Desktops - if your machines are physically accessible they can be stolen or have drives removed. (Or just be booted into 'recovery' mode to bypass audit controls)

- Laptops - losing them on the train. 

But all these things come with a pretty significant drawback - in order to reboot them, you need someone to physically enter a password at boot time. That ends up being a pretty big problem if you - for example - want to patch and restart a batch of servers.

So enter NBDE - the client 'talks' to some servers on the local network, and uses a key exchange to generate a passphrase for drive decryption. It can do this at boot time, by enabling the network and the appropriate modules in dracut.

CentOS/RHEL 7.4+ ship with the packages needed to do this:

- Clevis (and clevis-dracut) for the client-side decryption.

- Tang - the authentication/decryption server.
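The key exchange the post refers to is Tang's McCallum-Relyea construction: at bind time the client derives a key K from the server's public key and keeps only a public value C; at boot it blinds C with a fresh ephemeral secret, so the server can help recover K without ever learning C's secret or K, and without storing any per-client state. The following is an added illustration (not code from the post, Clevis or Tang) that runs the exchange in a toy multiplicative group mod a Mersenne prime; real Tang does the same steps with ECDH on NIST P-521, and the SHA-256 key derivation at the end is a stand-in for Clevis's own JWE wrapping.

```python
import hashlib
import secrets

# Toy cyclic group for illustration only: Z_p^* with a Mersenne prime modulus.
# Tang itself works on NIST P-521 points; the algebra below is identical.
P = 2**521 - 1
G = 3


def tang_keygen():
    """Tang server: long-lived private key s and advertised public key S = G^s."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def clevis_bind(S):
    """Client at bind time: K = S^c wraps the LUKS passphrase; only C = G^c is stored.
    The secret c is thrown away, so K cannot be recomputed without the server."""
    c = secrets.randbelow(P - 2) + 1
    return pow(G, c, P), pow(S, c, P)


def clevis_blind(C):
    """Client at boot: blind the stored C with an ephemeral e and send X = C * G^e."""
    e = secrets.randbelow(P - 2) + 1
    return (C * pow(G, e, P)) % P, e


def tang_respond(s, X):
    """Tang server: stateless reply Y = X^s. X is blinded, so C and K stay hidden."""
    return pow(X, s, P)


def clevis_unblind(Y, e, S):
    """Client: Y = G^(cs) * G^(es); dividing out S^e = G^(se) leaves K = G^(cs)."""
    inverse_blind = pow(pow(S, e, P), P - 2, P)  # Fermat inverse, P is prime
    return (Y * inverse_blind) % P


def derive_disk_key(K):
    """Stand-in for Clevis's key derivation: hash the group element to a hex key."""
    return hashlib.sha256(K.to_bytes(66, "big")).hexdigest()


def run_exchange():
    """Full bind-then-boot round trip; returns (key at bind, key recovered at boot)."""
    s, S = tang_keygen()
    C, K = clevis_bind(S)
    X, e = clevis_blind(C)
    return derive_disk_key(K), derive_disk_key(clevis_unblind(tang_respond(s, X), e, S))


if __name__ == "__main__":
    bound, recovered = run_exchange()
    print("recovered key matches:", bound == recovered)
```

Note what the server never sees: C, e and K. Only a host holding the Tang private key s produces a usable Y, which is exactly why the post recommends running two or more Tang servers and why a copied disk is useless off the network.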

To set this up you will need 3 things:

- A test host that you can reformat to encrypt as 'client'

- A decryption server (to run tang). Ideally 2 - or more - for resilience.
