Note:

Use Network Bound Disk Encryption on Oracle Linux 8

Introduction

The following tutorial shows you how to configure an Oracle Linux system with disk encryption that is dependent on a network based key service.

Background

In this lab you create an encrypted XFS file system that is automatically unlocked at boot when on the same network as your key server. This lab uses Oracle Linux 8 but the same tools are available on Oracle Linux 7.

Components

What Do You Need?

(Hands-on Lab) Connect to the Compute Instance

Note: This step is specific to the Oracle provided free lab environment.

The Desktop environment will display before the instance(s) are ready. Deployment of this environment can take two to five minutes, depending on the number of resources and provisioning steps needed.

First, to access the lab compute instance(s), connect to the Oracle Cloud Console and copy the compute instance Public IP address.

  1. Sign in to Oracle Cloud Console, and select your Compartment.

  2. Click Instances.

  3. Copy the Public IP to a temporary location (such as a text file) on your computer.

    copy public ip

    To copy, highlight the IP address with the mouse and press Ctrl+C.

  4. Right-click the Virtual Desktop and select Open Terminal Here.

  5. Connect to each instance in a separate terminal session or terminal tab.

    ssh oracle@<IP_ADDRESS_OF_COMPUTE_INSTANCE>
    

    Where <IP_ADDRESS_OF_COMPUTE_INSTANCE> is the IP address copied from the Oracle Cloud Console.

  6. Accept the ECDSA key fingerprint by typing yes at the prompt.

  7. You are now connected to the compute instance for this lab.

If the connection fails with the Permission denied (publickey,gssapi-keyex,gssapi-with-mic) message, wait a bit longer for the provisioning process to complete and try making the ssh connection again.

Install and Configure Tang on the Server Instance

Install Tang, allow it to receive requests on port 80 and start the service.

  1. Open a terminal and connect to your server instance.

  2. Install the Tang package

    sudo dnf install -y tang
    
  3. Note the IP address of the server instance in the local network:

    ip addr sh|grep inet
    

    In this lab environment, the server IP address is configured to be 10.0.0.150 by default.

  4. Add a trusted zone for the network and allow the required port through the firewall for systems in the trusted zone

    sudo firewall-cmd --zone=trusted --add-source=10.0.0.0/24
    sudo firewall-cmd --zone=trusted --add-service=http
    sudo firewall-cmd --runtime-to-permanent
    
  5. Enable the service

    sudo systemctl enable --now tangd.socket
    

Create an Encrypted File System on the Client Instance

Create a passphrase based encrypted disk device, a file system on top of that device and mount it as /encrypted.

  1. Open a terminal and connect to your client instance.

  2. Install the cryptsetup package

    sudo dnf install -y cryptsetup
    
  3. Check the available block devices to make sure that an empty disk is available to host the encrypted file system.

    lsblk
    

    The output displays similarly to the following:

    NAME               MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    sda                  8:0    0 46.6G  0 disk
    ????/sda1               8:1    0  100M  0 part /boot/efi
    ????/sda2               8:2    0    1G  0 part /boot
    ????/sda3               8:3    0 45.5G  0 part
    ????/ocivolume-root 252:0    0 35.5G  0 lvm  /
    ????/ocivolume-oled 252:1    0   10G  0 lvm  /var/oled
    sdb                  8:16   0   50G  0 disk 
    

    Note that sdb is listed as an empty disk. This block device is preconfigured and attached to the client compute instance for this tutorial.

  4. Encrypt the disk by using LUKS.

    sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
     --key-size 512 --hash sha256 --use-random --force-password /dev/sdb
    

    The following warning is displayed and you must confirm that you wish to continue by entering ‘YES’ in uppercase. You must also specify a LUKS passphrase that can be used to decrypt the disk. Make sure you note down this passphrase for future use.

    WARNING!
    ========
    This will overwrite data on /dev/sdb irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter passphrase for /dev/sdb: 
    Verify passphrase:
    Key slot 0 created.
    Command successful.
    

    The options presented in this example are demonstrative and you may need to alter the cipher, hash and key size to fit your environment on a production system. Note that we used the --force-password option in this tutorial to allow you to specify a low quality passphrase for the LUKS key. If this option is not specified, LUKS uses the pwquality.so module to enforce passphrase complexity.

  5. Unlock the block device using the passphrase that you created in the previous step.

    sudo cryptsetup --verbose luksOpen /dev/sdb demodisk 
    

    You are prompted for your passphrase:

    Enter passphrase for /dev/sdb:
    Key slot 0 unlocked.
    Command successful.
    

    A device named demodisk is available under /dev/mapper.

    ls -la /dev/mapper/demodisk
    

    The following output is displayed:

    lrwxrwxrwx. 1 root root 7 Jun  7 10:20 /dev/mapper/demodisk -> ../dm-2
    
  6. Create a file system on the encrypted disk

    sudo mkfs.xfs /dev/mapper/demodisk
    
  7. Identify the UUID of the new filesytem

    blkid -s UUID  /dev/mapper/demodisk
    

    The UUID is displayed as follows:

    /dev/mapper/demodisk: UUID="4057664e-122f-421d-bcb6-2cb5a068a4d8"
    

    Note the UUID for the next step. The easiest way to do this is to store the value in an environment variable that can be re-used in subsequent steps. For example:

    DEMODISK_ID=$(sudo blkid -s UUID /dev/mapper/demodisk |grep -oP 'UUID="\K[^"]+')
    
  8. Create a fstab entry for the file system using the UUID for the new file system that you created

    echo "UUID=$DEMODISK_ID /encrypted xfs defaults 0 0" | sudo tee -a /etc/fstab
    
  9. Mount the file system

    sudo mkdir /encrypted
    sudo mount /encrypted
    

Add a remote key to the encrypted device

Use Clevis to add an additional passphrase to open the encrypted device.

  1. Install the required Clevis packages

    sudo dnf install -y clevis-systemd clevis-luks
    
  2. View the keys

    Note there is one keyslot in use, keyslot 0. In the next step you use an additional keyslot.

    sudo cryptsetup luksDump /dev/sdb
    

    The following output is displayed

    LUKS header information
    Version:       	2
    Epoch:         	3
    Metadata area: 	16384 [bytes]
    Keyslots area: 	16744448 [bytes]
    UUID:          	61ff409e-6e38-4172-8756-e9f6fadf58c1
    Label:         	(no label)
    Subsystem:     	(no subsystem)
    Flags:       	(no flags)
    
    Data segments:
      0: crypt
    	offset: 16777216 [bytes]
    	length: (whole device)
    	cipher: aes-xts-plain64
    	sector: 512 [bytes]
    
    Keyslots:
      0: luks2
    	Key:        512 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      argon2i
    	Time cost:  4
    	Memory:     609527
    	Threads:    2
    	Salt:       b4 3c b8 ac 9a ff 50 c1 5a 4d 3b 61 23 6f 0b 12 
    	            bf 63 1f c5 7b db 17 2f d1 a4 63 98 02 80 8c e7 
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:32768 [bytes]
    	Area length:258048 [bytes]
    	Digest ID:  0
    Tokens:
    Digests:
      0: pbkdf2
    	Hash:       sha256
    	Iterations: 81209
    	Salt:       8f 67 0e e1 4f 4f 25 c6 6e 9a 4c 39 17 8a 7d 72 
    	            d3 6e 60 fd e6 19 81 69 d5 0b 92 9f 8a 5c f5 80 
    	Digest:     8c 1d c2 13 cf a6 91 9c 01 37 9c 42 a9 7e 4d e1 
    	            22 94 7d 63 44 8b e2 5a 5c b7 a0 ab dc 4a 32 99
    
  3. Bind the remote tang key to a LUKS slot using Clevis.

    sudo clevis luks bind -d /dev/sdb tang '{"url":"http://10.0.0.150"}'
    

    You are prompted to confirm that you trust the key provided by the Tang server. Note that you connect to the Tang server on a trusted network IP address. If you bind the LUKS slot to the Tang server on a public IP address the disk can be unlocked from anywhere on the Internet, which is more than likely not desirable.

    The advertisement contains the following signing keys:
    
    9PZH7moczWcBukwc8esiW-dMAJs
    
    Do you wish to trust these keys? [ynYN] y
    Enter existing LUKS password: 
    

    Because no private keys are exchanged between the keyserver and the host with the encrypted disk you may determine TLS is not required in your environment. A reverse proxy may be used to do SSL/TLS termination for Tang as Clevis supports HTTPS.

    If you choose to use HTTPS then your host with the encrypted disk must trust the Certificate Authority used to sign the reverse proxy, see update-ca-trust(8)

  4. Show that a new keyslot in use by Clevis in slot 1

    sudo cryptsetup luksDump /dev/sdb
    

    Output similar to the following is displayed.

    LUKS header information
    Version:       	2
    Epoch:         	5
    Metadata area: 	16384 [bytes]
    Keyslots area: 	16744448 [bytes]
    UUID:          	61ff409e-6e38-4172-8756-e9f6fadf58c1
    Label:         	(no label)
    Subsystem:     	(no subsystem)
    Flags:       	(no flags)
    
    Data segments:
      0: crypt
    	offset: 16777216 [bytes]
    	length: (whole device)
    	cipher: aes-xts-plain64
    	sector: 512 [bytes]
    
    Keyslots:
      0: luks2
    	Key:        512 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      argon2i
    	Time cost:  4
    	Memory:     609527
    	Threads:    2
    	Salt:       b4 3c b8 ac 9a ff 50 c1 5a 4d 3b 61 23 6f 0b 12 
                bf 63 1f c5 7b db 17 2f d1 a4 63 98 02 80 8c e7 
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:32768 [bytes]
    	Area length:258048 [bytes]
    	Digest ID:  0
      1: luks2
    	Key:        512 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      argon2i
    	Time cost:  4
    	Memory:     475561
    	Threads:    2
    	Salt:       d8 fb 40 68 9c ed fa 65 c5 53 a3 3a f6 25 75 98 
    	            c9 39 9d e2 b8 78 56 6a 02 24 60 55 96 8d 68 18 
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:290816 [bytes]
    	Area length:258048 [bytes]
    	Digest ID:  0
    Tokens:
      0: clevis
    	Keyslot:  1
    Digests:
      0: pbkdf2
    	Hash:       sha256
    	Iterations: 81209
    	Salt:       8f 67 0e e1 4f 4f 25 c6 6e 9a 4c 39 17 8a 7d 72 
    	            d3 6e 60 fd e6 19 81 69 d5 0b 92 9f 8a 5c f5 80 
    	Digest:     8c 1d c2 13 cf a6 91 9c 01 37 9c 42 a9 7e 4d e1 
    	            22 94 7d 63 44 8b e2 5a 5c b7 a0 ab dc 4a 32 99
    

Mount the encrypted file system on boot

Configure the system to unlock the encrypted device and mount the file system on boot.

  1. Identify the block device UUID for later use

    sudo blkid -s UUID  /dev/sdb
    

    Output similar to the following is displayed:

    /dev/sdb: UUID="74f0faf1-9cb9-45f9-a3d8-ef276263d729"
    

    Note the UUID for the next step. The easiest way to do this is to store the value in an environment variable that can be re-used in subsequent steps. For example:

    SDB_ID=$(sudo blkid -s UUID /dev/sdb |grep -oP 'UUID="\K[^"]+')
    
  2. Enable the clevis-luks-askpass Systemd service:

    sudo systemctl enable clevis-luks-askpass.path
    
  3. Have the block device unlocked during boot

    The file /etc/crypttab defines how encrypted devices are handled during boot

    echo "encrypteddisk UUID=$SDB_ID - _netdev" | sudo tee -a /etc/crypttab
    
  4. Mount the file system later in the boot

    To ensure the disk is unlocked before the file system is mounted, update the /etc/fstab

    sudo vi /etc/fstab
    

    and change the line for the /encrypted mount from

    UUID=4057664e-122f-421d-bcb6-2cb5a068a4d8 /encrypted xfs defaults 0 0
    

    to

    /dev/mapper/encrypteddisk /encrypted xfs _netdev 0 0
    

    Use the /dev/mapper path for readability and ensure systemd dependencies are generated and _netdev to indicate it is dependent on network devices being available.

    This step can be achieved directly from the command line by running:

    sudo sed -i '/\/encrypted/d' /etc/fstab
    echo '/dev/mapper/encrypteddisk /encrypted xfs _netdev 0 0'|sudo tee -a /etc/fstab
    
  5. Restart the client instance to verify the file system is mounted at boot

    sudo reboot
    

    Once the instance has restarted and you are able to reconnect, confirm that the encrypted file system is mounted correctly.

    df -h /encrypted/
    

    The following output is displayed:

    Filesystem               Size  Used Avail Use% Mounted on
    /dev/mapper/demodisk   50G  389M   50G   1% /encrypted
    

Appendix: Unlock encrypted root during boot

If you have a system with an encrypted root disk you can register a key with the clevis luks bind command described above. To allow an early unlocking you must install a RPM and rebuild the initramfs image as described in the following step.

The Oracle Linux Cloud Infrastructure instances used in this lab do not have an encrypted root disks so it is not possible to demonstrate this functionality in this lab.

  1. Install the clevis-dracut package

    sudo dnf install -y clevis-dracut
    
  2. Rebuild boot files

    sudo dracut -fv
    

If your system does not use DHCP then you must also pass network configuration information to initramfs so it can access your Tang server before root is mounted. For more information see the Network section of dracut.cmdline(7)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

Other resources specific to this tutorial:

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.