Confirm Tang Key Implementation on Encrypted Device

Follow these steps to confirm that the Tang key configuration applied to an encrypted partition or volume on the host was implemented successfully.

What Do You Need?

Steps

  1. In the Cockpit web console Storage page, select a drive from the Drives table.

  2. In the Storage [model name] page, navigate to the Partitions table.
  3. In the Partitions table, find the row with the encrypted partition or volume and then click the down arrow icon to expand the table information.

    An Encryption tab appears.

  4. Click the Encryption tab and navigate to the Keys section.
  5. In the Keys section, verify that the Tang server properties appear in the Keys list, for example:

    Keys
    Passphrase                               Slot 0
    Keyserver: tangserver.example.com:7500   Slot 1

  6. Perform the following steps to verify that the bindings are available for early boot:
    1. In the Cockpit web console, click Terminal to access the terminal window.
    2. Use the lsinitrd command to verify that the host Clevis bindings are available for early boot, for example:

      sudo lsinitrd | grep clevis

      Output similar to the following appears:

      clevis
      clevis-pin-sss
      clevis-pin-tang
      clevis-pin-tpm2
      -rwxr-xr-x   1 root  root   1600 May 3 16:30 usr/bin/clevis
      -rwxr-xr-x   1 root  root   1654 May 3 16:30 usr/bin/clevis-decrypt
      ...
      -rwxr-xr-x   2 root  root     45 May 3 16:30 usr/lib/dracut/hooks/initqueue/settled/60-clevis-hook.sh
      -rwxr-xr-x   1 root  root   2257 May 3 16:30 usr/libexec/clevis-luks-askpass
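
The early-boot check in step 6 can be made pass/fail instead of read by eye. The following script is an added example, not part of the original procedure: it reads an lsinitrd listing and reports any Clevis module or file from the sample output above that is absent. The function names and the required-item lists are assumptions drawn from that sample output, and the embedded listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): validate an lsinitrd listing.
# The required names are the ones in this page's sample output; treat them as
# an assumption and adjust for the clevis version on your host.
REQUIRED_MODULES="clevis clevis-pin-tang"
REQUIRED_FILES="usr/bin/clevis usr/bin/clevis-decrypt
usr/lib/dracut/hooks/initqueue/settled/60-clevis-hook.sh
usr/libexec/clevis-luks-askpass"

# has_entry KIND NAME LISTING: succeed if the listing has a one-word line equal
# to NAME (dracut module) or a line whose last field is NAME (file).
has_entry() {
    printf '%s\n' "$3" | awk -v kind="$1" -v name="$2" '
        kind == "module" && NF == 1 && $1 == name { found = 1 }
        kind == "file"   && NF > 1  && $NF == name { found = 1 }
        END { exit !found }'
}

# check_clevis_initrd: read a listing on stdin; print OK or the missing items.
check_clevis_initrd() {
    listing=$(cat)
    missing=""
    for m in $REQUIRED_MODULES; do
        has_entry module "$m" "$listing" || missing="$missing module:$m"
    done
    for f in $REQUIRED_FILES; do
        has_entry file "$f" "$listing" || missing="$missing file:$f"
    done
    [ -z "$missing" ] || { echo "MISSING:$missing"; return 1; }
    echo "OK"
}

# Constructed sample listings, modelled on the output shown above.
sample_ok() {
    cat <<'EOF'
clevis
clevis-pin-sss
clevis-pin-tang
-rwxr-xr-x   1 root  root   1600 May 3 16:30 usr/bin/clevis
-rwxr-xr-x   1 root  root   1654 May 3 16:30 usr/bin/clevis-decrypt
-rwxr-xr-x   2 root  root     45 May 3 16:30 usr/lib/dracut/hooks/initqueue/settled/60-clevis-hook.sh
-rwxr-xr-x   1 root  root   2257 May 3 16:30 usr/libexec/clevis-luks-askpass
EOF
}
sample_no_tang() { sample_ok | grep -vx 'clevis-pin-tang'; }

# On a real host: sudo lsinitrd | check_clevis_initrd
```

A non-zero exit status means the initramfs lacks something needed to reach the Tang server at boot, so the volume would fall back to the passphrase in Slot 0.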