Create a Tang Key for Encrypted Device

For host systems that support a network-bound disk encryption (NBDE) environment, Cockpit administrators can use the Storage page to bind an existing LUKS encrypted device to a Tang server: the Tang keyserver address is added as a key source alongside the LUKS passphrase, so the device can be unlocked without typing the passphrase.

What Do You Need?

  • The Cockpit web console must be installed and accessible.

    For details, see these topics: Install and Enable Cockpit and Log in to the Cockpit Web Console.

  • The cockpit-storaged package must be installed.

    Note:

    If the cockpit-storaged package isn't installed, see Install and Manage Add-on Applications.
  • Configuration requirements for adding a Tang server key include:
    • A LUKS encrypted partition or volume on the host system.
    • A Tang server configuration on the host network.
    • A host with decryption client software (Clevis) installed.

    Note:

    LUKS can store multiple keys in different key slots, any of which unlocks the data. System administrators can keep the primary passphrase that unlocks a disk or volume alongside the NBDE Tang server key. On host systems that use LUKS encryption alone, users are prompted for a passphrase before they can access data stored on the encrypted disk partition. On host systems with LUKS and an NBDE environment, no user input is required: during boot the Clevis client contacts the Tang server, recovers the key, and unlocks the device, and the LUKS passphrase prompt closes automatically. If the Tang server can't be reached, the prompt remains and the primary passphrase can still be used to unlock the device.

    For more information about how to set up network-bound disk encryption, see Oracle Linux: Enabling Network-Bound Disk Encryption. For more information about configuring LUKS encryption using the Cockpit web console, see Encrypt Block Devices With LUKS.

  • An unmounted file system, if the encrypted device uses the LUKS1 format.

    Important:

    Devices that use the LUKS2 format can be re-encrypted (encryption key or algorithm changed) while they're in use. The LUKS1 format doesn't provide online re-encryption, so devices encrypted with LUKS1 might require you to unmount the file system before encryption property changes can be applied.
  • Administrator privileges.

Steps

Using the Cockpit web console, follow these steps to add Tang key properties to an existing encrypted partition or volume configuration.

  1. In the Storage page, select a drive from the Drives table.

  2. In the Storage [model name] page, navigate to the Partitions table.
  3. In the Partitions table, find the row with the encrypted partition or volume and then click the down arrow icon to expand the table information.

    An Encryption tab appears.

  4. Click the Encryption tab and navigate to the Keys section.
  5. In the Keys section, click the plus [+] icon to add a Tang key.

    The Add Key dialog appears.

  6. In the Add Key dialog, specify the following information and then click Add.

    Important:

    For information about configuring multiple passphrase keys for LUKS encryption, see Change Passphrase Key for LUKS Encryption.

    • Key source: Select the Tang keyserver radio button.
    • Keyserver address: In the Keyserver address text box, specify the fully qualified domain name (FQDN) or IP address of the Tang server, including the port number that the server uses, for example, tangserver.example.com:7500.

      Note:

      By default, the Tang server listens on port 80. However, you can configure the server to use a different port number. For instructions, see Oracle Linux: Enabling Network-Bound Disk Encryption.

    • Disk passphrase: In the Disk passphrase text box, if the LUKS passphrase isn't already entered, specify the current LUKS passphrase for the encrypted device. Cockpit needs it to add the Tang key to a free LUKS key slot.

    After you click Add, the Verify key dialog appears, displaying the key hash (thumbprint) of the Tang server's signing key together with instructions for verifying it.
  7. Perform these steps to verify the key hash:
    1. Click Terminal. A host terminal window appears.

    2. Obtain the key hash from the advertisement that the Tang server serves by typing the following command (use the same address and port that you entered in the Add Key dialog).

      sudo curl -s tangserver.example.com:7500/adv | jose fmt -j- -g payload -y -o- | jose jwk use -i- -r -u verify -o- | jose jwk thp -i-

      Verify that the key hash that the command prints matches the hash that's displayed in the Verify key dialog. For an independent check, compare both values with the output of tang-show-keys run on the Tang server itself. If the hashes don't match, don't trust the key: the advertisement you received might not be the Tang server's, and accepting a key that an attacker on the network path controls would let that attacker unlock the device.

  8. In the Verify key dialog, click Trust key.

  9. From the Terminal window in the Cockpit web console, regenerate the initramfs so that the Clevis client is included and the device can be unlocked during early boot.

    sudo dracut -fv --regenerate-all
  10. To confirm that the Tang server key configuration is successful, see Confirm Tang Key Implementation on Encrypted Device.
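To show what the key hash compared in step 7 actually is, the following is an added example in Python (not Cockpit's, Tang's, or Oracle's own code) that recomputes the hash from a Tang advertisement the same way the jose pipeline does: it extracts the JWS payload, keeps the key whose key_ops include "verify", and computes the RFC 7638 JWK thumbprint, with SHA-256 or SHA-1 selectable to match whichever value the dialog shows (jose selects these with -a S256 and -a S1). The advertisement it parses is constructed inline with placeholder key material so that the example runs offline; the function names and the constructed_advertisement() stand-in are this example's own. To check a real server, feed the body returned by curl -s tangserver.example.com:7500/adv to verify_key_thumbprints() instead.

```python
"""Recompute the Tang key hash that Cockpit's Verify key dialog shows.

Added example, not Cockpit's or Tang's own code. It mirrors the jose pipeline
from the procedure:
  jose fmt -g payload     -> pull the payload out of the advertisement (a JWS)
  jose jwk use -u verify  -> keep only the key(s) whose key_ops include "verify"
  jose jwk thp            -> RFC 7638 JWK thumbprint (-a S256 or -a S1)
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that go into the thumbprint, per key type.
# They are serialized with no whitespace, in lexicographic member order.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> bytes:
    """The exact bytes RFC 7638 hashes: required members only, sorted, compact."""
    try:
        members = REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    subset = {name: jwk[name] for name in members}
    return json.dumps(subset, separators=(",", ":"), sort_keys=True).encode("utf-8")


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 thumbprint; hash_name is "sha256" (jose -a S256) or "sha1" (-a S1)."""
    return b64url_encode(hashlib.new(hash_name, canonical_jwk(jwk)).digest())


def advertisement_keys(adv_json: str) -> list:
    """Pull the JWK set out of a Tang advertisement (a JWS in flattened JSON form).

    Like `jose fmt -g payload`, this does not check the JWS signature: the
    thumbprint comparison against the dialog is what establishes trust."""
    adv = json.loads(adv_json)
    payload = json.loads(b64url_decode(adv["payload"]))
    return payload["keys"]


def verify_key_thumbprints(adv_json: str, hash_name: str = "sha256") -> list:
    """Thumbprints of the keys whose key_ops include "verify", i.e. the signing key(s)."""
    return [
        jwk_thumbprint(key, hash_name)
        for key in advertisement_keys(adv_json)
        if "verify" in key.get("key_ops", [])
    ]


def displayed_hash_matches(adv_json: str, displayed: str) -> bool:
    """True if the value shown in the Verify key dialog matches a signing key (SHA-256 or SHA-1)."""
    candidates = verify_key_thumbprints(adv_json, "sha256") + verify_key_thumbprints(adv_json, "sha1")
    return displayed.strip() in candidates


def constructed_advertisement() -> str:
    """CONSTRUCTED stand-in for the body of `curl -s tangserver.example.com:7500/adv`.

    The coordinates and signature are placeholder bytes, not a real Tang key;
    the shape (one ES512 verify key, one ECMR deriveKey key) follows Tang's."""
    keys = {"keys": [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
         "x": b64url_encode(b"\x01" * 66), "y": b64url_encode(b"\x02" * 66)},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
         "x": b64url_encode(b"\x03" * 66), "y": b64url_encode(b"\x04" * 66)},
    ]}
    return json.dumps({
        "payload": b64url_encode(json.dumps(keys).encode("utf-8")),
        "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
        "signature": b64url_encode(b"\x00" * 132),
    })


if __name__ == "__main__":
    adv = constructed_advertisement()
    for name in ("sha256", "sha1"):
        print(name, verify_key_thumbprints(adv, name))
```

Only the key marked for "verify" is hashed; the deriveKey key in the same advertisement is the one Clevis later uses for the exchange, and it is trusted only because the signing key you just pinned vouches for it. Because neither this example nor the jose pipeline checks the advertisement's signature, the out-of-band comparison against the hash the dialog shows (and, where possible, tang-show-keys on the server) is the only thing standing between you and a substituted key.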