Initialize Tang Signing Keys

  1. Initialize keys for Tang to use.
    sudo /usr/libexec/tangd-keygen /var/db/tang
  2. Verify that the keys are advertised on the Tang server.

    Check that one of the keys in /var/db/tang is advertised by the Tang server on the port that you configured it to listen on, for example:

    sudo tang-show-keys 7500

    You can use the output from this command to validate the key hash that's used when you configure a client to use this Tang server.
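The check behind step 2, as an added example that is not part of the original procedure or of the Tang project's code: it computes the thumbprint of each advertised signing key and compares it with the value pinned on a client. It assumes that the hash printed by tang-show-keys is the RFC 7638 JWK thumbprint of the signing key, taken with SHA-256 or, on older Tang versions, SHA-1. The JWK Set, its coordinate values, and the function names are constructed for illustration.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, feed the hash.
REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "RSA": ("e", "kty", "n"),
}

def jwk_thumbprint(jwk, alg="sha256"):
    """Return the unpadded base64url RFC 7638 thumbprint of a JWK dict."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    # Canonical form: sorted member names, no whitespace.
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(alg, canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def signing_thumbprints(jwk_set, alg="sha256"):
    """Thumbprints of the advertised keys that can verify signatures."""
    return [jwk_thumbprint(key, alg) for key in jwk_set["keys"]
            if "verify" in key.get("key_ops", [])]

def pin_matches(jwk_set, pinned):
    """True if the pinned value is a signing key's SHA-256 or SHA-1 thumbprint."""
    candidates = (signing_thumbprints(jwk_set, "sha256")
                  + signing_thumbprints(jwk_set, "sha1"))
    return pinned in candidates

# Constructed JWK Set shaped like an advertisement payload: one signing key
# and one exchange key. The x/y strings are placeholders, not real key material.
SAMPLE_ADV = {"keys": [
    {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"],
     "x": "constructed-signing-x", "y": "constructed-signing-y"},
    {"kty": "EC", "crv": "P-521", "alg": "ECMR", "key_ops": ["deriveKey"],
     "x": "constructed-exchange-x", "y": "constructed-exchange-y"},
]}

if __name__ == "__main__":
    for alg in ("sha256", "sha1"):
        print(alg, signing_thumbprints(SAMPLE_ADV, alg))
    pinned = signing_thumbprints(SAMPLE_ADV)[0]  # value recorded out of band
    print("pin matches advertised signing key:", pin_matches(SAMPLE_ADV, pinned))
```

A pinned value that matches only the exchange key, or no key at all, is rejected, which is the condition to treat as a failed verification before trusting the server from a client.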

For better security, rotate the Tang keys periodically so that they don't become stale. See Rotate Tang Keys for more information.

If the Tang server is configured and running, you can install Clevis on client systems and configure automatic decryption for any LUKS encrypted devices on these host systems. See Perform Automated Encryption and Decryption With Clevis for more information.