Network Disk Decryption
In essence, clevis binds a secret to the tang server through an ECDH key exchange (the server never sees the secret itself); at unlock time the client repeats the exchange with the tang server, recovers the key and the disk is decrypted automatically. If however the tang server is unavailable, this method fails and you must fall back to manually entering a passphrase.
I decided this is a nice addition to my systemd decryption target, so here’s how I implemented it:
First of all, install a release of the tang server. There’s a package for CentOS and a package in the AUR for Arch Linux. There are probably others, too, but it shouldn’t be too hard to build it yourself either.
yum install tang
I didn’t like tang running on port 80 by default, so I changed it with systemctl edit tangd.socket:
Start and enable the service. Make sure to open the firewall on that port.
systemctl enable --now tangd.socket
You can now make sure that a key is present and print the public key’s thumbprint with tang-show-keys:
Now for the client part on my fileserver. There is a nice post on the Red Hat blog describing the entire procedure. I’m assuming you already have some encrypted disks that you want to set up for network-bound decryption. First, install clevis:
yum install clevis clevis-luks
And make sure that you can reach your tang server:
curl -f tang.yourdomain:51653/adv | jq .
Now we bind a secret to this tang server and add it as a new key on our LUKS disks. This writes to the luksmeta storage in the LUKS header, so take header backups of all disks first to avoid data loss:
cryptsetup luksHeaderBackup /dev/disk/by-id/ata-... --header-backup-file ...
Then bind the disks to the tang server:
clevis luks bind -d /dev/disk/by-id/ata-... \
The advertisement contains the following signing keys:
Do you wish to trust these keys? [ynYN] y
Make sure the key matches the tang-show-keys output above! The advertisement is fetched over plain HTTP, so this thumbprint comparison is the only thing that ties the binding to your own tang server rather than to whatever answered on that port. You’ll be asked to initialize the LUKS metadata storage and must then enter an existing passphrase to add the newly bound secret as a new encryption key to your disk.
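The thumbprint check above can be scripted instead of eyeballed. The following is an added example (not part of this post or of the clevis/tang projects): it takes a tang /adv response, picks out the signing keys and compares their RFC 7638 thumbprints (the format tang-show-keys and the clevis prompt print) against the set you noted on the tang host. The sample advertisement is constructed with dummy curve points; it is for illustration only, and the example does not verify the JWS signature, which clevis does once the keys are trusted.

```python
import base64
import hashlib
import json

# Members that go into the RFC 7638 thumbprint, per key type (sorted order).
_THP_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def _b64url_decode(s: str) -> bytes:
    """Decode base64url with or without padding (jose/tang emit none)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url without padding; non-required
    members such as key_ops or alg are deliberately ignored."""
    members = _THP_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def signing_keys(advertisement: dict) -> list:
    """Signing keys of a tang /adv response: a flattened JWS whose payload
    is {"keys": [...]}, with signing keys marked by key_ops "verify"."""
    payload = json.loads(_b64url_decode(advertisement["payload"]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def advertisement_trusted(advertisement: dict, expected_thumbprints) -> bool:
    """True only if every advertised signing key is one you expected (a
    rogue extra key is a failure) and at least one signing key is present."""
    advertised = {jwk_thumbprint(k) for k in signing_keys(advertisement)}
    return bool(advertised) and advertised <= set(expected_thumbprints)


def constructed_advertisement() -> dict:
    """Constructed sample: one ES512 signing key and one ECMR exchange key;
    x/y are dummy values, not real P-521 points, and the JWS is unsigned."""
    keys = [
        {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["verify"], "x": "AQ", "y": "Ag"},
        {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"], "x": "Aw", "y": "BA"},
    ]
    payload = base64.urlsafe_b64encode(json.dumps({"keys": keys}).encode()).rstrip(b"=").decode()
    return {"payload": payload, "protected": "", "signature": ""}


if __name__ == "__main__":
    adv = constructed_advertisement()
    for key in signing_keys(adv):
        print("advertised signing key:", jwk_thumbprint(key))
```

In practice you would feed it `json.load` of the `curl tang.yourdomain:51653/adv` output and the thumbprints copied from tang-show-keys on the server.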
I didn’t bother to set up automatic decryption on boot since I already have a semi-automatic decryption environment in place with my systemd decryption target. I’m fine with decrypting disks with
clevis luks unlock -d /dev/disk/by-id/ata-... -n mappername
However, I automated this for all four disks in my array with a small script, which reads the disks and /etc/crypttab and then starts
#!/bin/bash
# unlock disks with tang and clevis
echo "+ unlock disks"
# /etc/crypttab lines are: <name> <device> <keyfile> <options>; "opts" swallows the rest.
# Skip blank lines and comments so they are not passed to clevis.
while read -r name disk opts; do
    case "$name" in ""|\#*) continue ;; esac
    echo " $disk"
    clevis luks unlock -d "$disk" -n "$name" \
        || echo "  could not unlock $name (tang unreachable?), fall back to a passphrase"
done < /etc/crypttab
# continue system startup
echo "+ continue startup"
systemctl start continue.service