2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In this issue, Xiaobian shows you how to automatically unlock an encrypted disk on Linux. The article is rich in content and analyses the topic from a professional perspective; after reading it, I hope you will have gained something.
By using Network Bound Disk Encryption (NBDE), encrypted disks can be opened without manually entering a password.
From a security perspective, it is important to encrypt sensitive data to protect it from snooping and hacking. Linux Unified Key Setup (LUKS) is a great tool and the common standard for Linux disk encryption. Because it stores all the relevant setup information in the partition header, it makes data migration simple.
To configure encrypted disks or partitions using LUKS, you need to use the cryptsetup tool. Unfortunately, one disadvantage of encrypted disks is that you have to manually supply the password every time the system restarts or the disk is remounted.
Network-Bound Disk Encryption (NBDE), however, can automatically and securely unlock encrypted disks without any user intervention. It can be used in a number of Linux distributions, starting with Red Hat Enterprise Linux 7.4, CentOS 7.4, and Fedora 24, as well as later versions.
NBDE is implemented using the following technologies:
Clevis: a pluggable framework that automatically decrypts and unlocks LUKS volumes
Tang Server: A service for binding encryption keys to network states
Tang provides encryption keys to Clevis clients. According to Tang's developers, this provides a secure, stateless, anonymous alternative to key escrow services.
Since NBDE uses a client-server architecture, you must configure both client and server. You can use a virtual machine on your local network as a Tang server.
Server installation
Install Tang with sudo:
sudo yum install tang -y
Enable Tang Server:
sudo systemctl enable tangd.socket --now
The Tang server listens on port 80, which must be opened in the firewalld firewall. Add the corresponding firewalld rule and reload:
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --reload
The server is now installed.
Client installation
In this example, assume that you have added a new 1GB disk named /dev/vdc to your system.
Create a primary partition using fdisk or parted:
sudo fdisk /dev/vdc
Complete the following steps to install the client:
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x4a6812d4.
Command (m for help):
Enter n to create a new partition:
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):
Press Enter to select the default, a primary partition:
Using default response p
Partition number (1-4, default 1):
Press Enter to select the default partition number:
First sector (2048-2097151, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2097151, default 2097151):
Press Enter to select the last sector:
Using default value 2097151
Partition 1 of type Linux and of size 1023 MiB is set
Command (m for help): wq
Enter wq to save changes and exit fdisk:
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Run partprobe to notify the system of the partition table change:
sudo partprobe
Install cryptsetup package using sudo:
sudo yum install cryptsetup -y
Encrypt the partition using the cryptsetup luksFormat command. When prompted, type YES in capital letters to confirm, then enter the passphrase that will encrypt the disk:
sudo cryptsetup luksFormat /dev/vdc1
WARNING!
========
This will overwrite data on /dev/vdc1 irrevocably.
Are you sure? (Type uppercase yes):
Enter passphrase for /dev/vdc1:
Verify passphrase:
Use the cryptsetup luksOpen command to map the encrypted partition to a logical device; this example uses the name encryptedvdc1. You need to enter the passphrase again:
sudo cryptsetup luksOpen /dev/vdc1 encryptedvdc1
Enter passphrase for /dev/vdc1:
The encrypted partition is now available as /dev/mapper/encryptedvdc1.
Create an XFS file system on the encrypted partition:
sudo mkfs.xfs /dev/mapper/encryptedvdc1
Create a directory on which to mount the encrypted partition:
sudo mkdir /encrypted
Lock the partition again using the cryptsetup luksClose command:
sudo cryptsetup luksClose encryptedvdc1
Install the Clevis packages using sudo:
sudo yum install clevis clevis-luks clevis-dracut -y
Edit /etc/crypttab so that the encrypted volume is opened at boot time:
sudo vim /etc/crypttab
Add the following line:
encryptedvdc1 /dev/vdc1 none _netdev
Edit /etc/fstab so that the encrypted volume is mounted automatically on restart or boot:
sudo vim /etc/fstab
Add the following line:
/dev/mapper/encryptedvdc1 /encrypted xfs _netdev 1 2
In this example, assume that the IP address of the Tang server is 192.168.1.20. You can also use a host name or domain name if you prefer.
Run the following clevis command:
sudo clevis bind luks -d /dev/vdc1 tang '{"url":"http://192.168.1.20"}'
The advertisement contains the following signing keys:
rwA2BAITfYLuyNiIeYUMBzkhk7M
Do you wish to trust these keys? [ynYN] Y
Enter existing LUKS password:
Enter Y to accept the Tang server key and provide the existing LUKS password for initial setup.
Enable clevis-luks-askpass.path via systemctl so that you are not prompted for the passphrase of non-root partitions at boot:
sudo systemctl enable clevis-luks-askpass.path
The client is now set up. Every time you restart the system, the encrypted disk should be decrypted automatically, with the key retrieved from the Tang server, and mounted.
If the Tang server is unavailable for any reason, you will need to manually supply the password to decrypt and mount the partition.
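A common cause of a boot that stalls at a passphrase prompt is a missing _netdev option in one of the two files edited above, since systemd then tries to unlock the volume before the network (and the Tang server) is reachable. The following pre-reboot check is an added example, not part of the original article or the Clevis project; the function names (netdev_ok, check_nbde_volume, runtime_checks) are this example's own, and the clevis luks list subcommand is assumed to exist only on newer Clevis releases.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the crypttab and
# fstab entries of a Clevis/Tang-unlocked LUKS volume both carry _netdev.

# netdev_ok FILE KEY: succeed when a non-comment line in FILE whose first field
# is KEY lists _netdev in its options field. crypttab (name device keyfile
# options) and fstab (device mountpoint type options ...) both keep the
# options in field 4, so one parser serves both files.
netdev_ok() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        $1 == want {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "_netdev") ok = 1
        }
        END { exit ((found && ok) ? 0 : 1) }
    ' "$1"
}

# check_nbde_volume NAME [CRYPTTAB] [FSTAB]: check both entries for the LUKS
# mapping NAME (e.g. encryptedvdc1). Returns 0 only when both have _netdev.
check_nbde_volume() {
    name=$1; crypttab=${2:-/etc/crypttab}; fstab=${3:-/etc/fstab}; rc=0
    if netdev_ok "$crypttab" "$name"; then
        echo "ok:   $crypttab entry for $name has _netdev"
    else
        echo "FAIL: $crypttab has no _netdev entry for $name"; rc=1
    fi
    if netdev_ok "$fstab" "/dev/mapper/$name"; then
        echo "ok:   $fstab entry for /dev/mapper/$name has _netdev"
    else
        echo "FAIL: $fstab has no _netdev entry for /dev/mapper/$name"; rc=1
    fi
    return $rc
}

# runtime_checks DEVICE: optional live checks, meaningful only on the client.
# Assumption: "clevis luks list" is available (newer Clevis releases only).
runtime_checks() {
    systemctl is-enabled clevis-luks-askpass.path 2>/dev/null \
        || echo "warn: clevis-luks-askpass.path is not enabled"
    command -v clevis >/dev/null 2>&1 && clevis luks list -d "$1" 2>/dev/null
}

# Usage: sh nbde-check.sh encryptedvdc1 [/etc/crypttab] [/etc/fstab]
if [ $# -gt 0 ]; then
    check_nbde_volume "$@"
fi
```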
The above is how to automatically unlock an encrypted disk on Linux, as shared by Xiaobian. If you have similar doubts, you may wish to refer to the above analysis. To learn more, please follow the industry information channel.