
How to automatically unlock encrypted disks on Linux

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article is about how to automatically unlock encrypted disks on Linux. The editor thinks it is very practical, so it is shared here as a reference; follow along to have a look.

By using Network bound disk encryption (NBDE), you can open an encrypted disk without manually entering a password.

From a security point of view, it is important to encrypt sensitive data to protect it from snooping and attackers. Linux Unified Key Setup (LUKS) is a good tool and the common standard for Linux disk encryption. Because it stores all relevant setup information in the partition header, it makes data migration easier.

To use LUKS to configure encrypted disks or partitions, you need to use the cryptsetup tool. Unfortunately, one of the disadvantages of encrypted disks is that you have to provide the password manually every time the system is rebooted or the disk is remounted.

However, Network-Bound Disk Encryption (NBDE) can automatically and securely unlock encrypted disks without any user intervention. It is available in a number of Linux distributions, including Red Hat Enterprise Linux 7.4, CentOS 7.4 and Fedora 24 and later versions.

NBDE is implemented using the following technologies:

Clevis framework: a pluggable framework tool that automatically decrypts and unlocks LUKS volumes

Tang server: a service for binding encryption keys to network state

Tang provides the encryption key to the Clevis client. According to Tang developers, this provides a secure, stateless, anonymous alternative to key escrow services.

Because NBDE uses a client-server architecture, you must configure both the client and the server. You can use a virtual machine as a Tang server on your local network.

Server installation

Install Tang with sudo:

sudo yum install tang -y

Enable the Tang server:

sudo systemctl enable tangd.socket --now

The Tang server works on port 80 and needs to be added to the firewalld firewall. Add the appropriate firewalld rules:

sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --reload

The server is now installed.

Client installation

In this example, suppose you have added a new 1GB disk called /dev/vdc to your system.

Create a primary partition using fdisk or parted:

sudo fdisk /dev/vdc

Complete the following steps to install the client:

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x4a6812d4.

Command (m for help):

Enter n to create a new partition:

Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):

Press enter to select the primary partition:

Using default response p
Partition number (1-4, default 1):

Press enter to select the default partition number:

First sector (2048-2097151, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2097151, default 2097151):

Press enter to select the last sector:

Using default value 2097151
Partition 1 of type Linux and of size 1023 MiB is set

Command (m for help): wq

Enter wq to save the changes and exit fdisk:

The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Run partprobe to notify the system of changes in the partition table:

sudo partprobe

Install the cryptsetup package using sudo:

sudo yum install cryptsetup -y

Use the cryptsetup luksFormat command to encrypt the disk. When prompted, you need to enter an uppercase YES and enter a password to encrypt the disk:

sudo cryptsetup luksFormat /dev/vdc1

WARNING!
========
This will overwrite data on /dev/vdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/vdc1:
Verify passphrase:

Use the cryptsetup luksOpen command to map the encrypted partition to a logical device. For example, use encryptedvdc1 as the name. You also need to enter the password again:

sudo cryptsetup luksOpen /dev/vdc1 encryptedvdc1
Enter passphrase for /dev/vdc1:

The encrypted partition is now available as /dev/mapper/encryptedvdc1.

Create an XFS file system on the encrypted partition:

sudo mkfs.xfs /dev/mapper/encryptedvdc1

Create a directory on which the encrypted partition will be mounted:

sudo mkdir /encrypted

Use the cryptsetup luksClose command to lock the partition:

sudo cryptsetup luksClose encryptedvdc1

Install the Clevis package using sudo:

sudo yum install clevis clevis-luks clevis-dracut -y

Modify / etc/crypttab to open the encrypted volume at startup:

sudo vim /etc/crypttab

Add the following line:

encryptedvdc1 /dev/vdc1 none _netdev

Modify / etc/fstab to mount the encrypted volume automatically on reboot or startup:

sudo vim /etc/fstab

Add the following line:

/dev/mapper/encryptedvdc1 /encrypted xfs _netdev 1 2

In this example, assume that the IP address of the Tang server is 192.168.1.20. If you like, you can also use the hostname or domain name.

Run the following clevis command:

sudo clevis luks bind -d /dev/vdc1 tang '{"url": "http://192.168.1.20"}'
The advertisement contains the following signing keys:

rwA2BAITfYLuyNiIeYUMBzkhk7M

Do you wish to trust these keys? [ynYN] Y
Enter existing LUKS password:

Enter Y to accept the key of the Tang server and provide the existing LUKS password for initial setup.
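The thumbprint shown in that prompt is what the client will trust from then on, so before answering Y compare it with the output of tang-show-keys run on the Tang server itself; the advertisement is signed by the very key it carries, so this out-of-band comparison is the real trust decision. The following added example (not part of the original article) shows what that thumbprint is and how to recompute it from a fetched advertisement: an RFC 7638 JWK thumbprint, SHA-1 by default, of each key offered for signing. The advertisement inside is constructed, with placeholder key coordinates and signature.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, sorted by name, feed the thumbprint hash.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict, algorithm: str = "sha1") -> str:
    """RFC 7638 thumbprint. Tang and Clevis print SHA-1 ('S1') by default,
    which is why the value in the trust prompt is 27 characters long."""
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.new(algorithm, canonical.encode()).digest())

def signing_key_thumbprints(advertisement: dict, algorithm: str = "sha1") -> list:
    """Thumbprints of the signing keys in a Tang advertisement: a JWS in JSON
    serialization whose payload is a JWK set. Only keys with "verify" in
    key_ops are signing keys; the deriveKey exchange key is skipped. The JWS
    signature is not checked here, since it is made by the advertised keys."""
    payload = json.loads(b64url_decode(advertisement["payload"]))
    return [jwk_thumbprint(k, algorithm) for k in payload["keys"]
            if "verify" in k.get("key_ops", [])]

def build_sample_advertisement() -> dict:
    """Constructed stand-in for GET http://<tang>/adv; coordinates and
    signature are placeholder bytes, not a real P-521 point or ECDSA value."""
    fake_x = b64url_encode(bytes(range(66)))
    fake_y = b64url_encode(bytes(range(66, 132)))
    keys = {"keys": [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
         "x": fake_x, "y": fake_y},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
         "x": fake_y, "y": fake_x},
    ]}
    return {"payload": b64url_encode(json.dumps(keys).encode()),
            "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
            "signature": b64url_encode(bytes(132))}

if __name__ == "__main__":
    for thp in signing_key_thumbprints(build_sample_advertisement()):
        print("signing key thumbprint, compare with tang-show-keys:", thp)
```

Against a real server, replace build_sample_advertisement() with the JSON returned by fetching /adv from the Tang URL given to clevis, and pass "sha256" as the algorithm if your tang-show-keys prints 43-character values.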

Enable clevis-luks-askpass.path through systemctl so that non-root encrypted partitions are unlocked at boot without prompting for a password:

sudo systemctl enable clevis-luks-askpass.path

The client has been installed. Now, every time you restart the server, the encrypted disk should be automatically decrypted and the key retrieved from the Tang server for mounting.

If the Tang server is not available for any reason, you need to provide a password manually to decrypt and mount the partition.

Thank you for reading! This is the end of the article on "how to automatically unlock encrypted disks on Linux". I hope the above content has been of some help to you and that you have learned something new. If you think the article is good, share it so that more people can see it!
