2025-04-11 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
In this article the editor shows how to use Stratis network-bound disk encryption (NBDE). Most people are not very familiar with it, so the article is shared for your reference; I hope you learn a lot from it. Let's get started!
Prerequisites
NBDE requires Stratis 2.3 or later. The examples in this article use a pre-release version of Fedora Linux 34. The final version of Fedora Linux 34 will include Stratis 2.3.
Overview of network-bound disk encryption (NBDE)
One of the main challenges of encrypted storage is having a secure way to unlock the storage again after the system reboots. Entering an encryption passphrase manually does not scale well in a large environment. NBDE solves this problem by allowing encrypted storage to be unlocked automatically.
At a high level, NBDE requires a Tang server in the environment. The client system (using the Clevis Tang pin) can automatically decrypt its storage as long as it can establish a network connection to the Tang server. If there is no network connection to the Tang server, the storage must be decrypted manually.
The idea behind this is that the Tang server is reachable only on the internal network, so if an encrypted device is lost or stolen it can no longer reach the internal network to contact the Tang server, and therefore it will not be decrypted automatically.
For more information about Tang and Clevis, see the man pages (man tang, man clevis), Tang's GitHub page, and Clevis's GitHub page.
Set up the Tang server
This example uses another Fedora Linux system as the Tang server with the hostname tang-server. Install the tang package first.
# dnf install tang
Then enable and start tangd.socket with systemctl.
# systemctl enable tangd.socket --now
Tang uses TCP port 80, so you also need to open that port in the firewall.
# firewall-cmd --add-port=80/tcp --permanent
# firewall-cmd --add-port=80/tcp
Finally, run tang-show-keys to display the thumbprint of the signing key. You will need this later.
# tang-show-keys
l3fZGUCmnvKQF_OA6VZF9jf8z2s
Create an encrypted Stratis pool
The previous article on Stratis encryption described in detail how to set up an encrypted Stratis pool, so this article does not repeat those steps.
The first step is to set a key that will be used to decrypt the Stratis pool. You need to set this even when you use NBDE, because you can use it to unlock the pool manually if the Tang server is unreachable. Use the following command to set the pool1key key.
# stratis key set --capture-key pool1key
Enter key data followed by the return key:
Then I'll use the /dev/vdb device to create an encrypted Stratis pool named pool1, using the pool1key I just created.
# stratis pool create --key-desc pool1key pool1 /dev/vdb
Next, create a file system called filesystem1 in the Stratis pool, create a mount point, mount the file system, and create a test file in it:
# stratis filesystem create pool1 filesystem1
# mkdir /filesystem1
# mount /dev/stratis/pool1/filesystem1 /filesystem1
# cd /filesystem1
# echo "this is a testfile" > testfile
Bind the Stratis pool to the Tang server
At this point, we have created an encrypted Stratis pool and created a file system in the pool. The next step is to bind your Stratis pool to the Tang server you just set up. Use the stratis pool bind nbde command.
When you do Tang binding, you need to pass several parameters to the command:
Pool name (in this case, pool1)
The name of the key descriptor (pool1key in this case)
Tang server URL (in this case, http://tang-server)
Remember that on the Tang server you ran tang-show-keys, which showed that the thumbprint of the Tang signing key is l3fZGUCmnvKQF_OA6VZF9jf8z2s. In addition to the parameters above, you either pass that thumbprint with the --thumbprint l3fZGUCmnvKQF_OA6VZF9jf8z2s parameter, or skip verification of the thumbprint with the --trust-url parameter.
Using the --thumbprint parameter is more secure, because the client then only accepts a Tang server that advertises the key you pinned. For example:
# stratis pool bind nbde pool1 pool1key http://tang-server --thumbprint l3fZGUCmnvKQF_OA6VZF9jf8z2s
Unlock the Stratis pool with NBDE
Then restart the host and verify that you can unlock the Stratis pool with NBDE without entering a key passphrase. After the host restarts, the pool is not yet available:
# stratis pool list
Name    Total Physical    Properties
To unlock the pool using NBDE, run the following command:
# stratis pool unlock clevis
Note that you do not need to enter a key passphrase. This command can be run automatically when the system starts.
At this point, the Stratis pool is ready to use:
# stratis pool list
Name    Total Physical                      Properties
pool1   4.98 GiB / 583.65 MiB / 4.41 GiB    ~Ca, Cr
You can mount the file system and access the previously created files:
# mount /dev/stratis/pool1/filesystem1 /filesystem1/
# cat /filesystem1/testfile
this is a testfile
Rotate the Tang server key
It is a good idea to rotate the Tang server key periodically and update the Stratis client systems to use the new Tang key.
To generate a new Tang key, first log in to the Tang server and look at the current contents of the /var/db/tang directory. Then run the tang-show-keys command:
# ls -al /var/db/tang
total 8
drwx------. 1 tang tang 124 Mar 15 15:51 .
drwxr-xr-x. 1 root root  16 Mar 15 15:48 ..
-rw-r--r--. 1 tang tang 361 Mar 15 15:51 hbjJEDXy8G8wynMPqiq8F47nJwo.jwk
-rw-r--r--. 1 tang tang 367 Mar 15 15:51 l3fZGUCmnvKQF_OA6VZF9jf8z2s.jwk
# tang-show-keys
l3fZGUCmnvKQF_OA6VZF9jf8z2s
To generate a new key, run tangd-keygen and point it to the / var/db/tang directory:
# /usr/libexec/tangd-keygen /var/db/tang
If you look at the / var/db/tang directory again, you will see two new files:
# ls -al /var/db/tang
total 16
drwx------. 1 tang tang 248 Mar 22 10:41 .
drwxr-xr-x. 1 root root  16 Mar 15 15:48 ..
-rw-r--r--. 1 tang tang 361 Mar 15 15:51 hbjJEDXy8G8wynMPqiq8F47nJwo.jwk
-rw-r--r--. 1 root root 354 Mar 22 10:41 iyG5HcF01zaPjaGY6L_3WaslJ_E.jwk
-rw-r--r--. 1 root root 349 Mar 22 10:41 jHxerkqARY1Ww_H_8YjQVZ5OHao.jwk
-rw-r--r--. 1 tang tang 367 Mar 15 15:51 l3fZGUCmnvKQF_OA6VZF9jf8z2s.jwk
If you run tang-show-keys now, both keys that Tang publishes are displayed:
# tang-show-keys
l3fZGUCmnvKQF_OA6VZF9jf8z2s
iyG5HcF01zaPjaGY6L_3WaslJ_E
You can stop the old key (starting with l3fZ) from being published by renaming the two original files to hidden files that begin with a period. The old key is then no longer advertised, but it can still be used by any existing client that has not yet been updated to the new key. Once all clients have been updated to the new key, the old key files can be deleted.
# cd /var/db/tang
# mv hbjJEDXy8G8wynMPqiq8F47nJwo.jwk .hbjJEDXy8G8wynMPqiq8F47nJwo.jwk
# mv l3fZGUCmnvKQF_OA6VZF9jf8z2s.jwk .l3fZGUCmnvKQF_OA6VZF9jf8z2s.jwk
At this point, if you run tang-show-keys again, only the new key is published:
# tang-show-keys
iyG5HcF01zaPjaGY6L_3WaslJ_E
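As an added example (not code from this article, nor from the Stratis, Tang or Clevis projects), the following Python computes the RFC 7638 JWK thumbprint that tang-show-keys prints, shows what the --thumbprint check buys over --trust-url when binding, and simulates the hide-then-delete rotation above in a temporary directory. The key coordinates, advertisement header and signature are constructed placeholders, and JWS signature verification (which clevis delegates to jose) is assumed to happen elsewhere; only the thumbprint pinning and the published-key logic are shown.

```python
"""Tang key pinning and rotation helpers.

Added example for this article; not Stratis, Tang or Clevis project code.
Assumptions: a Tang advertisement is a JWS (JSON serialization) whose payload
is a JWK set; signature verification is left to clevis/jose and is NOT done here.
"""
import base64
import hashlib
import json
import os
import tempfile

# RFC 7638: members that take part in a JWK thumbprint, already in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWK/JWS and by tang-show-keys."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> str:
    """Required members only, sorted, no whitespace (RFC 7638 section 3)."""
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint; this is the value tang-show-keys prints."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def _ec_key(x: str, y: str, ops: list) -> dict:
    # Constructed sample key: x/y are placeholders, not real P-521 points.
    return {"kty": "EC", "crv": "P-521", "alg": "ES512" if "verify" in ops else "ECMR",
            "x": x, "y": y, "key_ops": ops}


OLD_SIGNING_KEY = _ec_key("old-sig-x", "old-sig-y", ["verify"])
OLD_EXCHANGE_KEY = _ec_key("old-xchg-x", "old-xchg-y", ["deriveKey"])
NEW_SIGNING_KEY = _ec_key("new-sig-x", "new-sig-y", ["verify"])
NEW_EXCHANGE_KEY = _ec_key("new-xchg-x", "new-xchg-y", ["deriveKey"])
NEW_SIGNING_THUMBPRINT = jwk_thumbprint(NEW_SIGNING_KEY)

# Constructed advertisement as Tang would serve it after rotation: a JWS whose
# payload is the published key set. Header and signature are placeholders.
SAMPLE_ADV = {
    "payload": b64url(json.dumps({"keys": [NEW_SIGNING_KEY, NEW_EXCHANGE_KEY]}).encode()),
    "protected": b64url(b'{"alg":"ES512"}'),
    "signature": "placeholder-not-a-real-signature",
}


def advertised_signing_thumbprints(adv: dict) -> set:
    """Thumbprints of the signing keys ("verify") in an advertisement payload."""
    keys = json.loads(b64url_decode(adv["payload"]))["keys"]
    return {jwk_thumbprint(k) for k in keys if "verify" in k.get("key_ops", [])}


def accept_advertisement(adv: dict, pinned_thumbprint=None) -> bool:
    """--thumbprint: accept only if the pinned signing key is advertised.
    --trust-url (pinned_thumbprint is None): accept whatever the URL serves,
    so any host answering at http://tang-server is trusted on its name alone."""
    if pinned_thumbprint is None:
        return True
    return pinned_thumbprint in advertised_signing_thumbprints(adv)


def published_thumbprints(db_dir: str) -> set:
    """Keys Tang advertises: every non-hidden *.jwk in its database directory."""
    found = set()
    for name in os.listdir(db_dir):
        if name.endswith(".jwk") and not name.startswith("."):
            with open(os.path.join(db_dir, name)) as fh:
                found.add(jwk_thumbprint(json.load(fh)))
    return found


def retire_key(db_dir: str, thumbprint: str) -> None:
    """Stop advertising a key without deleting it: rename its file to a dotfile,
    so clients still bound to it can unlock until they rebind (then delete it)."""
    for name in os.listdir(db_dir):
        path = os.path.join(db_dir, name)
        if name.endswith(".jwk") and not name.startswith("."):
            with open(path) as fh:
                if jwk_thumbprint(json.load(fh)) == thumbprint:
                    os.rename(path, os.path.join(db_dir, "." + name))


def demo_rotation() -> dict:
    """Simulate the rotation in a temporary directory and report what is published."""
    db_dir = tempfile.mkdtemp(prefix="tang-demo-")
    for key in (OLD_SIGNING_KEY, OLD_EXCHANGE_KEY, NEW_SIGNING_KEY, NEW_EXCHANGE_KEY):
        with open(os.path.join(db_dir, jwk_thumbprint(key) + ".jwk"), "w") as fh:
            json.dump(key, fh)
    before = published_thumbprints(db_dir)
    retire_key(db_dir, jwk_thumbprint(OLD_SIGNING_KEY))
    retire_key(db_dir, jwk_thumbprint(OLD_EXCHANGE_KEY))
    after = published_thumbprints(db_dir)
    hidden = sorted(n for n in os.listdir(db_dir) if n.startswith("."))
    return {"before": before, "after": after, "hidden": hidden}


if __name__ == "__main__":
    print("pinned thumbprint accepted:", accept_advertisement(SAMPLE_ADV, NEW_SIGNING_THUMBPRINT))
    print("rotation:", demo_rotation())
```

The thumbprint is computed from the key material itself, not from the file name, which is why hiding or renaming a file on the Tang server changes what is advertised but never changes the value a client has pinned; after a rotation, clients must rebind to the new thumbprint, exactly as the next section does.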
Next, switch to your Stratis system and update it to use the new Tang key. Stratis supports doing this while the file system is online.
First, unbind the pool:
# stratis pool unbind pool1
Next, set the key again with the original passphrase you used when creating the encrypted pool:
# stratis key set --capture-key pool1key
Enter key data followed by the return key:
Finally, bind the Stratis pool to the Tang server with the updated key fingerprint:
# stratis pool bind nbde pool1 pool1key http://tang-server --thumbprint iyG5HcF01zaPjaGY6L_3WaslJ_E
The Stratis system is now configured to use the updated Tang key. Once every other client system that uses the old Tang key has been updated, the two original key files that were renamed to hidden files in the /var/db/tang directory on the Tang server can be backed up and deleted.
What if the Tang server is not available?
Next, shut down the Tang server to simulate it being unavailable, and then restart the Stratis system.
After restarting, the Stratis pool is unavailable again:
# stratis pool list
Name    Total Physical    Properties
If you try to unlock it with NBDE, it fails because the Tang server is not available:
# stratis pool unlock clevis
Execution failed:
An iterative command generated one or more errors: The operation 'unlock' on a resource of type pool failed. The following errors occurred:
Partial action "unlock" failed for pool with UUID 4d62f840f2bb4ec9ab53a44b49da3f48: Cryptsetup error: Failed with error: Error: Command failed: cmd: "clevis" "luks" "unlock" "-d" "/dev/vdb" "-n" "stratis-1-private-42142fedcb4c47cea2e2b873c08fcf63-crypt", exit reason: 1 stdout:  stderr: /dev/vdb could not be opened.
At this point, in the event that the Tang server is unreachable, the only option for unlocking the pool is to use the original key password:
# stratis key set --capture-key pool1key
Enter key data followed by the return key:
Then you can use the key to unlock the pool:
# stratis pool unlock keyring
Next, verify that the pool is successfully unlocked:
# stratis pool list
Name    Total Physical                      Properties
pool1   4.98 GiB / 583.65 MiB / 4.41 GiB    ~Ca, Cr
The above is the whole content of this article entitled "How to use Stratis network-bound disk encryption". Thank you for reading! I believe you now have a certain understanding of it, and I hope the content shared here helps you. If you want to learn more, you are welcome to follow the industry information channel!