Encrypting a Volume with NBDE

Hands-On Lab

Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Intermediate

In this hands-on lab, we will use Network-Bound Disk Encryption (NBDE) to encrypt a volume on a host. The volume has already been created and encrypted with LUKS. Now we need to implement NBDE so the volume can be automatically decrypted at boot.

Connecting to the Lab

Log In to Server 1

  1. Open your terminal application, and run the following command (remember to replace <SERVER1_PUBLIC_IP> with the Server 1 public IP you were provided on the lab instructions page):
    ssh cloud_user@<SERVER1_PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your cloud_user password at the prompt.
  4. Become the root user.
    sudo su -

Log In to Server 2

  1. Open a new terminal window, and run the following command (remember to replace <SERVER2_PUBLIC_IP> with the Server 2 public IP you were provided on the lab instructions page):
    ssh cloud_user@<SERVER2_PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your cloud_user password at the prompt.
  4. Become the root user.
    sudo su -

Set Up Tang on Server 2

  1. In your Server 1 terminal window, check the status of the LUKS-encrypted volume, which is mapped under the name payroll.
    cryptsetup -v status payroll
  2. Determine where the volume is mounted.
    df -h
  3. List the contents of the payroll directory.
    ls /payroll
  4. Switch to your Server 2 terminal window.
  5. Install Tang.
    yum install -y tang
  6. Configure Tang to run at boot.
    systemctl enable tangd.socket --now
  7. Verify that the installation and configuration were successful.
    systemctl status tangd.socket
  8. Verify that Tang generated its two keys (one for signing the advertisement and one for key exchange).
    ls /var/db/tang
  9. Determine the IP address of Server 2.
    ip addr

Encrypt /dev/xvdg using NBDE

  1. Switch to your Server 1 terminal window.
  2. Install the necessary Clevis packages.
    yum install -y clevis clevis-luks clevis-dracut
  3. Bind the LUKS volume on /dev/xvdg to the Tang server on Server 2. Clevis adds a new LUKS keyslot protected by Tang; the existing passphrase slot stays in place.
    clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'
  4. Type Y at the prompt.
  5. Type y at the prompt.
  6. Enter the LUKS passphrase at the prompt.
  7. Verify that the Clevis binding was written into the LUKS header metadata of /dev/xvdg.
    luksmeta show -d /dev/xvdg
  8. Rebuild the initramfs so that the Clevis hook from clevis-dracut runs during early boot and retrieves the key from Tang automatically.
    dracut -f
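The following script checks the result of steps 3 through 8 end to end. It is an added example, not part of the lab, and it assumes the volume is /dev/xvdg, the Tang URL from step 3, and that luksmeta, curl and lsinitrd are installed on Server 1.

```shell
#!/bin/bash
# Post-binding checks for the lab above (added example, not the lab's own code).
# Assumptions: the LUKS volume is /dev/xvdg, Tang on Server 2 is reachable at the
# URL passed as the second argument, and luksmeta, curl and lsinitrd are installed.
set -u
# UUID Clevis stamps into the luksmeta slots it owns (defined in the Clevis sources).
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
# Read `luksmeta show` output on stdin and print the slot numbers bound by Clevis.
# Returns 1 when there is no binding, so callers fail closed.
clevis_slots() {
  local found=0 slot state uuid
  while read -r slot state uuid; do
    if [ "$state" = "active" ] && [ "$uuid" = "$CLEVIS_UUID" ]; then
      echo "$slot"; found=1
    fi
  done
  [ "$found" -eq 1 ]
}

# Count active slots not owned by Clevis: the passphrase slot(s) that still unlock
# the volume by hand when Tang is unreachable. Never remove the last one.
passphrase_slots() {
  local n=0 slot state uuid
  while read -r slot state uuid; do
    if [ "$state" = "active" ] && [ "$uuid" != "$CLEVIS_UUID" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Tang answers GET /adv with a signed JWS advertisement (payload/protected/signature);
# if that fetch fails now, the boot-time fetch from the initramfs will fail too.
tang_reachable() { curl -sf --max-time 5 "$1/adv" | grep -q '"payload"'; }

# After `dracut -f` the running kernel's initramfs must carry the clevis module.
initramfs_has_clevis() { lsinitrd 2>/dev/null | grep -q clevis; }

verify_nbde() {
  local dev="$1" url="$2" slots
  slots=$(luksmeta show -d "$dev" | clevis_slots) || { echo "FAIL: no Clevis binding on $dev"; return 1; }
  echo "OK: Clevis binding in luksmeta slot(s): $slots"
  [ "$(luksmeta show -d "$dev" | passphrase_slots)" -ge 1 ] \
    || echo "WARN: no passphrase keyslot left on $dev; manual recovery without Tang is impossible"
  tang_reachable "$url" || { echo "FAIL: $url/adv returned no Tang advertisement"; return 1; }
  initramfs_has_clevis || { echo "FAIL: initramfs lacks clevis; run dracut -f"; return 1; }
  echo "OK: Tang reachable and initramfs contains clevis; unattended unlock should work"
}

# Full check only when arguments are given, e.g. ./nbde-check.sh /dev/xvdg http://10.0.0.<SERVER2_IP>
if [ $# -gt 0 ]; then verify_nbde "$@"; fi
```

A reboot of Server 1 remains the real test: the payroll volume should be mounted without a passphrase prompt, and if Server 2 is down the boot will stop at the LUKS prompt, which is why the passphrase slot is kept.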

Conclusion

Congratulations, you've successfully completed this hands-on lab!