Guided Exercise: Automating Storage Device Decryption with NBDE

Use NBDE to automatically decrypt a LUKS device at boot time, by using three Tang servers if they are available, and falling back to manual decryption by password if they are not.

Outcomes

  • Install and configure a Tang server.

  • Decrypt a LUKS partition with multiple Tang servers.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start luks-nbde

Instructions

  1. Use Ansible to configure the serverb, serverc, and serverd machines as Tang servers. Those hosts are in the servers group in the /home/student/nbde_servers.yml inventory file. Write and run an Ansible Playbook that uses the nbde_server system role to complete this task.

    1. Use a text editor to write the /home/student/nbde_servers.yml Ansible Playbook that configures hosts in the servers group by using the nbde_server system role. Add the following content:

      ---
      - hosts: servers
        become: true
        become_method: sudo
      
        vars:
          nbde_server_rotate_keys: yes
          nbde_server_manage_firewall: true
          nbde_server_manage_selinux: true
      
        roles:
          - rhel-system-roles.nbde_server
    2. Run the /home/student/nbde_servers.yml Ansible Playbook by using the ansible-playbook command. Include the --ask-become-pass option to provide the student sudo password interactively. Use the /home/student/RH415/labs/luks-nbde/inventory inventory file.

      [student@workstation ~]$ ansible-playbook \
          -i /home/student/RH415/labs/luks-nbde/inventory \
          --ask-become-pass ~/nbde_servers.yml
      ...output omitted...
      PLAY RECAP ***********************************************************************************
      serverb                    : ok=26   changed=5    unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
      serverc                    : ok=26   changed=5    unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
      serverd                    : ok=25   changed=5    unreachable=0    failed=0    skipped=30   rescued=0    ignored=0
  2. Configure the encrypted partition to automatically decrypt and mount its file system on the /encrypted directory at boot time.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    3. Edit the /etc/crypttab file to open the encrypted partition at boot time. Add the following content:

      encryptedvdb1       /dev/vdb1  none   _netdev
    4. Update the /etc/fstab file to mount the file system in the encrypted partition on the /encrypted directory.

      ...output omitted...
      /dev/mapper/encryptedvdb1   /encrypted       xfs    _netdev        1 2

      Note

      A problem in /etc/fstab might bring the machine to an unusable state. If this problem happens, then rebuild the classroom environment.

    5. Return to the workstation machine as the student user.

      [root@servera ~]# logout
      [student@servera ~]$ logout
      Connection to servera closed.
      [student@workstation ~]$
  3. Configure the hosts in the clients section in the /home/student/RH415/labs/luks-nbde/inventory Ansible inventory file as NBDE (Clevis) clients. Write and run an Ansible Playbook that uses the nbde_client system role to complete this task.

    1. Use a text editor to write the /home/student/nbde_clients.yml Ansible Playbook. Configure hosts in the clients group as NBDE clients of your Tang servers by using the nbde_client system role. Set the threshold for the minimum number of available Tang servers to three. Add the following content:

      ---
      - hosts: clients
        become: true
        become_method: sudo
      
        vars:
          nbde_client_bindings:
            - device: /dev/vdb1
              encryption_password: redhatRHT
              servers:
                - http://serverb.lab.example.com
                - http://serverc.lab.example.com
                - http://serverd.lab.example.com
              threshold: 3
      
        roles:
          - rhel-system-roles.nbde_client
    2. Run the /home/student/nbde_clients.yml Ansible Playbook by using the ansible-playbook command. Include the --ask-become-pass option to provide the student sudo password interactively. Use the /home/student/RH415/labs/luks-nbde/inventory inventory file.

      [student@workstation ~]$ ansible-playbook \
          -i /home/student/RH415/labs/luks-nbde/inventory \
          --ask-become-pass ~/nbde_clients.yml
      PLAY RECAP ***********************************************************************************
      servera  : ok=20  changed=9  unreachable=0  failed=0  skipped=1  rescued=0  ignored=0
  4. Turn off one of the Tang servers to test manual authentication at boot. Disable socket activation for the Tang server on serverb. Reboot servera, one of the NBDE clients. Verify that the /dev/vdb1 LUKS-encrypted partition on the servera machine is decrypted, and that its file system is mounted automatically on the /encrypted directory, by providing the encrypted partition passphrase at boot time. The system asks for the passphrase at boot time because only two Tang servers are available.

    1. Log in to the serverb machine as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@serverb
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Disable socket activation for the Tang server. When done, log out of the serverb machine.

      [root@serverb ~]# systemctl disable tangd.socket --now
      Removed symlink /etc/systemd/system/multi-user.target.wants/tangd.socket.
      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      Connection to serverb closed.
      [student@workstation ~]$
    4. Log in to the servera machine as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    5. Change to the root user and reboot the machine. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]# reboot
    6. Open the servera console. The console prompts you to manually enter the passphrase for the encrypted partition. Enter redhatRHT as the passphrase.

    7. On workstation, log in to servera as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    8. Use the sudo -i command to change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    9. Verify that the file system in the encrypted partition is mounted on the /encrypted directory. When done, log out of the servera machine.

      [root@servera ~]# mount | grep /encrypted
      /dev/mapper/encryptedvdb1 on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,noquota,_netdev)
      [root@servera ~]# logout
      [student@servera ~]$ logout
      [student@workstation ~]$
  5. Make sure that all the Tang servers are running, to test automatic authentication and decryption at boot. Enable socket activation for the Tang server on the serverb machine. Reboot the servera machine to verify that the /dev/vdb1 LUKS-encrypted partition is decrypted and that its file system is mounted automatically on the /encrypted directory.

    1. Log in to the serverb machine as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@serverb
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Enable socket activation for the Tang server. When done, log out of the serverb machine.

      [root@serverb ~]# systemctl enable tangd.socket --now
      Created symlink /etc/systemd/system/multi-user.target.wants/tangd.socket → /usr/lib/systemd/system/tangd.socket.
      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      Connection to serverb closed.
      [student@workstation ~]$
    4. After the servera machine completes the reboot, log in as the student user. You do not need to enter any password.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    5. Verify that the file system in the encrypted partition is mounted on the /encrypted directory.

      [student@servera ~]$ mount | grep /encrypted
      /dev/mapper/encryptedvdb1 on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,noquota,_netdev)
    6. Verify that the previously created file, testfile, is still available in the /encrypted directory. When done, log out of the servera machine.

      [student@servera ~]$ ls /encrypted
      testfile
      [student@servera ~]$ logout
      Connection to servera closed.
      [student@workstation ~]$
  6. Rotate the keys for the Tang servers by running the /home/student/nbde_servers.yml playbook again.

    1. Run the /home/student/nbde_servers.yml Ansible Playbook by using the ansible-playbook command. Include the --ask-become-pass option to provide the student sudo password interactively. Use the /home/student/RH415/labs/luks-nbde/inventory inventory file.

      [student@workstation ~]$ ansible-playbook \
          -i /home/student/RH415/labs/luks-nbde/inventory \
          --ask-become-pass ~/nbde_servers.yml
      ...output omitted...
      PLAY RECAP ***********************************************************************************
      serverb                    : ok=25   changed=1    unreachable=0    failed=0    skipped=30   rescued=0    ignored=0
      serverc                    : ok=26   changed=1    unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
      serverd                    : ok=26   changed=1    unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
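As an added example that is not part of the course material, the following Python check encodes the two points this exercise turns on: the threshold in nbde_client_bindings (3 of 3 servers, so any unavailable Tang server forces the passphrase prompt seen in step 4) and the _netdev requirement in /etc/crypttab and /etc/fstab (the note in step 2 warns what a bad entry costs). The sss_pin_config function, the constructed inputs, and the assumption that the role's binding is equivalent to a Clevis sss pin with tang sub-pins are this example's own, not output of the nbde_client role.

```python
import json

# Constructed inputs mirroring the exercise: the binding from nbde_clients.yml
# and the crypttab/fstab lines added on servera (not read from a live system).
BINDING = {
    "device": "/dev/vdb1",
    "servers": ["http://serverb.lab.example.com",
                "http://serverc.lab.example.com",
                "http://serverd.lab.example.com"],
    "threshold": 3,
}
CRYPTTAB = "encryptedvdb1       /dev/vdb1  none   _netdev\n"
FSTAB = "/dev/mapper/encryptedvdb1   /encrypted       xfs    _netdev        1 2\n"


def sss_pin_config(binding):
    """Clevis 'sss' pin JSON assumed equivalent to the role's binding:
    t of the listed Tang pins must answer before the volume unlocks."""
    n, t = len(binding["servers"]), binding["threshold"]
    if not 1 <= t <= n:
        raise ValueError(f"threshold {t} must be between 1 and {n} servers")
    pins = {"tang": [{"url": u} for u in binding["servers"]]}
    return json.dumps({"t": t, "pins": pins})


def unavailable_servers_tolerated(binding):
    """Tang servers that may be down before boot falls back to the passphrase."""
    return len(binding["servers"]) - binding["threshold"]


def check_boot_config(crypttab, fstab):
    """Return a list of problems in crypttab/fstab for a network-unlocked volume."""
    problems, mappers = [], set()
    for line in crypttab.splitlines():
        f = line.split()
        if len(f) < 2 or f[0].startswith("#"):
            continue
        mappers.add(f[0])
        opts = f[3].split(",") if len(f) > 3 else []
        if "_netdev" not in opts:
            problems.append(f"crypttab {f[0]}: missing _netdev (Tang needs the network)")
    for line in fstab.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith("#") or not f[0].startswith("/dev/mapper/"):
            continue
        if f[0][len("/dev/mapper/"):] not in mappers:
            problems.append(f"fstab {f[0]}: no matching crypttab entry")
        if "_netdev" not in f[3].split(","):
            problems.append(f"fstab {f[0]}: missing _netdev")
    return problems
```

Running check_boot_config over the exercise's lines returns an empty list; a threshold of 3 with three servers leaves zero tolerated outages, which is why serverb going down in step 4 produced the passphrase prompt.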

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish luks-nbde

Revision: rh415-9.2-a821299