
Lab: Protecting Data with LUKS and NBDE

Create and encrypt a storage device with LUKS, and configure it to decrypt automatically and securely at boot time by using NBDE.

Outcomes

  • Encrypt a partition with LUKS.

  • Decrypt a LUKS partition by using multiple Tang servers.

  • Rotate the keys for Tang servers.

If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compreview-nbde

Specifications

  • Create and mount the encrypted /dev/vdb1 partition and file system on the serverb machine with the following parameters:

    Parameter            Value
    Size                 Full Disk (1 GB)
    Encryption Password  redhatRHT
    Mapper Name          storage
    File System          XFS
    Mount Point          /encrypted
  • Create the encryption-test.txt text file in the /encrypted directory.

  • Edit the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook with the following parameters. This playbook associates the LUKS-encrypted partition to the Tang servers.

    Parameter            Value
    Tang Servers         serverc, serverd
    Partition            /dev/vdb1
    Minimum Threshold    2
    Encryption Password  redhatRHT
  • Use the /home/student/RH415/labs/compreview-nbde/inventory inventory file when applying the Ansible Playbook.

  • Configure the encrypted partition to automatically decrypt and mount the /encrypted directory on the serverb machine at boot time.

  • Rotate the keys for the Tang server on the serverc and serverd machines.

  1. Verify that the /dev/vdb disk is available on the serverb machine.

    1. Open a new terminal window and log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    2. Change to the root user. Use student as the password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Verify that the /dev/vdb disk is available and has no partitions.

      [root@serverb ~]# parted -l
      Error: /dev/vdb: unrecognised disk label
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: unknown
      Disk Flags:
      ...output omitted...
  2. Create a 1 GB partition on the /dev/vdb disk on the serverb machine.

    1. Use the parted command to create a partition on the /dev/vdb disk on the serverb machine.

      [root@serverb ~]# parted /dev/vdb \
        mklabel msdos mkpart primary xfs 1M 1G
      Information: You may need to update /etc/fstab.
    2. Verify that the partition is available.

      [root@serverb ~]# parted /dev/vdb print
      Model: Virtio Block Device (virtblk)
      Disk /dev/vdb: 1074MB
      Sector size (logical/physical): 512B/512B
      Partition Table: msdos
      Disk Flags:
      
      Number  Start   End     Size    Type     File system  Flags
       1      1049kB  1074MB  1073MB  primary
  3. Encrypt the /dev/vdb1 partition with LUKS. Use redhatRHT as the password for the encryption.

    1. Use the cryptsetup luksFormat command to encrypt the /dev/vdb1 partition with LUKS.

      [root@serverb ~]# cryptsetup luksFormat /dev/vdb1
      
      WARNING!
      ========
      This will overwrite data on /dev/vdb1 irrevocably.
      
      Are you sure? (Type 'yes' in capital letters): YES
      Enter passphrase for /dev/vdb1: redhatRHT
      Verify passphrase: redhatRHT
  4. Use storage as the name for the partition.

    1. Use the cryptsetup open command to use storage as the name for the storage partition.

      [root@serverb ~]# cryptsetup open /dev/vdb1 storage
      Enter passphrase for /dev/vdb1: redhatRHT
    2. Verify that the /dev/mapper/storage partition is now available.

      [root@serverb ~]# ls /dev/mapper/storage
      /dev/mapper/storage
  5. Create an XFS file system on the storage partition, and then mount the new file system on the /encrypted directory. Create the encryption-test.txt text file in the /encrypted directory.

    1. Create an XFS file system on the /dev/mapper/storage partition.

      [root@serverb ~]# mkfs.xfs /dev/mapper/storage
      meta-data=/dev/mapper/storage    isize=512    agcount=4, agsize=64448 blks
               =                       sectsz=512   attr=2, projid32bit=1
               =                       crc=1        finobt=1, sparse=1, rmapbt=0
               =                       reflink=1    bigtime=1 inobtcount=1
      data     =                       bsize=4096   blocks=257792, imaxpct=25
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
      log      =internal log           bsize=4096   blocks=1566, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=1
      realtime =none                   extsz=4096   blocks=0, rtextents=0
    2. Create the /encrypted directory.

      [root@serverb ~]# mkdir /encrypted
    3. Mount the /dev/mapper/storage partition on the /encrypted directory.

      [root@serverb ~]# mount -t xfs /dev/mapper/storage /encrypted
    4. Verify that the /dev/vdb1 partition is correctly mounted.

      [root@serverb ~]# mount | grep /encrypted
      /dev/mapper/storage on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
    5. Create the encryption-test.txt text file in the /encrypted directory.

      [root@serverb ~]# touch /encrypted/encryption-test.txt
  6. Unmount the file system and lock the storage partition.

    1. Unmount the file system that is mounted on the /encrypted directory.

      [root@serverb ~]# umount /encrypted
    2. Lock the storage partition.

      [root@serverb ~]# cryptsetup close storage
  7. Return to the terminal window on the workstation machine. Edit the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook to associate the LUKS-encrypted partition on the /dev/vdb1 device with the Tang servers on the serverc and serverd machines. Use the /home/student/RH415/labs/compreview-nbde/inventory file as the inventory for running the Ansible Playbook. Configure SSS encryption so that at least two Tang servers must be available to decrypt the partition.

    1. Use a text editor to edit the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook. Add the following content:

      ---
      - hosts: servers
        become: yes
        become_method: sudo
      
        vars:
          nbde_server_rotate_keys: true
          nbde_server_manage_firewall: true
          nbde_server_manage_selinux: true
      
        roles:
          - rhel-system-roles.nbde_server
      - hosts: clients
        become: yes
        become_method: sudo
      
        vars:
          nbde_client_bindings:
            - device: /dev/vdb1
              encryption_password: redhatRHT
              servers:
                - http://serverc.lab.example.com
                - http://serverd.lab.example.com
              threshold: 2
      
        roles:
          - rhel-system-roles.nbde_client
    2. Apply the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook.

      [student@workstation ~]$ ansible-playbook \
        -i ~/RH415/labs/compreview-nbde/inventory \
        --ask-become-pass ~/RH415/labs/compreview-nbde/nbde_setup.yml
      BECOME password: student
      ...output omitted...
  8. Return to the terminal window of the serverb machine. Configure the encrypted partition to automatically decrypt and mount on the /encrypted directory at boot time on the serverb machine. Reboot the serverb machine.

    1. Edit the /etc/crypttab file to open the encrypted partition at boot time. Add the following content:

      storage       /dev/vdb1  none   _netdev
    2. Edit the /etc/fstab file to mount the encrypted partition on the /encrypted directory persistently.

      ...output omitted...
      /dev/mapper/storage   /encrypted       xfs    _netdev        1 2
    3. Reboot the serverb machine.

      [root@serverb ~]# reboot
      [root@serverb ~]# Connection to serverb closed by remote host.
      Connection to serverb closed.
      [student@workstation ~]$
  9. After the serverb machine reboots, verify that the LUKS-encrypted partition on the /dev/vdb1 device is decrypted and is mounted automatically on the /encrypted directory.

    1. Log in to the serverb machine as the student user. The serverb host might take a few minutes to boot. You can check the boot progress by clicking Open Console on the lab control page. If the serverb machine fails to boot, then you might need to rebuild your lab environment.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$
    2. Change to the root user. Use the student sudo password.

      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    3. Verify that the LUKS-encrypted partition is mounted on the /encrypted directory.

      [root@serverb ~]# mount | grep /encrypted
      /dev/mapper/storage on /encrypted type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota,_netdev)
    4. Verify that the encryption-test.txt file is present in the /encrypted directory.

      [root@serverb ~]# ls /encrypted
      encryption-test.txt
    5. Exit the serverb terminal window.

      [root@serverb ~]# logout
      [student@serverb ~]$ logout
      [student@workstation ~]$
  10. Rotate the keys for the Tang servers by running the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook again.

    1. Apply the /home/student/RH415/labs/compreview-nbde/nbde_setup.yml Ansible Playbook.

      [student@workstation ~]$ ansible-playbook \
        -i ~/RH415/labs/compreview-nbde/inventory \
        --ask-become-pass ~/RH415/labs/compreview-nbde/nbde_setup.yml
      BECOME password: student
      ...output omitted...
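The following script is an added example, not part of the lab or of the rhel-system-roles collection. It shows two checks a practitioner would run around steps 7 and 8: sss_config prints the Clevis "sss" pin configuration that corresponds to the playbook's nbde_client_bindings (the form that clevis luks bind -d /dev/vdb1 sss '<json>' accepts), and check_boot_config verifies that /etc/crypttab and /etc/fstab agree on the mapper name, device, mount point and the _netdev option before you reboot. The file paths are parameters so the checks can also run against copies of the files.

```shell
#!/bin/sh
# Added example for the LUKS/NBDE lab: not the lab's own code.

# sss_config THRESHOLD URL... : emit the Clevis "sss" pin JSON for the given
# Tang servers. With the lab's values this is the binding that the
# nbde_client role creates: threshold 2 over serverc and serverd.
sss_config() {
    t="$1"; shift
    pins=""
    for url in "$@"; do
        pins="${pins:+$pins,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}\n' "$t" "$pins"
}

# check_boot_config MAPPER DEVICE MOUNTPOINT CRYPTTAB FSTAB
# Returns 0 when CRYPTTAB maps DEVICE to MAPPER with _netdev (so the unlock
# waits for the network that Tang requires) and FSTAB mounts
# /dev/mapper/MAPPER on MOUNTPOINT, also with _netdev. Prints the first
# problem found, otherwise a confirmation.
check_boot_config() {
    mapper="$1" dev="$2" mnt="$3" crypttab="$4" fstab="$5"
    line=$(grep -E "^[[:space:]]*$mapper[[:space:]]" "$crypttab") || {
        echo "no crypttab entry for $mapper"; return 1; }
    set -- $line                       # fields: name device keyfile options
    [ "$2" = "$dev" ] || { echo "crypttab maps $mapper to $2, not $dev"; return 1; }
    case ",$4," in *,_netdev,*) ;; *) echo "crypttab entry lacks _netdev"; return 1 ;; esac
    line=$(grep -E "^[[:space:]]*/dev/mapper/$mapper[[:space:]]" "$fstab") || {
        echo "no fstab entry for /dev/mapper/$mapper"; return 1; }
    set -- $line                       # fields: device mountpoint fstype options
    [ "$2" = "$mnt" ] || { echo "fstab mounts $mapper on $2, not $mnt"; return 1; }
    case ",$4," in *,_netdev,*) ;; *) echo "fstab entry lacks _netdev"; return 1 ;; esac
    echo "boot configuration for $mapper looks consistent"
}
```

With the lab's two servers and a threshold of 2, both serverc and serverd must answer at boot for the unlock to succeed; a single unreachable Tang server leaves /dev/vdb1 locked until it is opened manually with the passphrase.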

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-nbde

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-nbde

Revision: rh415-9.2-a821299