Clevis and Tang - Network-bound disk encryption

To make the management of the LUKS encrypted disk(s), I think Clevis/Tang method is the easiest way. Clevis/Tang can decrypt and mount the disk(s) at boot. This is great for NAS servers that have multiple disks. Here is a link to a great presentation from DebConf explaining and demo-ing the Clevis and Tang.

Figure 1 is the topology that I have in my environment.

The assumption with this method is that you already have configured LUKS on your disk(s). We are only going to install and configure Clevis on the client side and Tang on the server side.

Setting up the Tang
Setting up the Clevis clients

Installing Tang

I am using CentOS Stream for the primary Tang server and Debian 10 for the secondary Tang server.

# CentOS
dnf install -y tang

# Debian
apt install -y tang 

# Enable the tangd.socket
systemctl enable tangd.socket

By default Tang uses HTTP which is port 80/tcp. In this post, we are changing the port to 7575/tcp.

systemctl edit tangd.socket

Copy and paste the parameters below then exit and save the file.

[Socket]
ListenStream=
ListenStream=7575

Reload the system manager to activate the changes.

systemctl daemon-reload

Start the tangd.socket. Check the listening port

systemctl start tangd.socket

# Check the listening port
systemctl show tangd.socket -p Listen

I use firewalld on my hosts, so make sure to allow the tangd port inbound on the Tang server.

firewall-cmd --permanent --zone=public --add-port=7575/tcp
firewall-cmd --reload

Keep tabs of the content of the /var/db/tang because we will need to compare the content of this directory when we bind the Clevis to the Tang server.

ls /var/db/tang

Installing Clevis

The Tang server is done, we need to install Clevis on the host(s) requires LUKS decrypting and auto-mounting the encrypted disk(s). In this scenario. I am using Fedora as my workstation and Debian as my NAS. For the Fedora install, I have the root drive encrypted by LUKS during the installation of Fedora. The Debian NAS the root disk is not encrypted by LUKS, but the data disks.

I just want to throw this info, I could not get the Fedora workstation to work if it is connected to the Wi-Fi network. However, when the workstation is connected to the LAN it works.

This post assumption that you already opened the LUKS partition.

Just a note on the Debian side. I could not get the Clevis to work when I installed Clevis via apt. The only time that I get Clevis to work is to install the .deb package version 15.

Install Clevis
Add the LUKS encrypted volume(s) to the /etc/crypttab
Add the decrypted volume(s) to the /etc/fstab
Bind the volume(s) to the Tang server
Enable clevis for non-root disk(s) and enable dracut for root disk

Clevis on non-root disks

To install Clevis on Debian, Fedora and openSUSE.

# Debian
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis_15-5_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-luks_15-5_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-systemd_15-5_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-dracut_15-5_amd64.deb # Download this only if the root disk is encrypted by LUKS
gdebi clevis_15-5_amd64.deb
gdebi clevis-luks_15-5_amd64.deb
gdebi clevis-systemd_15-5_amd64.deb
gdebi clevis-dracut_15-5_amd64.deb # Install this only if the root disk is encrypted by LUKS

# CentOS/Fedora
dnf install clevis clevis-luks clevis-dracut

# openSUSE Leap
zypper addrepo https://download.opensuse.org/repositories/home:ArturGaspar:clevis/openSUSE_Leap_15.2/home:ArturGaspar:clevis.repo
zypper refresh
zypper install clevis clevis-luks clevis-systemd

This only applies to the non-root disk. We need to edit the /etc/crypttab and add all the LUKS partition to be automatically decrypted and mounted during the late boot. To edit the /etc/crypttab, you will have to use your favorite text editor. I’ll be using vim.

When you opened the LUKS partition (disk), you gave it a name. The LUKS name is the Target-name. You can find these LUKS name under the /dev/mapper/.

# edit the /etc/crypttab
vim /etc/crypttab

# Enter the your 
# <target name>	<source device>		<key file>	<options>
luks_parity1    UUID=1aa0965-98d5-4e26-b7a9-2c2fcae9f4e2 none  _netdev
luks_disk1      UUID=eb4ma10-9c3c-4cdd-8ac8-8ahd134a8abb       none    _netdev
luks_disk2      UUID=dd12355-cf21-418e-8e22-9ea466bc1479       none    _netdev

For automatically mount the decrypted partitions, we need to edit the /etc/fstab. If you have multiple disks, you will have to add each one.

# At the bottom of the fstab

/dev/mapper/luks_parity1        /mnt/parity1    xfs     _netdev,defaults        0       0
/dev/mapper/luks_disk1  /mnt/disk1      xfs     _netdev,defaults        0       0
/dev/mapper/luks_disk2  /mnt/disk2      xfs     _netdev,defaults        0       0

It is time to bind the each partition to the Tang server. You will need to match the binding keys from Tang server to make sure you are binding to the right Tang server. If you have more than one Tang server, you will have to repeat for each LUKS partition.

# First Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.38:7575"}'

# Second Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.39:7575"}'

Enable the Clevis unlocker service, clevis-luks-askpass.path.

systemctl enable clevis-luks-askpass.path

Mount the disk(s) to make sure that the /etc/fstab is working correctly. Run df -h to make sure

mount -a

Clevis on the root disk

Just like the data disk, the root disk need to be bind to the tang server. To do so:

# First Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.38:7575"}'

# Second Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.39:7575"}'

Since I am using Fedora as my workstation and I have to run dracut -f. Now, there is two scenarios with these. the first one is workstation that gets its IP address via DHCP and the second one is the workstation with static IP address. If you are using DHCP to get an IP address, run this command once.

dracut -f --kernel-cmdline "ip=dhcp"

For a workstation that uses static IP address. Replace the values if necessary.

dracut -f --kernel-cmdline "ip=192.168.1.10 netmask=255.255.255.0 gateway=192.168.1.1 nameserver=1.1.1.1"

Clevis LUKS Unbind

If you need to unbind the disk from the Tang server(s) or planning to migrate the disk(s) to a different Tang server, you can remove the disk(s) from the existing Tang server by using the unbind option. Just be careful about unbinding the keys because you don’t want to lose access to it. To view the Clevis Tokens use the command cryptsetup luksDump.

# Check the Clevis Token keyslot
cryptsetup luksDump /dev/sdf1
...
... omitted for brevity
...
Tokens:
  0: clevis
        Keyslot:  1
...
... omitted for brevity

# Unbinding the keyslot
clevis luks unbind -d /dev/sdf1 -s 1
The unbind operation will wipe a slot. This operation is unrecoverable.
Do you wish to erase LUKS slot 2 on /dev/sdf1? [ynYN] y
Enter any remaining passphrase:

That is it. Cheers!

3 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

amazIngstories

1 year ago

How do I make this automatic on kernel upgrades? (Fedora 35 – I’ve tried to do the same but I failed – there was something about needing to remove the crypttab when using luks command lines so I’m a little confused. The original /etc/default/grub contains luks entries, and the crypttab contains entries. There was also some mention on the web about _netdev and stuff so I was wondering if you could share your /etc/default/grub and your /etc/fstab and your /etc/crypttab)

Karlo Abaga

Author

Reply to amazIngstories

You need to enter the UUID of the LUKS disk in /etc/crypttab. You need to grab the /dev/mapper/ for the /etc/fstab. I didn’t mess around with grub.

Tom

11 days ago

The documentation on Clevis and Tang must be one of the worst.
I couldn’t find anywhere that completely documented.

Last edited 11 days ago by Tom