Automatic Disk Decryption with Tang

Published by Patrick

Automatic Disk Decryption with Tang

Introduction

If you're setting up disk encryption on your Red Hat Enterprise Linux 9 (RHEL9) servers, using a Tang server can be a smart choice to streamline the unlocking process without requiring a passphrase for every reboot. In this blog post, I'll guide you through how to deploy a Tang server using Ansible, which makes managing your encryption keys much easier, especially in automated or large-scale environments.

Prerequisites

Before following this guide, ensure that you have the following prerequisites in place:

  1. Red Hat Enterprise Linux 9 (RHEL9) Server: This tutorial assumes that you are using RHEL9. Make sure the system is installed and configured.
  2. Root or Sudo Access: You will need root privileges to install packages and configure services.
  3. Ansible Installed: Ansible should be installed on the control node to automate the deployment process.
  4. FirewallD Installed and Configured: The playbook assumes you are using FirewallD for managing firewall rules.
  5. Network Connectivity: Ensure that the Tang server and any client machines can communicate over the network.
  6. Clevis Installed on Clients: If you plan to use Tang to automate decryption, Clevis must be installed on the client systems.

The Dilemma of Disk Encryption in Server Farms

One of the biggest challenges when managing server farms is ensuring data security while also keeping maintenance tasks, like rebooting servers, as seamless as possible. Disk encryption at rest is crucial for protecting sensitive data from unauthorized access, but it presents a practical dilemma: how can servers automatically decrypt their disks after a reboot without compromising security?

In a typical scenario, servers require a passphrase or key to decrypt the encrypted storage during boot. This requirement makes it challenging to automate server restarts, especially in large-scale environments where manually entering a passphrase for each server would be impractical and error-prone. As a result, IT teams face a trade-off between robust data encryption and operational efficiency.

The Solution: Automating Decryption with Tang

Tang is a lightweight key distribution server that helps solve this dilemma by allowing encrypted volumes to be automatically unlocked without human intervention. With Tang, you can securely automate the decryption of encrypted disks, ensuring that servers can restart autonomously while maintaining strong encryption practices.

Tang works by pairing with Clevis, a client-side tool that integrates with Linux Unified Key Setup (LUKS) encryption to retrieve the decryption key over the network from the Tang server. This allows servers to automatically unlock their encrypted volumes during boot, as long as they can communicate with the Tang server.

Using Tang not only improves efficiency but also preserves the integrity of your data security. It strikes a perfect balance between convenience and security, making it an ideal choice for environments like data centers or remote edge locations.

The Importance of Encryption at Rest

Data encryption at rest is a fundamental security practice for any server handling sensitive information. It ensures that data stored on disk is protected from unauthorized access, even if physical access to the storage device is obtained by an attacker. In today’s world, where data breaches and security incidents are increasingly common, encryption at rest provides an essential layer of security that helps organizations protect their customers, employees, and intellectual property.

For servers, encrypting data at rest means that even if a server is compromised or if a disk is stolen, the data remains unreadable without the decryption keys. This is particularly important in environments such as data centers, remote edge locations, or anywhere with physical security risks. Beyond just compliance requirements, encryption at rest demonstrates a proactive stance on data protection.

Using a Tang server for managing decryption keys adds even more benefits to the mix. With Tang, you can securely automate the decryption of encrypted disks without human intervention. This strikes a perfect balance between security and usability—making it easy for your servers to restart autonomously while maintaining strong encryption practices.

What is Tang?

Tang is a simple and lightweight key distribution server that is often paired with Clevis, a client-side tool that automates decryption. Together, they allow encrypted volumes to be automatically unlocked without human intervention, provided the client can reach the Tang server. This makes Tang ideal for environments where security is paramount, but you also need automated startup processes—like data centers or edge computing environments.

Why Use Ansible for Tang Deployment?

Manually setting up Tang can be a repetitive task, particularly if you need multiple servers for redundancy. Ansible, as an automation tool, can help you simplify the setup, ensuring consistency across deployments. Below, I'll share an Ansible playbook that will install Tang, configure it properly, and ensure that the required firewall rules are in place.

The Ansible Playbook

Here is an example Ansible playbook that sets up a Tang server:

- hosts: tang_server
  become: true

  tasks:
    # Install packages required for Tang server
    - name: Install required packages for Tang server
      package:
        name:
          - tang
          - httpd
        state: present

    # Configure firewall rules for Tang server
    - name: Configure firewall for Tang server
      firewalld:
        service: http
        permanent: true
        state: enabled
      notify: Reload firewall

    # Start and enable Tang server
    - name: Start and enable Tang server
      systemd:
        name: tangd.socket
        enabled: true
        state: started

  handlers:
    - name: Reload firewall
      command: firewall-cmd --reload

Playbook Breakdown

  1. Install Required Packages: The playbook installs tang and httpd, which are necessary for running the Tang service. This ensures that the Tang server can serve the cryptographic material over HTTP.
  2. Configure Firewall Rules: Since Tang communicates over HTTP, the playbook opens the HTTP port (usually port 80) in the firewall to allow incoming requests. This is crucial for allowing client machines to reach the Tang server.
  3. Start and Enable Tang Server: The playbook ensures that the tangd.socket service is both started and enabled, meaning it will automatically start on boot, ensuring that your server is always ready to handle decryption requests.

Obtaining the Volume UUID During the Kickstart Process

If you plan to set up disk encryption during the RHEL9 Kickstart process and use Tang as the key provider, you will need to reference the UUID of the encrypted LUKS volume. Here is how you can obtain the volume UUID during the Kickstart process:

  1. Accessing the Kickstart Terminal: During the Kickstart installation, open a terminal by pressing Ctrl+Alt+F2. This will provide you with a command-line interface to interact with the system.
  2. Identifying the LUKS Partition: Use the lsblk command to list all available block devices. Locate the device you want to encrypt (e.g., /dev/sda3).

Retrieving the Volume UUID: Once you identify the partition, use the following command to retrieve the LUKS UUID:

sudo cryptsetup luksUUID /dev/sda3

Replace /dev/sda3 with the appropriate device name. The command will return the unique volume-UUID for that LUKS partition.

This UUID can then be used in your Kickstart configuration to ensure that the Tang server can correctly identify and unlock the volume during the boot process.

Using Tang for LUKS Decryption in Kickstart

Once your Tang server is up and running, you need to ensure that your client systems are properly configured to use the Tang server for LUKS decryption. This involves installing the necessary Clevis package and configuring the system during the Kickstart installation.

Here is an extended Kickstart configuration snippet that includes all the necessary steps to configure the client side for Tang integration:

# Install Clevis for client-side automation
%packages
@core
clevis
clevis-dracut
%end

# Partition and encrypt the logical volume
part pv.01 --size=1 --grow --encrypted --passphrase=<dummy-passphrase>
volgroup vg01 pv.01
logvol / --fstype="ext4" --name=root --vgname=vg01 --size=20480 --encrypted --passphrase=<dummy-passphrase>

# Set up Clevis to use Tang for decryption
%post
# Bind the LUKS volume to Tang server for automatic decryption
clevis luks bind -d /dev/mapper/vg01-root tang '{"url": "http://<Tang-server-IP>:80"}'
%end

Breakdown of the Kickstart Snippet

  1. Install Clevis: The %packages section includes clevis and clevis-dracut, which are required for configuring the client to use Tang for LUKS decryption.
  2. Partition and Encrypt the Volume: The part and logvol commands create an encrypted logical volume.
  3. Bind the Encrypted Volume to Tang: The %post section runs a script after the initial system setup. It uses clevis luks bind to bind the encrypted LUKS volume to the Tang server. This configuration allows the system to automatically retrieve the decryption key from the Tang server during boot, ensuring seamless decryption without manual intervention.

Once your Tang server is up and running, you can integrate it into your RHEL9 Kickstart process to automate disk encryption. During the Kickstart setup, you'll configure LUKS to use the Tang server for unlocking encrypted volumes.

An example of a Kickstart configuration snippet might look like this:

part pv.01 --size=1 --grow --encrypted --passphrase=<dummy-passphrase>
volgroup vg01 pv.01
logvol / --fstype="ext4" --name=root --vgname=vg01 --size=20480 --encrypted --keyfile-size=256 --keyfile-offset=2 --keyfile=network://<Tang-server-IP>:80

In this configuration, the Tang server is specified as the key provider for unlocking the encrypted logical volume during the boot process, eliminating the need for a manual passphrase.

Why This Matters

Deploying Tang with Ansible allows you to manage your encryption keys effectively across multiple servers, maintaining a good balance between security and convenience. By eliminating manual intervention during server reboots, you not only save time but also minimize the risk of human error. This approach is particularly beneficial in environments where uptime is critical, and systems need to be able to reboot autonomously.

Conclusion

With just a few lines of Ansible, you can set up a Tang server that seamlessly integrates into your automated disk encryption strategy. Whether you're working in a small environment or managing hundreds of servers, this approach provides an efficient and secure method to handle encrypted volumes without compromising on security.

Give this Ansible playbook a try, and let me know how it works for you! If you have any questions or run into any challenges, feel free to leave a comment—I'm always here to help!