Article Summary:
Using Linux System Roles on Fedora to automate the implementation of Clevis/Tang for automated LUKS volume unlocking
Article Description:
This article will cover how to use the Linux System Roles (https://linux-system-roles.github.io/ and also available as the linux-system-roles RPM in Fedora) to automate the implementation of Clevis and Tang. Clevis (GitHub - latchset/clevis: Automated Encryption Framework) and Tang (GitHub - latchset/tang: Tang binding daemon) can automate unlocking of LUKS encrypted volumes, including for the root filesystem.
The article will have an example that uses the NBDE client and server Linux System Roles to implement the following in an automated manner:
- A Raspberry Pi, running Fedora, will operate as the Ansible control node and will have the linux-system-roles RPM package installed
- The NBDE server Linux System Role (GitHub - linux-system-roles/nbde_server: Ansible role for configuring Network-Bound Disk Encryption servers (e.g. tang)) will automate the installation of Tang on the Raspberry Pi
- The NBDE client Linux System Role (GitHub - linux-system-roles/nbde_client: Ansible role for configuring Network Bound Disk Encryption clients (e.g. clevis)) will automate the implementation of Clevis on several managed nodes (including Fedora and CentOS Stream nodes).
- The Firewall Linux System Role (GitHub - linux-system-roles/firewall: Configure firewalld and system-config-firewall) will automate the implementation of the firewall configuration on the Tang server
- This configuration will enable the managed nodes, which have encrypted root filesystems, to boot up in an automated manner without requiring someone to manually type in the LUKS passphrase at each boot
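As an added illustration of how the three roles listed above fit together (this playbook is not from the article or from the linux-system-roles project; it is an example written here), the following Ansible playbook uses the role names as installed by the linux-system-roles RPM. The inventory group names, the Tang server hostname, the LUKS device path and the `luks_passphrase` variable are assumptions; the passphrase is expected to come from an Ansible Vault file rather than being written into the playbook.

```yaml
# Example playbook (assumed inventory: group "tang" holds the Raspberry Pi,
# group "clients" holds the managed nodes with LUKS-encrypted root volumes).
---
- name: Configure the Tang server on the Raspberry Pi
  hosts: tang
  become: true
  roles:
    # Installs and enables tangd; keys are generated on first run.
    - role: linux-system-roles.nbde_server
      vars:
        nbde_server_rotate_keys: false

    # Tang listens on 80/tcp by default; open it persistently in firewalld.
    - role: linux-system-roles.firewall
      vars:
        firewall:
          - port: 80/tcp
            state: enabled
            permanent: true

- name: Bind the LUKS root volume of each managed node to the Tang server
  hosts: clients
  become: true
  vars_files:
    # Assumed vault-encrypted file defining luks_passphrase (ansible-vault).
    - vault/luks.yml
  roles:
    - role: linux-system-roles.nbde_client
      vars:
        nbde_client_bindings:
          - device: /dev/sda2            # assumed LUKS device holding the root filesystem
            encryption_password: "{{ luks_passphrase }}"
            servers:
              - http://tang.example.com  # assumed hostname of the Raspberry Pi Tang server
```

The Tang play runs first because the client role contacts the Tang server to fetch its advertisement when creating the Clevis binding; if the server is unreachable the client play fails rather than leaving a half-configured binding. After the run, `clevis luks list -d /dev/sda2` on a managed node shows the new tang pin, and a reboot confirms the volume unlocks without a passphrase prompt while the Tang server is reachable. Tang does not authenticate clients, so any host that can reach the advertised port can complete the unlock exchange; the firewall rule above should be narrowed to the managed nodes' network where the environment allows it.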