Chapter 5. Enabling disk encryption
You can enable encryption of installation disks using either the TPM v2 or Tang encryption modes.
In some situations, when you enable TPM disk encryption in the firmware for a bare-metal host and then boot it from an ISO that you generate with the Assisted Installer, the cluster deployment can get stuck. This can happen if there are left-over TPM encryption keys from a previous installation on the host. For more information, see BZ#2011634. If you experience this problem, contact Red Hat support.
5.1. Enabling TPM v2 encryption
Prerequisites
-
Check to see if TPM v2 encryption is enabled in the BIOS on each host. Most Dell systems require this. Check the manual for your computer. The Assisted Installer will also validate that TPM is enabled in the firmware. See the
disk-encruption
model in the Assisted Installer API for additional details.
Verify that a TPM v2 encryption chip is installed on each node and enabled in the firmware.
Procedure
- Optional: Using the web console, in the Cluster details step of the user interface wizard, choose to enable TPM v2 encryption on either the control plane nodes, workers, or both.
Optional: Using the API, follow the "Modifying hosts" procedure. Set the
disk_encryption.enable_on
setting toall
,masters
, orworkers
. Set thedisk_encryption.mode
setting totpmv2
.Refresh the API token:
$ source refresh-token
Enable TPM v2 encryption:
$ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \ -X PATCH \ -H "Authorization: Bearer ${API_TOKEN}" \ -H "Content-Type: application/json" \ -d ' { "disk_encryption": { "enable_on": "none", "mode": "tpmv2" } } ' | jq
Valid settings for
enable_on
areall
,master
,worker
, ornone
.
5.2. Enabling Tang encryption
Prerequisites
- You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that can be used to generate a thumbprint of the Tang exchange key.
Procedure
- Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions. You can set multiple Tang servers, but the Assisted Installer must be able to connect to all of them during installation.
On the Tang server, retrieve the thumbprint for the Tang server using
tang-show-keys
:$ tang-show-keys <port>
Optional: Replace
<port>
with the port number. The default port number is80
.Example thumbprint
1gYTN_LpU9ZMB35yn5IbADY5OQ0
Optional: Retrieve the thumbprint for the Tang server using
jose
.Ensure
jose
is installed on the Tang server:$ sudo dnf install jose
On the Tang server, retrieve the thumbprint using
jose
:$ sudo jose jwk thp -i /var/db/tang/<public_key>.jwk
Replace
<public_key>
with the public exchange key for the Tang server.Example thumbprint
1gYTN_LpU9ZMB35yn5IbADY5OQ0
- Optional: In the Cluster details step of the user interface wizard, choose to enable Tang encryption on either the control plane nodes, workers, or both. You will be required to enter URLs and thumbprints for the Tang servers.
Optional: Using the API, follow the "Modifying hosts" procedure.
Refresh the API token:
$ source refresh-token
Set the
disk_encryption.enable_on
setting toall
,masters
, orworkers
. Set thedisk_encryption.mode
setting totang
. Setdisk_encyrption.tang_servers
to provide the URL and thumbprint details about one or more Tang servers:$ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \ -X PATCH \ -H "Authorization: Bearer ${API_TOKEN}" \ -H "Content-Type: application/json" \ -d ' { "disk_encryption": { "enable_on": "all", "mode": "tang", "tang_servers": "[{\"url\":\"http://tang.example.com:7500\",\"thumbprint\":\"PLjNyRdGw03zlRoGjQYMahSZGu9\"},{\"url\":\"http://tang2.example.com:7500\",\"thumbprint\":\"XYjNyRdGw03zlRoGjQYMahSZGu3\"}]" } } ' | jq
Valid settings for
enable_on
areall
,master
,worker
, ornone
. Within thetang_servers
value, comment out the quotes within the object(s).