Chapter 6. Enabling disk encryption


You can enable encryption of installation disks using either the TPM v2 or Tang encryption modes.

Note

In some situations, when you enable TPM disk encryption in the firmware for a bare-metal host and then boot it from an ISO that you generate with the Assisted Installer, the cluster deployment can get stuck. This can happen if there are left-over TPM encryption keys from a previous installation on the host. For more information, see BZ#2011634. If you experience this problem, contact Red Hat support.

6.1. Enabling TPM v2 encryption

You can enable TPM v2 encryption from the Assisted Installer web console or API.

Prerequisites

  • Check to see if TPM v2 encryption is enabled in the BIOS on each host. Most Dell systems require this. Check the manual for your computer. The Assisted Installer will also validate that TPM is enabled in the firmware. See the disk-encruption model in the Assisted Installer API for additional details.
Important

Verify that a TPM v2 encryption chip is installed on each node and enabled in the firmware.

Procedure

  1. Optional: Using the web console, in the Cluster details step, enable the encryption of installation disks for any of the following nodes: control plane nodes, workers, or arbiter.
  2. Optional: Using the API, include the following settings in the "Modifying hosts" procedure to enable TPM v2 encryption:

    1. Set the disk_encryption.enable_on setting to one of the following:

      • "none"
      • "all"
      • "masters"
      • "arbiters"
      • "workers"
      • "masters,arbiters"
      • "masters,workers"
      • "arbiters,workers"
      • "masters,arbiters,workers"
    2. Set the disk_encryption.mode setting to tpmv2.

      Example

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
      -X PATCH \
      -H "Authorization: Bearer ${API_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '
      {
        "disk_encryption": {
          "enable_on": "none",
          "mode": "tpmv2"
        }
      }
      ' | jq
      Copy to Clipboard Toggle word wrap

6.2. Enabling Tang encryption

You can enable Tang encryption from the Assisted Installer web console or API.

Prerequisites

  • You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that can be used to generate a thumbprint of the Tang exchange key.

Procedure

  1. Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions. You can set multiple Tang servers, but the Assisted Installer must be able to connect to all of them during installation.
  2. On the Tang server, retrieve the thumbprint for the Tang server using tang-show-keys:

    $ tang-show-keys <port>
    Copy to Clipboard Toggle word wrap

    Optional: Replace <port> with the port number. The default port number is 80.

    Example thumbprint

    1gYTN_LpU9ZMB35yn5IbADY5OQ0
    Copy to Clipboard Toggle word wrap

  3. Optional: Retrieve the thumbprint for the Tang server using jose.

    1. Ensure jose is installed on the Tang server:

      $ sudo dnf install jose
      Copy to Clipboard Toggle word wrap
    2. On the Tang server, retrieve the thumbprint using jose:

      $ sudo jose jwk thp -i /var/db/tang/<public_key>.jwk
      Copy to Clipboard Toggle word wrap

      Replace <public_key> with the public exchange key for the Tang server.

      Example thumbprint

      1gYTN_LpU9ZMB35yn5IbADY5OQ0
      Copy to Clipboard Toggle word wrap

  4. Optional: Using the web console, in the Cluster details step, enable the encryption of installation disks for any of the following nodes: control plane nodes, workers, or arbiter. You will be required to enter URLs and thumbprints for the Tang servers.
  5. Optional: Using the API, include the following settings in the "Modifying hosts" procedure to enable Tang encryption:

    1. Set the disk_encryption.enable_on setting to one of the following:

      • "none"
      • "all"
      • "masters"
      • "arbiters"
      • "workers"
      • "masters,arbiters"
      • "masters,workers"
      • "arbiters,workers"
      • "masters,arbiters,workers"
    2. Set the disk_encryption.mode setting to tang.
    3. Set disk_encyrption.tang_servers to provide the URL and thumbprint details about one or more Tang servers. Within the tang_servers value, comment out the quotes within the object(s).

      Example

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
      -X PATCH \
      -H "Authorization: Bearer ${API_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '
      {
        "disk_encryption": {
          "enable_on": "all",
          "mode": "tang",
          "tang_servers": "[{\"url\":\"http://tang.example.com:7500\",\"thumbprint\":\"PLjNyRdGw03zlRoGjQYMahSZGu9\"},{\"url\":\"http://tang2.example.com:7500\",\"thumbprint\":\"XYjNyRdGw03zlRoGjQYMahSZGu3\"}]"
        }
      }
      ' | jq
      Copy to Clipboard Toggle word wrap

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat