Chapter 6. Enabling disk encryption


You can enable encryption of installation disks by using either the TPM v2 or Tang encryption modes.

Note

In some situations, when you enable TPM disk encryption in the firmware for a bare-metal host and then boot it from an ISO that you generate with the Assisted Installer, the cluster deployment can get stuck. This can happen if there are left-over TPM encryption keys from an earlier installation on the host. For more information, see "Bug BZ#2011634" in Additional resources. If you experience this problem, contact Red Hat Support.

6.1. Enabling TPM v2 encryption

You can enable Trusted Platform Module (TPM) v2 encryption from the Assisted Installer web console or API.

Prerequisites

  • Ensure that TPM v2 encryption is enabled in the BIOS firmware on each host. Most Dell systems require this. Check the manual for your computer. The Assisted Installer will also validate that TPM is enabled in the firmware. See the disk-encryption model in the Assisted Installer API for additional details.
  • Verify that a TPM v2 encryption chip is installed on each node and enabled in the firmware.

Procedure

  1. Optional: Using the web console, in the Cluster details step, enable the encryption of installation disks for any of the following nodes: control plane nodes, workers, or arbiter.
  2. Optional: Using the API, include the following settings in the "Modifying hosts" procedure to enable TPM v2 encryption:

    1. Set the disk_encryption.enable_on setting to one of the following:

      • "none"
      • "all"
      • "masters"
      • "arbiters"
      • "workers"
      • "masters,arbiters"
      • "masters,workers"
      • "arbiters,workers"
      • "masters,arbiters,workers"
    2. Set the disk_encryption.mode setting to tpmv2.

      Example

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
      -X PATCH \
      -H "Authorization: Bearer ${API_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '
      {
        "disk_encryption": {
          "enable_on": "none",
          "mode": "tpmv2"
        }
      }
      ' | jq

6.2. Enabling Tang encryption

You can enable Tang encryption from the Assisted Installer web console or API.

Prerequisites

  • You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that you can use to generate a thumbprint of the Tang exchange key.

Procedure

  1. Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions. You can set multiple Tang servers, but the Assisted Installer must be able to connect to all of them during installation.
  2. On the Tang server, retrieve the thumbprint for the Tang server using tang-show-keys:

    $ tang-show-keys <port>

    Optional: Replace <port> with the port number. The default port number is 80.

    Example thumbprint

    1gYTN_LpU9ZMB35yn5IbADY5OQ0

  3. Optional: Retrieve the thumbprint for the Tang server using jose.

    1. Ensure jose is installed on the Tang server:

      $ sudo dnf install jose
    2. On the Tang server, retrieve the thumbprint using jose:

      $ sudo jose jwk thp -i /var/db/tang/<public_key>.jwk

      Replace <public_key> with the public exchange key for the Tang server.

      Example thumbprint

      1gYTN_LpU9ZMB35yn5IbADY5OQ0

  4. Optional: Using the web console, in the Cluster details step, enable the encryption of installation disks for any of the following nodes: control plane nodes, workers, or arbiter. You will be required to enter URLs and thumbprints for the Tang servers.
  5. Optional: Using the API, include the following settings in the "Modifying hosts" procedure to enable Tang encryption:

    1. Set the disk_encryption.enable_on setting to one of the following:

      • "none"
      • "all"
      • "masters"
      • "arbiters"
      • "workers"
      • "masters,arbiters"
      • "masters,workers"
      • "arbiters,workers"
      • "masters,arbiters,workers"
    2. Set the disk_encryption.mode setting to tang.
    3. Set disk_encryption.tang_servers to provide the URL and thumbprint details about one or more Tang servers. The tang_servers value is a string that contains a JSON array, so escape the double quotes inside the object(s) with backslashes, as in the following example.

      Example

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
      -X PATCH \
      -H "Authorization: Bearer ${API_TOKEN}" \
      -H "Content-Type: application/json" \
      -d '
      {
        "disk_encryption": {
          "enable_on": "all",
          "mode": "tang",
          "tang_servers": "[{\"url\":\"http://tang.example.com:7500\",\"thumbprint\":\"PLjNyRdGw03zlRoGjQYMahSZGu9\"},{\"url\":\"http://tang2.example.com:7500\",\"thumbprint\":\"XYjNyRdGw03zlRoGjQYMahSZGu3\"}]"
        }
      }
      ' | jq
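The following Python script is an added example, not part of the Red Hat documentation or the Assisted Installer project. It shows the two pieces of the Tang procedure that are easy to get wrong: what the thumbprint printed by tang-show-keys and jose jwk thp actually is (an RFC 7638 JWK thumbprint, hashed with SHA-1 by default, which is why the thumbprints on this page are 27 base64url characters), and how the disk_encryption PATCH body must be built so that tang_servers is a string containing a JSON array, which is what produces the backslash-escaped quotes in the curl example above. The JWK in the script is constructed sample data, not a real Tang key, and the validation rules (allowed enable_on values, url plus thumbprint per server) are taken from the lists in sections 6.1 and 6.2.

```python
import base64
import hashlib
import json
import re

# RFC 7638: a JWK thumbprint hashes only the required public members of the
# key type, sorted lexicographically and serialized without whitespace.
# Members such as "alg" (Tang exchange keys carry "ECMR") or "key_ops" are
# deliberately left out, so the thumbprint identifies the key, not its usage.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk, hash_name="sha1"):
    """Return the unpadded base64url RFC 7638 thumbprint of a JWK.

    The 27-character thumbprints in the documentation decode to 20 bytes,
    i.e. SHA-1, so that is the default here; "sha256" gives the 43-character
    form that `jose jwk thp -a S256` prints.
    """
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(hash_name, canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


# Constructed sample key: it has the shape of a Tang exchange key (EC P-521,
# alg ECMR), but the coordinates are placeholder values, not a real key.
SAMPLE_EXCHANGE_JWK = {
    "alg": "ECMR",
    "kty": "EC",
    "crv": "P-521",
    "key_ops": ["deriveKey"],
    "x": "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz01",
    "y": "ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210ZyXwVuTsRqPoNmLkJiHgFeDcBa98",
}

# The enable_on values listed in the documentation for both encryption modes.
ALLOWED_ENABLE_ON = {
    "none", "all", "masters", "arbiters", "workers",
    "masters,arbiters", "masters,workers", "arbiters,workers",
    "masters,arbiters,workers",
}
# A SHA-1 thumbprint is 27 base64url characters, a SHA-256 one is 43.
THUMBPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{27}$|^[A-Za-z0-9_-]{43}$")


def disk_encryption_payload(enable_on, mode, tang_servers=None):
    """Build the body for PATCH /v2/clusters/{id}, validating the inputs first."""
    if enable_on not in ALLOWED_ENABLE_ON:
        raise ValueError(f"unsupported enable_on value: {enable_on!r}")
    if mode not in ("tpmv2", "tang"):
        raise ValueError(f"unsupported mode: {mode!r}")
    encryption = {"enable_on": enable_on, "mode": mode}
    if mode == "tang":
        if not tang_servers:
            raise ValueError("tang mode requires at least one Tang server")
        for server in tang_servers:
            if set(server) != {"url", "thumbprint"}:
                raise ValueError(f"each Tang server needs exactly url and thumbprint: {server}")
            if not THUMBPRINT_RE.match(server["thumbprint"]):
                raise ValueError(f"not a SHA-1/SHA-256 JWK thumbprint: {server['thumbprint']}")
        # The API models tang_servers as a *string* that itself holds a JSON
        # array; serializing it here is what yields the backslash-escaped
        # quotes seen in the documentation's curl example.
        encryption["tang_servers"] = json.dumps(tang_servers, separators=(",", ":"))
    return {"disk_encryption": encryption}


def render_body(payload):
    """Pretty-print the body in the form passed to `curl -d`."""
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    thp = jwk_thumbprint(SAMPLE_EXCHANGE_JWK)
    body = render_body(disk_encryption_payload(
        "masters,workers", "tang",
        [{"url": "http://tang.example.com:7500", "thumbprint": thp}]))
    print("thumbprint:", thp)
    print(body)
```

Run it on a RHEL host with Python 3 and compare its output for a real key against tang-show-keys; if the thumbprints differ, the key file you pointed at is probably not the key the server advertises (for example a rotated key whose filename starts with a dot), which is exactly the mismatch that makes the installer unable to unlock the disks later. Feeding the rendered body to the curl command from the procedure, rather than hand-typing the escaped string, removes the most common cause of a rejected PATCH.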
