Chapter 7. Configure disk encryption

Prerequisites

• Define configuration in the luks_tang_inventory.yml playbook: Section 7.2.1, “Defining disk encryption configuration details”.
• Hyperconverged hosts must have encrypted boot disks.

Verify

• Reboot each host and verify that they are able to boot to a login prompt without requiring manual entry of the decryption passphrase.
• Note that the devices that use disk encryption have a path of /dev/mapper/luks_sdX when you continue with Red Hat Hyperconverged Infrastructure for Virtualization setup.

Troubleshooting

• The given boot device /dev/sda2 is not encrypted.

  TASK [Check if root device is encrypted] 
  fatal: [server1.example.com]: FAILED! => {"changed": false, "msg": "The given boot device /dev/sda2 is not encrypted."}

  Copy to Clipboard Toggle word wrap

  Solution: Reinstall the hyperconverged hosts using the process outlined in Section 3.1, “Installing hyperconverged hosts”, ensuring that you select Encrypt my data during the installation process and follow all directives related to disk encryption.

• The output has been hidden due to the fact that no_log: true was specified for this result.

  TASK [gluster.infra/roles/backend_setup : Encrypt devices using key file] 
  failed: [host1.example.com] (item=None) => {"censored": "the output has been hidden due to the fact that no_log: true was specified for this result", "changed": true}

  Copy to Clipboard Toggle word wrap

  This output has been censored in order to not expose a passphrase. If you see this output for the Encrypt devices using key file task, the device failed to encrypt. You may have provided the incorrect disk in the inventory file.

  Solution: Clean up the deployment attempt using Cleaning up Network-Bound Disk Encryption after a failed deployment. Then correct the disk names in the inventory file.

• Non-zero return code from Tang server

  TASK [gluster.infra/roles/backend_setup : Download the advertisement from tang server for IPv4] * failed: [host1.example.com] (item={url: http://tang-server.example.com}) => {"ansible_index_var": "index", "ansible_loop_var": "item", "changed": true, "cmd": "curl -sfg \"http://tang-server.example.com/adv\" -o /etc/adv0.jws", "delta": "0:02:08.703711", "end": "2020-06-10 18:18:09.853701", "index": 0, "item": {"url": "http://tang-server.example.com"}, "msg": "non-zero return code*", "rc": 7, "start": "2020-06-10 18:16:01.149990", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

  Copy to Clipboard Toggle word wrap

  This error indicates that the server cannot access the url provided, either because the FQDN provided is incorrect or because it cannot be found from the host.

  Solution: Correct the url value provided for the NBDE key server or ensure that the url value is accessible from the host. Then run the playbook again with the bindtang tag:

  # ansible-playbook -i luks_tang_inventory.yml tasks/luks_tang_setup.yml --ask-vault-pass --tags=bindtang

  Copy to Clipboard Toggle word wrap
• For any other playbook failures, use the instructions in Cleaning up Network-Bound Disk Encryption after a failed deployment to clean up your deployment. Review the playbook and inventory files for incorrect values and test access to all servers before executing the configuration playbook again.