Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Optional: Enabling disk encryption

You can enable encryption of installation disks using either the TPM v2 or Tang encryption modes.

Note

In some situations, when you enable TPM disk encryption in the firmware for a bare-metal host and then boot it from an ISO that you generate with the Assisted Installer, the cluster deployment can get stuck. This can happen if there are left-over TPM encryption keys from a previous installation on the host. For more information, see BZ#2011634. If you experience this problem, contact Red Hat support.

5.1. Enabling TPM v2 encryption
Copia collegamento

Prerequisites

  • Check to see if TPM v2 encryption is enabled in the BIOS on each host. Most Dell systems require this. Check the manual for your computer. The Assisted Installer will also validate that TPM is enabled in the firmware. See the disk-encruption model in the Assisted Installer API for additional details.
Important

Verify that a TPM v2 encryption chip is installed on each node and enabled in the firmware.

Procedure

  1. Optional: Using the UI, in the Cluster details step of the user interface wizard, choose to enable TPM v2 encryption on either the control plane nodes, workers, or both.

  2. Optional: Using the API, follow the "Modifying hosts" procedure. Set the disk_encryption.enable_on setting to all, masters, or workers. Set the disk_encryption.mode setting to tpmv2.

    1. Refresh the API token: 

      $ source refresh-token
      Copy to Clipboard Toggle word wrap

    2. Enable TPM v2 encryption: 

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
-X PATCH \
-H "Authorization: Bearer ${API_TOKEN}" \
-H "Content-Type: application/json" \
-d '
{
  "disk_encryption": {
    "enable_on": "none",
    "mode": "tpmv2"
  }
}
' | jq
      Copy to Clipboard Toggle word wrap

      Valid settings for enable_on are all, master, worker, or none.

5.2. Enabling Tang encryption
Copia collegamento

Prerequisites

  • You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that can be used to generate a thumbprint of the Tang exchange key.

Procedure

  1. Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions. You can set multiple Tang servers, but the Assisted Installer must be able to connect to all of them during installation.

  2. On the Tang server, retrieve the thumbprint for the Tang server using tang-show-keys: 

    $ tang-show-keys <port>
    Copy to Clipboard Toggle word wrap

    Optional: Replace <port> with the port number. The default port number is 80.

    Example thumbprint

    1gYTN_LpU9ZMB35yn5IbADY5OQ0
    Copy to Clipboard Toggle word wrap

  3. Optional: Retrieve the thumbprint for the Tang server using jose.

    1. Ensure jose is installed on the Tang server: 

      $ sudo dnf install jose
      Copy to Clipboard Toggle word wrap

    2. On the Tang server, retrieve the thumbprint using jose: 

      $ sudo jose jwk thp -i /var/db/tang/<public_key>.jwk
      Copy to Clipboard Toggle word wrap

      Replace <public_key> with the public exchange key for the Tang server.

      Example thumbprint

      1gYTN_LpU9ZMB35yn5IbADY5OQ0
      Copy to Clipboard Toggle word wrap

  4. Optional: In the Cluster details step of the user interface wizard, choose to enable Tang encryption on either the control plane nodes, workers, or both. You will be required to enter URLs and thumbprints for the Tang servers.

  5. Optional: Using the API, follow the "Modifying hosts" procedure.

    1. Refresh the API token: 

      $ source refresh-token
      Copy to Clipboard Toggle word wrap

    2. Set the disk_encryption.enable_on setting to all, masters, or workers. Set the disk_encryption.mode setting to tang. Set disk_encyrption.tang_servers to provide the URL and thumbprint details about one or more Tang servers: 

      $ curl https://api.openshift.com/api/assisted-install/v2/clusters/${CLUSTER_ID} \
-X PATCH \
-H "Authorization: Bearer ${API_TOKEN}" \
-H "Content-Type: application/json" \
-d '
{
  "disk_encryption": {
    "enable_on": "all",
    "mode": "tang",
    "tang_servers": "[{\"url\":\"http://tang.example.com:7500\",\"thumbprint\":\"PLjNyRdGw03zlRoGjQYMahSZGu9\"},{\"url\":\"http://tang2.example.com:7500\",\"thumbprint\":\"XYjNyRdGw03zlRoGjQYMahSZGu3\"}]"
  }
}
' | jq
      Copy to Clipboard Toggle word wrap

      Valid settings for enable_on are all, master, worker, or none. Within the tang_servers value, comment out the quotes within the object(s).

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat