9.15. Deployment of virtual machines in an NBDE network
When you configure Network-Bound Disk Encryption (NBDE) for virtual machines, use only secure practices in production environments.
The clevis luks bind command does not change the LUKS master key. This implies that if you create a LUKS-encrypted image for use in a virtual machine or cloud environment, all the instances that run this image share a master key. This is extremely insecure and should be avoided at all times.
This is not a limitation of Clevis but a design principle of LUKS. If your scenario requires having encrypted root volumes in a cloud, perform the installation process for each instance of Red Hat Enterprise Linux in the cloud as well. The images cannot be shared without also sharing a LUKS master key.
To deploy automated unlocking in a virtualized environment, use tools such as Lorax or virt-install together with a Kickstart file or another automated provisioning tool to ensure that each encrypted VM has a unique master key. See Configuring automated enrollment of LUKS-encrypted volumes by using Kickstart for detailed instructions.
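The following script is an added example and is not part of the Red Hat documentation or the Clevis project. It shows one way to audit a fleet for the cloned-image problem described above: because `clevis luks bind` leaves the LUKS master key untouched, every instance started from a copied image carries an identical LUKS header, so comparing the header UUID and the master-key digest that `cryptsetup luksDump` prints across instances reveals volumes that share a key. The function names, the LUKS2 dump layout it parses, and the three sample dumps (two of them deliberately identical clones) are assumptions and constructed data, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation or Clevis): detect VM volumes that
# share a LUKS master key by fingerprinting `cryptsetup luksDump` output.
# Capture real input with:  cryptsetup luksDump /dev/vdaN > vmN.dump  (one file per VM)
# Assumes the LUKS2 luksDump layout (a "Digests:" section with a "Digest:" row).

# fingerprint_of DUMPFILE -> prints "UUID|first-row-of-master-key-digest".
# A cloned image keeps both values, so clones yield an identical fingerprint.
fingerprint_of() {
    awk '
        /^UUID:/    { uuid = $2 }
        /^Digests:/ { in_digests = 1 }
        in_digests && $1 == "Digest:" {
            for (i = 2; i <= NF; i++) digest = digest $i
            exit
        }
        END { print uuid "|" digest }
    ' "$1"
}

# find_shared_keys DUMPFILE... -> prints every fingerprint seen on more than one
# volume together with the offending files; returns 1 if any are shared, 0 if not.
find_shared_keys() {
    tmp=$(mktemp)
    for f in "$@"; do
        printf '%s %s\n' "$(fingerprint_of "$f")" "$f"
    done | sort > "$tmp"
    dups=$(awk '{ count[$1]++; files[$1] = files[$1] " " $2 }
                END { for (k in count) if (count[k] > 1)
                          print "SHARED master key", k, ":" files[k] }' "$tmp")
    rm -f "$tmp"
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups"
        return 1
    fi
    echo "OK: no shared LUKS master keys among $# volume(s)"
    return 0
}

# write_sample_dumps DIR -> writes three CONSTRUCTED luksDump excerpts: vm1 and vm2
# were started from the same encrypted image (identical header), vm3 was installed
# separately and therefore has its own UUID and digest.
write_sample_dumps() {
    clone='LUKS header information
Version:        2
UUID:           3f2a6b1c-0000-4000-8000-000000000001
Label:          (no label)

Keyslots:
  0: luks2
        Key:        512 bits

Tokens:
  0: clevis
        Keyslot:    0

Digests:
  0: pbkdf2
        Hash:       sha256
        Digest:     aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
                    11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00'
    printf '%s\n' "$clone" > "$1/vm1.dump"
    printf '%s\n' "$clone" > "$1/vm2.dump"
    printf '%s\n' "$clone" |
        sed -e 's/000000000001/000000000002/' \
            -e 's/aa bb cc dd ee ff 00 11/01 02 03 04 05 06 07 08/' > "$1/vm3.dump"
}

# Demo run against the constructed samples; point the functions at real dump
# files captured from each VM instead.
demo_dir=$(mktemp -d)
write_sample_dumps "$demo_dir"
if find_shared_keys "$demo_dir/vm1.dump" "$demo_dir/vm2.dump" "$demo_dir/vm3.dump"; then
    echo "all volumes carry distinct master keys"
else
    echo "cloned LUKS header detected: reinstall those instances (for example with Kickstart)"
fi
rm -rf "$demo_dir"
```

Any volume the check flags was not installed per instance and must be re-provisioned, for example with a Kickstart-driven installation, because the shared master key cannot be rotated by re-binding Clevis or changing passphrases. Note that the check only detects header clones; it does not prove that two volumes with different headers were installed securely.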