Many Linux environments require data to be encrypted at rest, but unlocking encrypted volumes adds administrative overhead to the boot process: someone has to be at the console to type a passphrase. Oracle Linux has supported disk encryption since version 5, and Oracle Linux 7 Update 4 added a feature that unlocks devices automatically using an external network service. Network Bound Disk Encryption (NBDE) uses a network-based key service to confirm that a system is on a trusted network and, if it is, to unlock its encrypted disks during boot. Because LUKS supports several key slots, the network binding can occupy one slot and a keyboard-entered passphrase another: the system then unlocks the disk automatically during a normal boot, while administrators can still type the passphrase during maintenance or when the key service is unreachable. It is worth being clear about what NBDE does and does not protect against: a disk removed from the data center cannot be unlocked because the key service is no longer reachable, but anyone who can boot the machine on the trusted network gets the volume unlocked without a passphrase.

A new hands-on lab, Oracle Linux Disk Encryption Using Network Based Key Services, is now available for anyone who wants to learn the concepts of Linux disk encryption. The lab begins by creating an encrypted block device that depends on a passphrase, then continues with an example of using network-based keys to unlock the same device. Oracle Linux 8 is used, but the same tools are available on Oracle Linux 7. The base components are dm-crypt, the kernel subsystem that transparently encrypts arbitrary block devices; Linux Unified Key Setup (LUKS), the on-disk format and key-management standard layered on it; and cryptsetup, the command-line tool used to configure the volumes. On top of these the lab adds Tang, a network service that provides its cryptographic operations over plain HTTP, and Clevis, a pluggable client-side encryption framework. Clevis derives a key through an exchange with Tang (designed so that Tang never holds or sees the key it helps recover) and stores the result as the passphrase for one LUKS key slot, so the volume can be unlocked whenever Tang is reachable.
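The two halves of the lab, a passphrase-protected LUKS2 volume followed by a Clevis/Tang binding in a second key slot, fit in one script. The script below is an added example and is not the lab's or Oracle's own code; the device, mount point, passphrase file and Tang URLs are hypothetical, and it assumes a current clevis that accepts `-k` and `-y`. It goes one step beyond the lab by building an "sss" pin over several Tang servers (any TANG_THRESHOLD of them must answer), which is how you avoid a single Tang server becoming a boot-time single point of failure.

```shell
#!/bin/sh
# Added example, not part of the lab: build a LUKS2 volume that keeps a
# maintenance passphrase in one key slot and a Clevis/Tang binding in another.
# Device, mount point and Tang URLs are hypothetical; run as root on a scratch
# machine only (luksFormat destroys whatever is on $DEV).
set -eu

MAPPER_NAME="${MAPPER_NAME:-secure}"
MOUNTPOINT="${MOUNTPOINT:-/secure}"
PASSPHRASE_FILE="${PASSPHRASE_FILE:-/root/luks-maint.pass}"   # maintenance passphrase, mode 0600
TANG_URLS="${TANG_URLS:-http://tang1.example.com http://tang2.example.com}"  # hypothetical servers
TANG_THRESHOLD="${TANG_THRESHOLD:-1}"   # how many Tang servers must answer at boot

# Build the pin configuration handed to `clevis luks bind`. A single URL uses the
# plain "tang" pin; several URLs use the "sss" (Shamir secret sharing) pin so that
# any TANG_THRESHOLD of them is enough, and one dead Tang server does not block boot.
build_pin_config() {
  threshold="$1"; shift
  if [ "$#" -eq 1 ]; then
    printf '{"url":"%s"}' "$1"
    return
  fi
  pins=""
  for url in "$@"; do
    pins="${pins:+$pins,}{\"url\":\"$url\"}"
  done
  printf '{"t":%d,"pins":{"tang":[%s]}}' "$threshold" "$pins"
}

# Pin name that matches build_pin_config's choice.
pin_type_for() {
  if [ "$#" -eq 1 ]; then echo tang; else echo sss; fi
}

# Step 1 (first half of the lab): passphrase-only LUKS2 volume carrying XFS.
create_volume() {
  cryptsetup luksFormat --type luks2 --batch-mode --key-file "$PASSPHRASE_FILE" "$DEV"
  cryptsetup open --key-file "$PASSPHRASE_FILE" "$DEV" "$MAPPER_NAME"
  mkfs.xfs "/dev/mapper/$MAPPER_NAME"
  mkdir -p "$MOUNTPOINT"
  mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
}

# Step 2 (second half): add the network binding. bind must be authorised with an
# existing passphrase (-k reads it from the file); it adds a new key slot holding
# the Tang-derived key and leaves the passphrase slot untouched. -y accepts the
# Tang advertisement without the interactive thumbprint check, so compare the
# printed thumbprint with `tang-show-keys` on the server before trusting it in production.
bind_to_tang() {
  # shellcheck disable=SC2086  # splitting TANG_URLS into separate URLs is intended
  cfg="$(build_pin_config "$TANG_THRESHOLD" $TANG_URLS)"
  # shellcheck disable=SC2086
  pin="$(pin_type_for $TANG_URLS)"
  clevis luks bind -y -d "$DEV" -k "$PASSPHRASE_FILE" "$pin" "$cfg"
}

# Step 3: let systemd unlock the volume at boot. crypttab's third field stays
# "none" (no passphrase stored on disk); _netdev delays the unlock until the network
# is up, and clevis-luks-askpass answers the passphrase prompt by talking to Tang.
enable_boot_unlock() {
  uuid="$(cryptsetup luksUUID "$DEV")"
  grep -q "UUID=$uuid" /etc/crypttab || echo "$MAPPER_NAME UUID=$uuid none _netdev" >> /etc/crypttab
  grep -q "/dev/mapper/$MAPPER_NAME" /etc/fstab || echo "/dev/mapper/$MAPPER_NAME $MOUNTPOINT xfs defaults,_netdev 0 0" >> /etc/fstab
  systemctl enable clevis-luks-askpass.path
}

# Check: two key slots (passphrase + Tang), the Clevis binding is listed, and a
# network unlock without the passphrase actually works.
verify() {
  cryptsetup luksDump "$DEV" | grep -E '^ +[0-9]+: luks2'
  clevis luks list -d "$DEV"
  umount "$MOUNTPOINT"
  cryptsetup close "$MAPPER_NAME"
  clevis luks unlock -d "$DEV" -n "$MAPPER_NAME"   # fails if no Tang server is reachable
  mount "$MOUNTPOINT"
}

main() {
  : "${DEV:?set DEV to an empty scratch block device, e.g. DEV=/dev/sdb}"
  create_volume; bind_to_tang; enable_boot_unlock; verify
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `DEV=/dev/sdX sh nbde-setup.sh --run` on a throwaway machine; without `--run` the script only defines its functions. If the volume is the root filesystem rather than a data disk, the `clevis-luks-askpass.path` unit is not enough: the clevis dracut module must be pulled into the initramfs with `dracut -fv --regenerate-all` so the unlock happens before the root filesystem is mounted.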

After following this lab you can extend the XFS example to other filesystems, for instance by encrypting the block devices underneath Gluster bricks to create an encrypted distributed file system. For an example of encrypting Gluster network traffic as well, see our earlier lab, Creating a highly available NFS service with Oracle Linux 7.