I experimented around and found a solution for an encrypted data partition with automatic tang/clevis decryption at boot time.

tang server

```shell
# create a new ubuntu vm in the same private network
apt update
apt install tang
systemctl enable tangd.socket
systemctl start tangd.socket
# test the tang server
curl http://localhost/adv
# and with the private ip
curl http://10.0.0.3/adv
```

encrypted partition

```shell
# shrink the btrfs filesystem on /dev/sda2
mount /dev/sda2 /mnt
btrfs filesystem resize -20G /mnt
umount /mnt
# shrink partition /dev/sda2 and add a new partition
parted /dev/sda
resizepart 2 62G
mkpart p.data ext2 62G 81,9G
print
# setup encryption and format partition
cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/sda3
cryptsetup open /dev/sda3 data
mkfs.btrfs /dev/mapper/data
mount /dev/mapper/data /mnt
btrfs subvolume create /mnt/@data
reboot
```

ssh into the rebooted node

```shell
# open an interactive shell for installation
transactional-update shell
# activate network and clevis explicitly in the dracut config
cat << EOF | tee /etc/dracut.conf.d/10-network.conf
install_items+=" /etc/NetworkManager/system-connections/* "
add_dracutmodules+=" network network-manager "
EOF
cat << EOF | tee /etc/dracut.conf.d/11-clevis.conf
add_dracutmodules+=" clevis "
EOF
# due to inconsistencies with netcfg and dracut
# otherwise dracut -f will fail
mkdir /etc/services
# install clevis components
zypper install clevis clevis-luks clevis-dracut nano luksmeta netcfg
# update grub
nano /etc/default/grub
#>> add GRUB_CMDLINE_LINUX="rd.neednet=1 ip=dhcp"
# regenerate grub config
grub2-mkconfig -o /boot/grub2/grub.cfg
# enable systemd clevis module
systemctl enable clevis-luks-askpass.path
# check that clevis exists in initramfs
lsinitrd | grep clevis
lsinitrd | grep jose
lsinitrd | grep nmconnection
# setup config
echo "data /dev/sda3 none" | tee -a /etc/crypttab
# bind the data partition to clevis
curl -sfg http://10.0.0.2/adv -o /tmp/adv.jws
clevis luks bind -d /dev/sda3 tang '{"url": "http://10.0.0.2", "adv": "/tmp/adv.jws"}'
# create mount point and update the selinux permissions
mkdir -p /data
chcon -R system_u:object_r:usr_t:s0 /data
ls -lZ /opt
echo "/dev/mapper/data /data btrfs defaults,subvol=@data,compress=lzo 0 0" | tee -a /etc/fstab
cryptsetup open /dev/sda3 data
mount -a
chcon -R system_u:object_r:usr_t:s0 /opt/data
ls -lZ /opt
# finish the transaction and reboot
# /dev/sda3 should be unlocked automatically
exit
reboot
```
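As an added example (not part of the post above), here is a Python check that pins the tang server's signing-key thumbprint before `clevis luks bind` is run with a pre-fetched `adv` file, since supplying `adv` skips the interactive thumbprint confirmation the bind would otherwise ask for. It parses the flattened-JWS advertisement that `/adv` returns and computes RFC 7638 SHA-256 thumbprints (the form clevis displays); the sample advertisement, its key coordinates and its signature are constructed placeholders, and the JWS signature is not verified here (clevis does that during the bind).

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Required members per key type (RFC 7638 section 3.2); all other members are ignored.
_THP_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def canonical_jwk(jwk: dict) -> bytes:
    """Lexicographically ordered, whitespace-free JSON of the required members only."""
    members = _THP_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")).encode()


def jwk_thumbprint(jwk: dict) -> str:
    """Base64url SHA-256 thumbprint of a JWK, as shown by clevis when binding to tang."""
    return b64url_encode(hashlib.sha256(canonical_jwk(jwk)).digest())


def signing_key_thumbprints(adv: str) -> list[str]:
    """Thumbprints of the keys a tang advertisement presents for signature verification."""
    jws = json.loads(adv)
    if "payload" not in jws:
        raise ValueError("not a flattened JWS advertisement")
    keys = json.loads(b64url_decode(jws["payload"])).get("keys", [])
    return [jwk_thumbprint(k) for k in keys if "verify" in k.get("key_ops", [])]


def advertisement_is_trusted(adv: str, pinned: set[str]) -> bool:
    """Accept only when a signing key in the advertisement matches a pinned thumbprint."""
    return any(t in pinned for t in signing_key_thumbprints(adv))


# Constructed sample in tang's flattened-JWS form; coordinates and signature are placeholders.
_PAYLOAD = {"keys": [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "x": "AAAA", "y": "BBBB", "key_ops": ["verify"]},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "x": "CCCC", "y": "DDDD", "key_ops": ["deriveKey"]},
]}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(json.dumps(_PAYLOAD).encode()),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "placeholder-not-a-real-signature",
})

if __name__ == "__main__":
    print("signing keys:", signing_key_thumbprints(SAMPLE_ADV))
```

Record the thumbprint printed by the tang host itself and keep it in the pinned set; a real `/tmp/adv.jws` from the procedure above can be passed in place of `SAMPLE_ADV`.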
Hi, does anyone have experience with Microos and full disk encryption and provisioning on a hcloud server?
A few years ago I set up some remote systems using ubuntu and full disk encryption and automatic unlock mechanisms using mandos. I'm also aware of and tested tang/clevis, which just worked fine.
I tested Clevis on Microos with success but didn't manage automatic unlock during boot.