Photo by London Scout on Unsplash

Automatic data encryption and decryption with Clevis and Tang

Passing Secrets

Article from ADMIN 43/2018
By
Encrypting hard disk partitions during the installation of an operating system is standard procedure. When booting the computer, you then need to enter a matching passphrase to unlock the hard drive. We show you how to automate this process and link it to a policy.

The device mapper with the dm-crypt target [1] and the Linux Unified Key Setup (LUKS) [2] extension are normally used to encrypt entire hard disks under Linux. Both components can handle any kind of block device, so it does not matter whether the device to be encrypted is a hard disk, an LVM volume, or a USB stick. To encrypt the data, LUKS usually uses a 256-bit AES key, which is itself protected with a passphrase. If required, several such passphrases can be stored in the LUKS metadata; each of them grants access to the key that decrypts the data.

To discover how many of these keys exist for a device and to add new keys, you call:

cryptsetup luksDump <LUKS device>
cryptsetup luksAddKey <LUKS device>

Each key is stored in its own key slot; a LUKS header provides a total of eight such slots.
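The following is an added example, not code from the article: it reads a saved luksDump report and counts the slots that hold a key, covering the LUKS1 "Key Slot N" lines described above and, as a generalization, the "Keyslots:" section of a LUKS2 header. The two dumps are constructed, and the slot total of eight is the LUKS1 limit.

```shell
#!/bin/sh
# Added example (not from the article): parse a saved "cryptsetup luksDump"
# report to count key slots holding a passphrase and flag a single-slot header
# (no recovery key) or a full one (luksAddKey has no free slot). No root needed.

# Constructed LUKS1 dump (abbreviated; not captured from a real device).
LUKS1_DUMP='Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed LUKS2 dump: slots are listed under a "Keyslots:" section instead.
LUKS2_DUMP='Version:        2
Keyslots area:  16744448 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1'

# count_key_slots: read a luksDump on stdin, print how many slots hold a key.
count_key_slots() {
    awk '
        /^Key Slot [0-7]: ENABLED/ { n++ }             # LUKS1: one line per slot
        /^Keyslots:/               { in_ks = 1; next } # LUKS2: section header
        /^[A-Za-z]/                { in_ks = 0 }       # any other top-level section
        in_ks && /^  [0-9]+: /     { n++ }             # LUKS2: "  N: luks2"
        END { print n + 0 }'
}

# slot_status USED TOTAL: prints EMPTY, SINGLE (no recovery passphrase), FULL, or OK.
slot_status() {
    if   [ "$1" -eq 0 ];    then echo EMPTY
    elif [ "$1" -eq 1 ];    then echo SINGLE
    elif [ "$1" -ge "$2" ]; then echo FULL
    else                         echo OK
    fi
}

# Live use: cryptsetup luksDump /dev/sdb2 | count_key_slots
used=$(printf '%s\n' "$LUKS1_DUMP" | count_key_slots)
echo "LUKS1 sample: $used of 8 slots hold a key ($(slot_status "$used" 8))"
```

A SINGLE result is worth acting on before automating unlocks: if the only passphrase is lost, so is the data, so a second slot with a recovery passphrase is the usual safeguard.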

Users need to enter the passphrases manually, which is inconvenient. For example, if the root volume of a computer is encrypted, the system does not start until one of the previously defined passphrases has been entered. In this article, I show you how to automate this process.

Managing Secrets

Vaults are typically used to store and manage all kinds of secrets; they primarily serve as key escrows. If a secret is lost, it can be recovered through an escrow service. The terms "vault" and "key escrow" are merely modern terms for a data storage device that stores particularly sensitive data, such as passwords, certificates, or tokens. In most cases, an API is available for accessing such a service. One well-known representative of these data storage devices is HashiCorp Vault [3].

However, vaults have many problems. No one would want a secret stored in a vault to be transferred between the

...