Using crypttab

This basically carries on from the "linux_dmcrypt.txt" file

-------------------------------------------------------------------------------
Boot time cryptographic file system mounting

Required packages

  dnf install cryptsetup

First create a LUKS partition as per "linux_dmcrypt.txt"
(The force password option disables the antiquated password rules)

  device=/dev/rootvg/lv_app
  cryptsetup --force-password luksFormat $device

  # OPTIONAL: Add an extra password
  cryptsetup --force-password luksAddKey $device

  # Other key changes
  # cryptsetup luksRemoveKey $device
  # cryptsetup --force-password luksChangeKey $device

  # generate file system
  #luks=luks-$(cryptsetup luksUUID $device)
  luks=enc_app
  cryptsetup luksOpen /dev/mapper/rootvg-lv_app $luks
  mkfs -t ext4 -L Encrypted_Disk /dev/mapper/$luks
  tune2fs -c 0 -i 0 -m 0 /dev/mapper/$luks
  cryptsetup luksClose $luks

Add a line to "/etc/crypttab" so the mapper is created on boot

  vi /etc/crypttab
    enc_app /dev/rootvg/lv_app none _netdev

  # Add entry to "/etc/fstab" to mount it
  vi /etc/fstab
    /dev/mapper/enc_app /app ext4 defaults,_netdev 1 2

  # get systemd to re-read...
  # this runs systemd-cryptsetup-generator
  systemctl daemon-reload

  # see systemd units used to create /dev/mapper
  systemctl list-units | grep systemd-cryptsetup
  # => systemd-cryptsetup@enc_app.service generated

  # get systemd to create the mapper file and mount
  luks=enc_app
  systemctl start systemd-cryptsetup@$luks
  journalctl -u systemd-cryptsetup@$luks

  # see the mapped decrypted device
  ls -Fla /dev/mapper/$luks
  mount /app

Now it should ask for the password on boot

PROBLEM...
  It asks, and boots, as long as it does not try to mount the partition from
  fstab!  If I add the fstab entry it just locks up at "Switch to root!"
  without even asking for the password!  Still mounts fine after the system
  is booted.
It WORKS once an automatic password file was added (see next)

Solution

Adding the "_netdev" option to both crypttab and fstab for LVM volumes.
This causes the unlock and mount to be handled later in the boot sequence.
This is needed for all non-root volumes.

From the "cryptsetup" manual...
  Hint: if this device is used for a mount point that is specified in
  fstab(5), the _netdev option should also be used for the mount point.

Root volumes are: /, /tmp, /var, and /usr/local/ which require the dracut
initramfs to decrypt.

  dracut -f

No password asking -- See Tang/Clevis, NBDE below

At the moment the only option is a secured password file

  vi /etc/crypttab
    enc_app /dev/rootvg/lv_app /root/app_crypt_key _netdev

  echo -n {password} > /root/app_crypt_key
  # must be done without a return (newline) in the file
  # otherwise the password will fail, and you will be asked for it.

-------------------------------------------------------------------------------
Tang / Clevis  -or-  NBDE  Network Bound Disk Encryption

Client machines (using clevis) make a remote call to a decryption key server
(tang).  If the keys match, the LUKS disks are decrypted and mounted; otherwise
it falls back to the normal manual password request.

  https://opensource.com/article/20/11/nbde-linux
  https://www.redhat.com/en/blog/easier-way-manage-disk-decryption-boot-red-hat-enterprise-linux-75-using-nbde
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

Set up LUKS disk (crypttab & fstab) as above...
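Before going on to Tang, a check of the crypttab / fstab / key-file setup the
notes above describe.  This is an added example, not part of the original
notes: it audits that every non-root crypttab entry and its matching
/dev/mapper line in fstab both carry _netdev, and that a key file exists, has
no trailing newline (the failure mode described above) and is readable by root
only.  The crypttab, fstab and key files it reads are constructed in a temp
dir so it runs offline; the function names (audit_crypttab, audit_count,
has_opt, ends_with_newline) are this script's own.

```shell
#!/bin/bash
# Added example (not from the original notes): audit a crypttab against an
# fstab and the key files it names.  Sample files are CONSTRUCTED below so
# this runs offline; point audit_crypttab at /etc/crypttab /etc/fstab to
# use it on a real system.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: enc_app is wired up correctly except for its key file
# (trailing newline, world-readable); enc_data is missing _netdev on both
# sides; enc_good has everything right.
printf '%s' 'secret'   > "$workdir/good_key"; chmod 600 "$workdir/good_key"
printf '%s\n' 'secret' > "$workdir/bad_key";  chmod 644 "$workdir/bad_key"
printf '%s\n' \
  "enc_app   /dev/rootvg/lv_app   $workdir/bad_key   _netdev" \
  "enc_data  /dev/rootvg/lv_data  none" \
  "enc_good  /dev/rootvg/lv_good  $workdir/good_key  _netdev" > "$workdir/crypttab"
printf '%s\n' \
  "/dev/mapper/enc_app   /app   ext4  defaults,_netdev  1 2" \
  "/dev/mapper/enc_data  /data  ext4  defaults          1 2" \
  "/dev/mapper/enc_good  /good  ext4  defaults,_netdev  1 2" > "$workdir/fstab"

# has_opt OPTLIST OPT -> true when OPT appears in the comma-separated list
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# ends_with_newline FILE -> true when the file's last byte is 0x0a
ends_with_newline() {
  [ "$(tail -c1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# audit_crypttab CRYPTTAB FSTAB -> one finding per line on stdout
audit_crypttab() {
  local crypttab=$1 fstab=$2 name dev key opts mntopts mode
  while read -r name dev key opts; do
    case "$name" in ''|\#*) continue ;; esac
    # crypttab side: non-root volumes need _netdev so unlocking is ordered late
    has_opt "$opts" _netdev || echo "$name: crypttab entry lacks _netdev"
    # fstab side: the mount point for /dev/mapper/<name> needs _netdev too
    mntopts=$(awk -v d="/dev/mapper/$name" '$1 == d { print $4 }' "$fstab")
    if [ -n "$mntopts" ] && ! has_opt "$mntopts" _netdev; then
      echo "$name: fstab entry lacks _netdev"
    fi
    # key file: present, no trailing newline (it would become part of the
    # passphrase and the unlock fails), and not readable by other users
    if [ -z "$key" ] || [ "$key" = none ]; then continue; fi
    if [ ! -f "$key" ]; then
      echo "$name: key file $key missing"; continue
    fi
    ends_with_newline "$key" && echo "$name: key file $key ends with a newline"
    mode=$(stat -c %a "$key")
    case "$mode" in
      400|600) ;;
      *) echo "$name: key file $key is mode $mode, expected 600" ;;
    esac
  done < "$crypttab"
}

# audit_count CRYPTTAB FSTAB -> number of findings
audit_count() { audit_crypttab "$@" | wc -l | tr -d ' '; }

audit_crypttab "$workdir/crypttab" "$workdir/fstab"
```

On the constructed sample this reports four findings (two for enc_app's key
file, two for enc_data's missing _netdev) and nothing for enc_good.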
--- Set up Tang on some server

  dnf install tang
  systemctl enable tangd.socket

  # move port from port 80 to 7500
  semanage port -a -t tangd_port_t -p tcp 7500
  systemctl edit tangd.socket
    [Socket]
    ListenStream=
    ListenStream=7500
  systemctl daemon-reload

  # start it
  systemctl start tangd.socket
  # ALSO open the firewall for port 7500

  systemctl show tangd.socket -p Listen
  # => Listen=[::]:7500 (Stream)

  # check it is up
  curl http://tang-server:7500/adv

To check on cryptographic operations use the "jose" utility???

Multiple Tang servers can be enabled.

--- Set up Clevis on the client

  dnf install clevis clevis-luks clevis-systemd   #clevis-dracut
  # clevis-systemd has the 'askpass' used to supply the password during boot
  # clevis-dracut needed for initramfs

  # download tang server advertisements (may be multiple)
  #curl http://tang1:7500/adv > adv1.jws
  #curl http://tang2:7500/adv > adv2.jws

  # bind disk to clevis using the above tang server
  device=/dev/rootvg/lv_app
  clevis luks bind -d $device tang '{"url":"http://tang-server:7500"}'
  ...
    trust key: Y
    luks password: ****

  # repeat the above for other tang servers (multiple)
  # so they may be used if the first isn't available

  # enable clevis to supply the password to LUKS on boot
  systemctl enable clevis-luks-askpass.path

  # check disks for clevis tokens -- RHEL 8
  clevis luks list -d $device
  # => 1: tang '{"url":"http://tang-server:7500"}'

  # check disks for clevis tokens -- RHEL 7
  luksmeta show -d $device
  # => 0   active empty                                  # normal LUKS key
  #    1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e   # a Tang key
  #    2 inactive                                        # unused key

  # OR... RHEL8
  cryptsetup luksDump $device | sed '/^Tokens:/,/^D/!d; /^D/d'
  # Tokens:
  #   0: clevis
  #         Keyslot:  1

  # does it work? - RHEL8
  clevis luks pass -d $device -s 1

Boots will now cause "clevis-luks-askpass" to try to set the password from the
registered tang servers.  If the tang server is unavailable, the passphrase
will be asked for on the console for manual entry, just as it was before
(fallback).
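What "curl http://tang-server:7500/adv" actually hands back is a JWS whose
base64url payload is a JWK set, and a server is only usable for unlocking when
that set carries both a signing key (ES512, key_ops "verify") and an exchange
key (ECMR, key_ops "deriveKey").  The script below is an added example, not
part of the original notes or of the tang/clevis projects: it decodes an
advertisement offline and reports the advertised algorithms.  The
advertisement it inspects is constructed in the script (placeholder
signature, not verified, which is exactly what the "trust key: Y" prompt in
"clevis luks bind" is about); the function names (b64url_encode,
b64url_decode, adv_payload, adv_algs, adv_usable) are this script's own.

```shell
#!/bin/bash
# Added example (not from the original notes): inspect a Tang advertisement
# offline.  A real adv is a JWS {"payload":..,"protected":..,"signature":..}
# whose base64url payload is a JWK set.  The adv below is CONSTRUCTED so the
# script runs with no server; its signature is a placeholder and is NOT
# verified here.  Feed the saved adv1.jws from the notes to adv_algs/adv_usable
# to inspect a real one.

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# b64url_decode STRING -> decoded bytes (standard alphabet, padding restored)
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# adv_payload ADV -> the decoded JWK set carried in the advertisement
adv_payload() {
  local enc
  enc=$(printf '%s' "$1" | sed 's/.*"payload":"\([^"]*\)".*/\1/')
  b64url_decode "$enc"
}

# adv_algs ADV -> the "alg" of every advertised key, one per line
adv_algs() { adv_payload "$1" | grep -o '"alg":"[^"]*"' | cut -d'"' -f4; }

# adv_usable ADV -> 0 when both a signing (ES512) and an exchange (ECMR) key
# are advertised, which is what clevis needs to bind against the server
adv_usable() {
  local algs
  algs=$(adv_algs "$1")
  printf '%s\n' "$algs" | grep -qx ES512 && printf '%s\n' "$algs" | grep -qx ECMR
}

# Constructed advertisement with the shape of a real one (placeholder signature).
good_jwks='{"keys":[{"alg":"ES512","kty":"EC","crv":"P-521","key_ops":["verify"]},{"alg":"ECMR","kty":"EC","crv":"P-521","key_ops":["deriveKey"]}]}'
good_adv=$(printf '{"payload":"%s","protected":"%s","signature":"PLACEHOLDER"}' \
  "$(b64url_encode "$good_jwks")" "$(b64url_encode '{"alg":"ES512","cty":"jwk-set+json"}')")

# Constructed advertisement from a server that only offers a signing key:
# nothing to derive the unlock key from, so clevis could not bind to it.
bad_adv=$(printf '{"payload":"%s","protected":"","signature":"PLACEHOLDER"}' \
  "$(b64url_encode '{"keys":[{"alg":"ES512","kty":"EC","key_ops":["verify"]}]}')")

echo "advertised algorithms:"; adv_algs "$good_adv"
adv_usable "$good_adv" && echo "good_adv: signing and exchange keys present"
adv_usable "$bad_adv"  || echo "bad_adv: no exchange key, not usable for unlocking"
```

Checking the advertised key set this way tells you the server is reachable
and complete; it says nothing about whether the key is the one you expect,
which is the trust decision the bind prompt leaves to you.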
-------------------------------------------------------------------------------
Disable crypttab completely

  # the kernel option belongs in /etc/default/grub;
  # grub2-mkconfig then regenerates the real grub.cfg from it
  vi /etc/default/grub
    GRUB_CMDLINE_LINUX_DEFAULT="quiet luks.crypttab=no"
  grub2-mkconfig -o /boot/grub2/grub.cfg

-------------------------------------------------------------------------------
DIY 'unlock-and-mount' service

  sed -n '/^ *|/!d; s///; s/^ //; p' <<<'
    | [Unit]
    | Description=Unlock and mount encrypted FS
    |
    | [Service]
    | Type=oneshot
    | ExecStart=/usr/local/sbin/unlock-n-mount.sh
    |
    | [Install]
    | WantedBy=multi-user.target
    ' >> /usr/lib/systemd/system/unlock-n-mount.service

Script /usr/local/sbin/unlock-n-mount.sh

=======8<--------CUT HERE----------
#!/bin/bash
# get password from a USB
#
UUID=219bfa8b-8cf2-4939-aafc-5d7fe55970be
filesystem="/dev/disk/by-uuid/$UUID"

# Wait for USB to be plugged in... (20 x 0.1s = 2 seconds)
for i in {1..20}; do
  [ -b $filesystem ] && break
  sleep 0.1
done
if [ \! -b $filesystem ]; then
  echo 1>&2 "usb password drive NOT found"
  exit 10
fi

# mount the USB, read the key file, then unmount it again
mkdir /mnt/key 2>/dev/null
mount $filesystem /mnt/key

device=/dev/rootvg/lv_app
luks=luks-$(cryptsetup luksUUID $device)
cryptsetup luksOpen $device $luks --key-file /mnt/key/app_key_passwd
umount /mnt/key

mount /dev/mapper/$luks /app
=======8<--------CUT HERE----------

Now enable...

  systemctl enable unlock-n-mount

-------------------------------------------------------------------------------