NBDE client booting even when tang server is missing.


I am testing the Network-Bound Disk Encryption framework and I've been following a series of documents available both in and out of Red Hat's knowledge base.

One of the documents I've been following:

USING NETWORK-BOUND DISK ENCRYPTION

I have a kickstart that binds the encrypted disk to a tang server and then removes the password; here is the %post section of the kickstart file:

** kickstart **

%post
   clevis bind luks  -f -k- -d /dev/sda2 tang '{"url":"http://192.168.1.20","thp":"lQvJI-QgwTBV6rn0bNimB6rnCUI"}' <<< "temppass"
   echo -n "temppass" | cryptsetup luksRemoveKey  /dev/sda2 -
%end

** Client **

[root@server ~]# luksmeta show -d /dev/sda2
0 inactive empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty

However, I am able to boot the server up by typing the encryption password at boot time, at the console, when the tang server is not available.
I stop the tang server using this command:

systemctl disable  tangd.socket   --now

According to the documentation, this should not happen. I am looking for help and feedback.
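As an added check (this is example code, not from the thread and not clevis's own tooling): `luksmeta show` lists which slots carry clevis metadata, while `cryptsetup luksDump` lists which LUKS1 key slots are ENABLED. The script below parses both, on constructed sample output shaped like the post's device, and reports any enabled slot that has no clevis metadata, which is the set a defender wants to confirm is empty after luksRemoveKey. The clevis UUID and device path come from the post; the sample header values and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the clevis project.
# Cross-checks two views of a LUKS1 device after a clevis/tang bind:
#   cryptsetup luksDump  - which key slots are ENABLED (openable at all)
#   luksmeta show        - which slots carry clevis metadata
# An ENABLED slot without clevis metadata is one a typed passphrase can
# still open, whether or not the tang server is reachable.
# Both sample outputs below are constructed for this example.

CLEVIS_UUID='cb6e8904-81ff-40da-a84a-07ab9ab5715e'   # UUID clevis writes into luksmeta

SAMPLE_LUKSDUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: ENABLED
        Iterations:             1234567
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

SAMPLE_LUKSMETA='0 inactive empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

# enabled_slots DUMP: print the numbers of slots marked ENABLED, space-separated
enabled_slots() {
    printf '%s\n' "$1" \
      | awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }' \
      | xargs
}

# clevis_slots META: print the slots luksmeta reports active with the clevis UUID
clevis_slots() {
    printf '%s\n' "$1" \
      | awk -v uuid="$CLEVIS_UUID" '$2 == "active" && $3 == uuid { print $1 }' \
      | xargs
}

# passphrase_slots DUMP META: enabled slots that carry no clevis metadata
passphrase_slots() {
    ps_enabled=$(enabled_slots "$1")
    ps_clevis=$(clevis_slots "$2")
    ps_left=''
    for s in $ps_enabled; do
        case " $ps_clevis " in
            *" $s "*) ;;                        # slot is clevis-owned
            *) ps_left="$ps_left $s" ;;         # no clevis metadata: passphrase slot
        esac
    done
    printf '%s' "${ps_left# }"
}

# audit_binding DUMP META: one-line verdict on the bind/remove-key outcome
audit_binding() {
    ab_left=$(passphrase_slots "$1" "$2")
    if [ -z "$ab_left" ]; then
        echo "ok: only clevis-bound key slots are enabled"
    else
        echo "passphrase slot(s) still enabled: $ab_left"
    fi
}

# On a real host (LUKS1 device assumed), feed the live tool output instead:
#   audit_binding "$(cryptsetup luksDump /dev/sda2)" "$(luksmeta show -d /dev/sda2)"
audit_binding "$SAMPLE_LUKSDUMP" "$SAMPLE_LUKSMETA"
```

With the constructed sample, slot 0 is still ENABLED but has no clevis metadata, so the verdict names it; a dump where slot 0 reads DISABLED yields the "ok" line. Run it after the %post section completes to confirm the passphrase slot is actually gone before relying on tang availability as the only unlock path.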

Responses

Your syntax is slightly different from what is shown in Red Hat's documentation.

%post
clevis bind luks -f -k- -d /dev/vda2 \
     tang '{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}' \
     <<< "temppass"
cryptsetup luksRemoveKey /dev/vda2 - <<< "temppass"
%end

Yes, for some reason the redirect format would not work for me. I modified the syntax in an attempt to keep my sanity, and that seemed to work.