Chapter 23. Configuring automated unlocking using a Tang key in the web console
Configure automated unlocking of a LUKS-encrypted storage device using a key provided by a Tang server.
The RHEL 8 web console has been installed.
For details, see Installing the web console.
cockpit-storagedpackage is installed on your system.
cockpit.socketservice is running at port 9090.
clevis-dracutpackages are installed.
- A Tang server is running.
Open the RHEL web console by entering the following address in a web browser:
Replace the localhost part by the remote server’s host name or IP address when you connect to a remote system.
- Provide your credentials and click Content part: . Select an encrypted device and click in the
Click Keys section to add a Tang key:in the
Provide the address of your Tang server and a password that unlocks the LUKS-encrypted device. Clickto confirm:
The following dialog window provides a command to verify that the key hash matches. RHEL 8.2 introduced the
tang-show-keysscript, and you can obtain the key hash using the following command on the Tang server running on the port 7500:
# tang-show-keys 7500 3ZWS6-cDrCG61UPJS2BMmPU4I54
On RHEL 8.1 and earlier, obtain the key hash using the following command:
# curl -s localhost:7500/adv | jose fmt -j- -g payload -y -o- | jose jwk use -i- -r -u verify -o- | jose jwk thp -i- 3ZWS6-cDrCG61UPJS2BMmPU4I54
Clickwhen the key hashes in the web console and in the output of previously listed commands are the same:
To enable the early boot system to process the disk binding, clickat the bottom of the left navigation bar and enter the following commands:
# yum install clevis-dracut # grubby --update-kernel=ALL --args="rd.neednet=1" # dracut -fv --regenerate-all
Check that the newly added Tang key is now listed in the Keys section with the
Verify that the bindings are available for the early boot, for example:
# lsinitrd | grep clevis clevis clevis-pin-sss clevis-pin-tang clevis-pin-tpm2 -rwxr-xr-x 1 root root 1600 Feb 11 16:30 usr/bin/clevis -rwxr-xr-x 1 root root 1654 Feb 11 16:30 usr/bin/clevis-decrypt ... -rwxr-xr-x 2 root root 45 Feb 11 16:30 usr/lib/dracut/hooks/initqueue/settled/60-clevis-hook.sh -rwxr-xr-x 1 root root 2257 Feb 11 16:30 usr/libexec/clevis-luks-askpass