
13.2.3. Encrypting disks during installation

During OpenShift Container Platform installation, you can enable disk encryption on all master and worker nodes. This feature:

  • Is available for installer-provisioned infrastructure and user-provisioned infrastructure deployments
  • Is supported on Red Hat Enterprise Linux CoreOS (RHCOS) systems only
  • Sets up disk encryption during the manifest installation phase, so all data written to disk, from first boot forward, is encrypted
  • Encrypts data on the root filesystem only (/dev/mapper/coreos-luks-root mounted on /); other volumes, such as attached persistent storage, are not covered by this feature
  • Requires no user intervention to provide passphrases: the Clevis client on the node recovers the LUKS key automatically at boot, from the TPM or from a Tang server
  • Uses AES-256-CBC encryption

There are two different supported encryption modes:

  • TPM v2: This is the preferred mode. TPM v2 binds the disk-encryption key to the node's Trusted Platform Module, a secure cryptoprocessor, so the root disk can be unlocked only on the hardware it was installed on. Because the TPM releases the key on every boot, this mode protects the data on a disk that is removed from its node; it does not by itself protect against an attacker who can boot the node. To implement TPM v2 disk encryption, create an Ignition config file as described below.
  • Tang: The nodes recover the disk-encryption key from a Tang server on your network at boot, so a disk can be unlocked only while that server is reachable. Clevis implements the client side of the exchange on each node. Tang encryption mode is only supported for bare metal installs.

Follow one of the two procedures to enable disk encryption for the nodes in your cluster.

13.2.3.1. Enabling TPM v2 disk encryption

Use this procedure to enable TPM v2 mode disk encryption during OpenShift Container Platform deployment.

Procedure

  1. Check whether TPM v2 needs to be enabled in the BIOS or UEFI firmware on each node. This is required on most Dell systems; check the manual for your hardware.
  2. Generate the Kubernetes manifests for the cluster:

    $ ./openshift-install create manifests --dir=<installation_directory>
  3. In the <installation_directory>/openshift directory, create a MachineConfig file for each role (master, worker) whose nodes should have encrypted disks.

    • To create a worker file, run the following command:

      $ cat << EOF > ./99-openshift-worker-tpmv2-encryption.yaml
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        name: worker-tpm
        labels:
          machineconfiguration.openshift.io/role: worker
      spec:
        config:
          ignition:
            version: 2.2.0
          storage:
            files:
            - contents:
                # e30K is base64 for "{}": an empty Clevis configuration selects TPM v2 mode
                source: data:text/plain;base64,e30K
              filesystem: root
              mode: 420  # decimal 420 = octal 0644 (rw-r--r--)
              path: /etc/clevis.json
      EOF
    • To create a master file, run the following command:

      $ cat << EOF > ./99-openshift-master-tpmv2-encryption.yaml
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        name: master-tpm
        labels:
          machineconfiguration.openshift.io/role: master
      spec:
        config:
          ignition:
            version: 2.2.0
          storage:
            files:
            - contents:
                # e30K is base64 for "{}": an empty Clevis configuration selects TPM v2 mode
                source: data:text/plain;base64,e30K
              filesystem: root
              mode: 420  # decimal 420 = octal 0644 (rw-r--r--)
              path: /etc/clevis.json
      EOF
  4. Make a backup copy of the YAML files. The installer consumes and removes the files in the openshift directory when it generates the Ignition configs, so they are no longer available after you create the cluster.
  5. Continue with the remainder of the OpenShift Container Platform deployment.
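The following script is an added example, not part of the OpenShift documentation or of the installer. It generates the two MachineConfig manifests above from one function, decodes the embedded payload so you can confirm what will land in /etc/clevis.json before the installer consumes the files, and includes an assumed post-install check (oc debug plus lsblk on a node, with a placeholder node name) that the root filesystem really sits on the coreos-luks-root crypt device. The output directory in the demo is a constructed temporary directory; in a real install you would pass <installation_directory>/openshift.

```shell
#!/usr/bin/env bash
# Added example, not from the OpenShift documentation: generate the TPM v2
# disk-encryption MachineConfigs for both roles and check the Clevis payload.
set -eu

# Base64-encode a Clevis configuration the way the documented payload does:
# the JSON plus a trailing newline. "{}" (empty configuration, TPM v2 mode)
# encodes to "e30K", the exact payload used in the procedure above.
clevis_payload_b64() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Emit the MachineConfig YAML for a role ("master" or "worker") on stdout.
# The optional second argument is the clevis.json content; default "{}".
gen_tpm_machineconfig() {
  mc_role="$1"
  mc_clevis_json="${2:-}"
  [ -n "$mc_clevis_json" ] || mc_clevis_json='{}'
  mc_payload="$(clevis_payload_b64 "$mc_clevis_json")"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: ${mc_role}-tpm
  labels:
    machineconfiguration.openshift.io/role: ${mc_role}
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain;base64,${mc_payload}
        filesystem: root
        mode: 420
        path: /etc/clevis.json
EOF
}

# Write 99-openshift-<role>-tpmv2-encryption.yaml for both roles into the
# given directory (normally <installation_directory>/openshift).
write_tpm_machineconfigs() {
  out_dir="$1"
  for r in master worker; do
    gen_tpm_machineconfig "$r" > "${out_dir}/99-openshift-${r}-tpmv2-encryption.yaml"
  done
}

# Pull the base64 payload back out of a generated manifest and decode it,
# so the content of /etc/clevis.json can be reviewed before "create cluster".
decode_clevis_payload() {
  sed -n 's#.*base64,\([A-Za-z0-9+/=]*\).*#\1#p' "$1" | base64 -d
}

# Assumed post-install check, not part of the documented procedure: the
# root filesystem should be on a "crypt" device named coreos-luks-root.
# Needs an active oc login; the node name is whatever you pass in.
check_node_root_is_luks() {
  oc debug "node/$1" -- chroot /host lsblk -o NAME,TYPE,MOUNTPOINT \
    | grep -E 'coreos-luks-root.*crypt'
}

# Demo run: write both manifests to a constructed temp dir and show what
# each one will place in /etc/clevis.json.
if [ "${1:-}" = "--demo" ]; then
  demo_dir="$(mktemp -d)"
  write_tpm_machineconfigs "$demo_dir"
  for f in "$demo_dir"/99-openshift-*-tpmv2-encryption.yaml; do
    printf '%s -> clevis.json = %s\n' "$f" "$(decode_clevis_payload "$f")"
  done
fi
```

Run it with `--demo` to see both files and their decoded payloads; `gen_tpm_machineconfig worker` alone prints the worker manifest, byte for byte the one in the procedure above. The base64 step is kept in a function rather than pasted as a literal so that a non-empty Clevis configuration can be encoded the same way without hand-encoding it.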