4.10.4. Deploying an Encryption Client for an NBDE System with Tang

Prerequisites

Procedure

To bind a Clevis encryption client to a Tang server, use the clevis encrypt tang subcommand:
~]$ clevis encrypt tang '{"url":"http://tang.srv"}' < PLAINTEXT > JWE
The advertisement contains the following signing keys:

_OsIk0T-E2l6qjfdDiwVmidoZjA

Do you wish to trust these keys? [ynYN] y
Change the http://tang.srv URL in the previous example to match the URL of the server on which tang is installed. The JWE output file contains your encrypted cipher text, which is produced from the PLAINTEXT input file.
To decrypt the data, use the clevis decrypt command and provide the cipher text (JWE):
~]$ clevis decrypt < JWE > PLAINTEXT
For more information, see the clevis-encrypt-tang(1) man page, or use the built-in CLI help:
~]$ clevis
Usage: clevis COMMAND [OPTIONS]

  clevis decrypt      Decrypts using the policy defined at encryption time
  clevis encrypt http Encrypts using a REST HTTP escrow server policy
  clevis encrypt sss  Encrypts using a Shamir's Secret Sharing policy
  clevis encrypt tang Encrypts using a Tang binding server policy
  clevis luks bind    Binds a LUKSv1 device using the specified policy
  clevis luks unlock  Unlocks a LUKSv1 volume

~]$ clevis decrypt
Usage: clevis decrypt < JWE > PLAINTEXT

Decrypts using the policy defined at encryption time

~]$ clevis encrypt tang
Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE

Encrypts using a Tang binding server policy

This command uses the following configuration properties:

  url: <string>   The base URL of the Tang server (REQUIRED)

  thp: <string>   The thumbprint of a trusted signing key

  adv: <string>   A filename containing a trusted advertisement
  adv: <object>   A trusted advertisement (raw JSON)

Obtaining the thumbprint of a trusted signing key is easy. If you
have access to the Tang server's database directory, simply do:

    $ jose jwk thp -i $DBDIR/$SIG.jwk

Alternatively, if you have certainty that your network connection
is not compromised (not likely), you can download the advertisement
yourself using:

    $ curl -f $URL/adv > adv.jws
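The help text above recommends pinning the Tang signing key's thumbprint (the thp property) rather than trusting whatever advertisement arrives over the network. The following added example, which is not part of this guide or of the Clevis project, computes the RFC 7638 JWK thumbprint the way jose jwk thp does and checks a constructed advertisement against a pinned value; the key coordinates, signature and the assumed JWS layout (base64url payload carrying a JWK Set, signing keys marked with the "verify" key operation) are constructed for illustration, and verifying the JWS signature itself is left to clevis.

```python
import base64
import hashlib
import json
# RFC 7638 section 3.2: only these members, sorted lexicographically, enter the thumbprint input.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographically ordered, no whitespace (RFC 7638)."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """base64url(hash(canonical JWK)), as printed by `jose jwk thp`. A SHA-1 thumbprint
    is 27 characters (the length of the one shown in the trust prompt above); SHA-256 gives 43."""
    return b64url(hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest())

def signing_keys(advertisement: dict) -> list:
    """Assumed layout: a JWS in JSON serialization whose payload is a JWK Set;
    the signing keys are those advertised with the "verify" key operation."""
    jwks = json.loads(b64url_decode(advertisement["payload"]))
    return [k for k in jwks["keys"] if "verify" in k.get("key_ops", [])]

def advertisement_trusted(advertisement: dict, pinned_thps: set) -> bool:
    """True when a signing key matches a pinned thumbprint under SHA-1 or SHA-256.
    Verifying the JWS signature itself is left to clevis/jose."""
    for key in signing_keys(advertisement):
        if {jwk_thumbprint(key, "sha1"), jwk_thumbprint(key, "sha256")} & pinned_thps:
            return True
    return False

# Constructed sample advertisement (not a real Tang key): P-521 JWKs with made-up coordinates.
SIGNING_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
EXCHANGE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
                "x": "constructed-x2", "y": "constructed-y2"}
SAMPLE_ADV = {
    "payload": b64url(json.dumps({"keys": [SIGNING_KEY, EXCHANGE_KEY]}).encode()),
    "protected": b64url(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "constructed-signature-not-verified-here",
}

if __name__ == "__main__":
    pinned = {jwk_thumbprint(SIGNING_KEY, "sha1")}   # value recorded out of band on the Tang host
    print("trusted:", advertisement_trusted(SAMPLE_ADV, pinned))
```

The value to pin is the one jose jwk thp prints on the Tang server itself; a thumbprint copied from the interactive prompt over an untrusted network proves nothing.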