
Encrypted servers and workstations running Fedora or Red Hat Enterprise Linux can be unlocked at boot time using Tang and Clevis: Tang is the network-bound disk encryption (NBDE) server, Clevis the client that binds a LUKS volume to it. In this article I show how it is done using Cockpit on Fedora 32 Server Edition.

Part one covers the installation and setup of the Tang service. Part two covers how to use Tang to unlock encrypted partitions.

My Environment

For testing I have already created two virtual machines running Fedora 32 Server Edition.

  • Machine number 1, the Tang server, has the IP address 192.168.100.2.
  • Machine number 2, the server unlocking its disk with Tang and Clevis, has the IP address 192.168.100.3.

In this article I show the configuration of the server in two ways: with Cockpit and on the Linux command line (bash). If you want to follow my steps, select "Headless Management" during the installation of Fedora 32 Server Edition, or install the Headless Management software group with DNF afterwards:

$ sudo dnf groupinstall "Headless Management"
Screenshot of Fedora 32 Server Edition software selection during installation.

1 Configuration of Tang service

1.1 Installation

To install the Tang package, run:

$ sudo dnf -y install tang

1.2 Service configuration

The port reserved for Tang in the SELinux policy is 7406, but the tangd.socket unit shipped in the Fedora package listens on port 80. This has to be changed. To edit the systemd socket unit for Tang, type

$ sudo systemctl edit --full tangd.socket

Change the socket configuration to listen on 7406. The empty ListenStream= line clears the packaged value before the new port is set:

[Socket]
ListenStream=
ListenStream=7406
Accept=true

Also remove the unit's dependencies on tangd-keygen and tangd-update, unless you use those services (they are not covered in this article).

Screenshot: tangd.socket configuration

Save and exit the editor. Then run

$ sudo systemctl enable --now tangd.socket

to start the socket now and enable it at boot. tangd itself is socket-activated: with Accept=true, systemd spawns one tangd instance per incoming connection.

1.3 SELinux policy

The SELinux policy labels port 7406/tcp as tangd_port_t. If you configure the service to listen on any other port, you must add that port to the label, otherwise SELinux prevents tangd from binding it. Skip this section if you set your port to 7406. The semanage tool comes from the policycoreutils-python-utils package.

To view the current policy:

$ sudo semanage port -l | grep tang
tangd_port_t                   tcp      7406

To add another port (here 7500) to the tangd_port_t label:

$ sudo semanage port -a -t tangd_port_t -p tcp 7500

1.4 Firewall configuration

To open the port in the firewall for Tang, either run these commands (FedoraServer is the default zone on Fedora Server Edition; --permanent only writes the stored configuration, so the reload is needed to apply it):

$ sudo firewall-cmd --zone=FedoraServer --add-port=7406/tcp --permanent
$ sudo systemctl reload firewalld.service

or add the port in Cockpit under Networking → Firewall.

1.5 Generate keys

Tang needs two keys, one for signing its advertisement and one for the key exchange with clients. To generate them, run:

$ sudo /usr/libexec/tangd-keygen /var/db/tang

Hint: check the Red Hat documentation for how to rotate keys. Old keys must not simply be deleted: clients bound to them can only unlock while those keys are still present on the server, so keep them (hidden from the advertisement) until every client has been rebound to the new keys.
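The whole of section 1 as one idempotent script, added here as an example and not part of the original article. It assumes the package and zone names used above (tang, policycoreutils-python-utils, firewalld, zone FedoraServer), the key directory /var/db/tang and the generator at /usr/libexec/tangd-keygen. Two things differ from the manual steps: the port is changed with a systemd drop-in instead of a full-unit edit (so the packaged tangd-keygen/tangd-update dependencies are left as they are), and the script ends with a check that the advertisement at /adv is actually served and lists keys. The helper functions need no root, which is how they can be exercised before touching a server.

```shell
#!/usr/bin/env bash
# tang-setup.sh: idempotent Tang server setup for Fedora Server plus a
# post-setup check of the advertisement. Added example, not from the article.
# Assumptions: Fedora/RHEL package names, firewalld zone "FedoraServer",
# key directory /var/db/tang, key generator at /usr/libexec/tangd-keygen.

TANG_PORT="${TANG_PORT:-7406}"
TANG_DB="${TANG_DB:-/var/db/tang}"
FW_ZONE="${FW_ZONE:-FedoraServer}"

# A TCP port is an integer in 1..65535; anything else is rejected.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the drop-in that rebinds tangd.socket to port $1. The empty
# ListenStream= line clears the packaged value (80) before the new one is set.
socket_dropin() {
    valid_port "$1" || return 1
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$1"
}

# Read `semanage port -l` output on stdin; succeed if tcp port $1 is labeled
# tangd_port_t. The port column may be a comma list, e.g. "tcp 7500, 7406".
selinux_port_labeled() {
    awk -v want="$1" '
        $1 == "tangd_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == want) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# /adv returns a JWS in flattened JSON form; extract its base64url payload
# (JWS read on stdin) and print the JSON it carries.
adv_payload() {
    local b64
    b64=$(sed -n 's/.*"payload" *: *"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$b64" ] || return 1
    b64=$(printf '%s' "$b64" | tr -- '-_' '+/')   # base64url -> base64 alphabet
    case $(( ${#b64} % 4 )) in                     # restore the stripped padding
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
    esac
    printf '%s' "$b64" | base64 -d
}

# Number of keys advertised (every JWK in the payload carries one "kty").
adv_key_count() {
    adv_payload | grep -o '"kty"' | wc -l | tr -d ' '
}

apply() {
    valid_port "$TANG_PORT" || { echo "invalid port: $TANG_PORT" >&2; return 1; }
    dnf -y install tang policycoreutils-python-utils firewalld curl
    mkdir -p /etc/systemd/system/tangd.socket.d
    socket_dropin "$TANG_PORT" > /etc/systemd/system/tangd.socket.d/port.conf
    systemctl daemon-reload
    # Only 7406 carries the tangd_port_t label by default; any other port
    # must be added or SELinux blocks the bind.
    if ! semanage port -l | selinux_port_labeled "$TANG_PORT"; then
        semanage port -a -t tangd_port_t -p tcp "$TANG_PORT"
    fi
    firewall-cmd --permanent --zone="$FW_ZONE" --add-port="${TANG_PORT}/tcp"
    firewall-cmd --reload
    # Generate the signing and exchange keys only if the directory has none,
    # so re-running the script never silently replaces a key clients depend on.
    if ! ls "$TANG_DB"/*.jwk >/dev/null 2>&1; then
        /usr/libexec/tangd-keygen "$TANG_DB"
    fi
    systemctl enable --now tangd.socket
    # Smoke test: the advertisement must be served and list at least one key.
    local n
    n=$(curl -sf "http://127.0.0.1:${TANG_PORT}/adv" | adv_key_count)
    [ "${n:-0}" -ge 1 ] || { echo "advertisement check failed" >&2; return 1; }
    echo "tang listening on ${TANG_PORT}/tcp, advertising ${n} key(s)"
}

# The privileged steps run only when invoked as: sudo ./tang-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Invoking the script without `apply` only defines the functions, so `. ./tang-setup.sh` in a shell lets you try `socket_dropin 7500` or pipe a real `semanage port -l` into `selinux_port_labeled` before running the privileged steps. The advertisement check deliberately looks only at the payload: verifying the JWS signature against the server's own signing key is the client's job (Clevis does it when binding), and that is covered in part two.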
