Encrypted servers and workstations running Fedora or Red Hat Linux can be unlocked at boot time using Tang and Clevis. In this article I will show how it's done using Cockpit on Fedora 32 Server Edition.
Part one covers the installation and setup of Tang service. Part two covers how to use Tang to unlock encrypted partitions.
For testing I have already created two virtual machines running Fedora 32 Server Edition.
- Machine number 1, the Tang server, has the IP address 192.168.100.2.
- Machine number 2, the server unlocking its disk with Tang and Clevis, has the IP address 192.168.100.3.
In this article I will show the configuration of the server using two options: Cockpit and the Linux command line (bash). If you would like to follow my steps, please select "Headless Management" during your installation of Fedora 32 Server Edition. Alternatively, install the Headless Management software group with DNF after installation:
$ sudo dnf groupinstall "Headless Management"
1 Configuration of Tang service
To install the Tang package run
$ sudo dnf -y install tang
1.2 Service configuration
The default port of Tang is 7406. After installation of Tang, however, the socket unit listens on port 80. This has to be changed. To edit the systemd socket unit for Tang, type
$ sudo systemctl edit --full tangd.socket
Change the configuration of the socket to 7406. The empty ListenStream= line clears the default port 80 before the new port is added:
[Socket]
ListenStream=
ListenStream=7406
Accept=true
Also disable the dependencies on tangd-keygen and tangd-update. Re-enable these entries if you are using those services; they are not covered by this article.
Save and exit the editor. Then run
$ sudo systemctl enable --now tangd.socket
to start and permanently enable the service.
1.3 SELinux policy
The default port for Tang is 7406/tcp. If you choose to configure the service to listen on another port then you need to change the SELinux policy. Skip this section if you set your port to 7406.
To view the current policy:
$ sudo semanage port -l | grep tang
tangd_port_t                   tcp      7406
To change it to another port (here 7500):
$ sudo semanage port -a -t tangd_port_t -p tcp 7500
1.4 Firewall configuration
To open the Tang port in the firewall, either run these commands
$ sudo firewall-cmd --zone=FedoraServer --add-port=7406/tcp --permanent
$ sudo systemctl reload firewalld.service
or configure the port in Cockpit.
1.5 Generate keys
To generate a pair of keys for Tang run this command:
$ sudo /usr/libexec/tangd-keygen /var/db/tang
Hint: Check the Red Hat documentation (link below) for more information on how to rotate keys.
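Once the keys exist, the Tang server advertises its public keys over plain HTTP at http://192.168.100.2:7406/adv as a JWS whose payload is a JWK set. Before a client trusts that server, compare the thumbprints of the advertised signing keys against the output of tang-show-keys run on the Tang host itself. The following is an added example (not code from the article or from the Tang project) that parses such an advertisement offline and computes RFC 7638 SHA-256 thumbprints; it assumes, as current Tang releases do, that tang-show-keys prints SHA-256 thumbprints, and it uses a constructed advertisement with placeholder coordinates and an unverified signature field.

```python
# Added example: inspect a Tang advertisement offline (not from the article).
import base64
import hashlib
import json

def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_THP_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url without padding."""
    members = _THP_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())

def tang_keys(advertisement: str) -> dict:
    """Map thumbprint -> key_ops for every key in a Tang /adv response."""
    jws = json.loads(advertisement)
    payload = json.loads(b64url_decode(jws["payload"]))
    return {jwk_thumbprint(k): tuple(k.get("key_ops", [])) for k in payload["keys"]}

def signing_thumbprints(advertisement: str) -> list:
    """Thumbprints to compare with tang-show-keys: keys able to 'verify'."""
    return sorted(t for t, ops in tang_keys(advertisement).items() if "verify" in ops)

# CONSTRUCTED sample: one signing key and one exchange key with placeholder
# coordinates (a real P-521 point has 66-byte x and y values).
_KEYS = {"keys": [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "x": "AQID", "y": "BAUG",
     "key_ops": ["verify"]},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "x": "BwgJ", "y": "CgsM",
     "key_ops": ["deriveKey"]},
]}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(json.dumps(_KEYS).encode()),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "placeholder-not-a-real-signature",
})

if __name__ == "__main__":
    for thp, ops in tang_keys(SAMPLE_ADV).items():
        print(f"{thp}  {','.join(ops)}")
    print("compare with tang-show-keys:", signing_thumbprints(SAMPLE_ADV))
```

Feed the script the body of a real /adv response in place of SAMPLE_ADV; a thumbprint that does not match what tang-show-keys prints on the server means the client is not talking to the server you set up.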
- Red Hat documentation on network-bound disk encryption: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening
- How to create an internal network with libvirt: https://gist.github.com/atomtigerzoo/d6929b5e42cab5909ee6