Encrypting a Volume with NBDE

Check the Server 1 status first:

1. In your Server 1 terminal window, check the status of the LUKS-encrypted volume (payroll) by running the following command:

   cryptsetup -v status payroll
   

2. Determine where the volume is mounted by running the following command:

   df -h
   

3. List the contents of the payroll directory by running the following command:

   ls /payroll
   

Switch to your Server 2 terminal window:

1. Install Tang by running the following command:

   sudo yum install -y tang
   

2. Generate the keys for Tang by running the following command:

   /usr/libexec/tangd-keygen /var/db/tang
   

3. Configure Tang to run at boot by running the following command:

   sudo systemctl enable tangd.socket --now
   

4. Verify that two Tang keys were created by running the following command:

   sudo ls /var/db/tang
   

5. Determine the IP address of Server 2 by running the following command:

   ip addr
   

1. First, install the necessary Clevis packages on Server 1 by running the following command:

   sudo yum install -y clevis clevis-luks clevis-dracut
   

2. Next, encrypt the /dev/xvdg disk with the Tang key from Server 2 by running the following command:

   sudo clevis bind luks -d /dev/xvdg tang '{"url":"http://10.0.0.<SERVER2_IP>"}'
   

3. Verify that the key was entered into the LUKS header of /dev/xvdg by running the following command:

   sudo luksmeta show -d /dev/xvdg
   

4. Verify that slot 1 is active and there is a key value next to it.
5. Lastly, run the sudo dracut -f command to force to retrieval of the Tang key at boot.