Automated unlocking of encrypted volumes using Policy-Based Decryption (PBD)
2 min read · May 26, 2023
- Glossary:
NBDE: Network-Bound Disk Encryption. NBDE allows root volumes on physical or virtual machines to be encrypted without anyone having to enter a password manually when the system is restarted.
Tang: Tang is a server for binding data to network presence. It makes a system containing your data available when that system is bound to a certain secure network. In other words, Tang is the network server used for decrypting LUKS devices.
Clevis: Clevis is a pluggable framework for automated decryption. In NBDE, Clevis provides automated unlocking of LUKS volumes; the clevis package provides the client side of the feature. In other words, Clevis is the framework that decrypts LUKS volumes and connects to the Tang server to do so.
Clevis pin: A Clevis pin is a plug-in for the Clevis framework. One such pin implements the interactions with the NBDE server — Tang.
- How it works:
Clevis and Tang are used in conjunction with LUKS to encrypt and decrypt root and non-root storage volumes to accomplish NBDE.
Both the client- and server-side components use the Jose library to perform the encryption and decryption operations.
When you begin provisioning NBDE, the Clevis pin for Tang gets a list of the Tang server's advertised asymmetric keys. Alternatively, since the keys are asymmetric, a list of Tang's public keys can be distributed out of band so that clients can operate without access to the Tang server. This mode is called offline provisioning.
The Clevis pin for Tang uses one of the public keys to generate a unique, cryptographically strong encryption key. Once the data is encrypted with this key, the key is discarded.
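The provisioning step just described (derive a fresh key from one of Tang's public keys, encrypt, discard the key) and the matching unlock step, as an added example that is not part of the original post and not code from the Clevis or Tang projects. Tang and Clevis perform this exchange (McCallum-Relyea) over an elliptic curve through the jose library; the example below substitutes a multiplicative group modulo a small, generated safe prime, and a SHA-256 keystream in place of JWE/AES-GCM, so that it runs with the Python standard library alone. The names `TangServer`, `provision`, `recover` and the sample secret are assumptions for illustration. It goes beyond the post by also showing the recovery exchange, in which the client blinds its stored value before sending it, so the Tang server never sees the encryption key and cannot tell which volume is being unlocked.

```python
"""Toy model of the key exchange behind Tang/Clevis (constructed example).

Tang and Clevis run this exchange (McCallum-Relyea) over an elliptic
curve via the jose library. Here the same algebra is shown in a
multiplicative group modulo a safe prime so it runs with the standard
library only. The group is far too small for real use and exists only
to show the data flow and who holds which secret at each step.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for every n below 3.3e24 with these bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int):
    """Return (p, q) with p = 2q + 1 both prime, searching upward from start."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_from(2**63)          # constructed toy group (about 64 bits)
G = 4                                   # 4 = 2^2 generates the order-q subgroup
NBYTES = (P.bit_length() + 7) // 8


def derive_key(shared: int) -> bytes:
    """Hash the shared group element down to a symmetric key."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher (Clevis really uses JWE/AES-GCM): XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class TangServer:
    """Holds the long-term private key; only ever sees blinded values."""

    def __init__(self):
        self._s = secrets.randbelow(Q - 1) + 1
        self.advertised = pow(G, self._s, P)   # public key: fetched online or shipped out of band

    def recover(self, blinded: int) -> int:
        # Applies the private key to a blinded element; learns nothing about C or the key.
        return pow(blinded, self._s, P)


def provision(server_pub: int, secret: bytes):
    """Clevis side of binding: returns (ciphertext, C). The ephemeral c and the key are discarded."""
    c = secrets.randbelow(Q - 1) + 1
    C = pow(G, c, P)
    key = derive_key(pow(server_pub, c, P))
    return stream_xor(key, secret), C     # only C and the ciphertext are kept (in the LUKS header metadata)


def recover(server: TangServer, server_pub: int, ciphertext: bytes, C: int) -> bytes:
    """Clevis side of unlocking: blind C before asking the server, unblind the answer."""
    e = secrets.randbelow(Q - 1) + 1
    X = (C * pow(G, e, P)) % P            # blinded query sent over the network
    Y = server.recover(X)                 # = C^s * G^(e*s)
    unblind = pow(pow(server_pub, e, P), -1, P)
    key = derive_key((Y * unblind) % P)   # = C^s = S^c, the key used at provisioning
    return stream_xor(key, ciphertext)


def demo() -> bool:
    """Bind a constructed sample secret to one server and unlock it again."""
    server = TangServer()
    secret = b"luks-volume-key-material"   # constructed sample, stands in for the LUKS passphrase
    ct, C = provision(server.advertised, secret)
    return recover(server, server.advertised, ct, C) == secret


def demo_wrong_server() -> bool:
    """A different Tang instance (or an impostor) holding another key cannot unlock the volume."""
    server, impostor = TangServer(), TangServer()
    secret = b"luks-volume-key-material"
    ct, C = provision(server.advertised, secret)
    return recover(impostor, server.advertised, ct, C) == secret


if __name__ == "__main__":
    print("unlock with the bound server:", demo())
    print("unlock with another server:  ", demo_wrong_server())
```

The property worth noticing is in `recover`: the value sent to the server is `C` multiplied by a fresh random element, so two unlock requests for the same volume look unrelated to Tang, and Tang's reply is useless to anyone who cannot remove the blinding with `e`, which never leaves the client.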
Sources: