Manage disk decryption at boot using NBDE

--

  • Glossary:
    LUKS: Linux Unified Key Setup-on-disk-format
  • How it works:
    An additional component has been implemented which can be leveraged to unlock LUKS volumes remotely. This is called NBDE (Network Bound Disk Encryption): the client with a LUKS mount makes a remote call to a decryption key server. If the keys match, the mount happens, all without human input.
    On the client side (the system with the LUKS mount) there is a framework called Clevis. On the server side (the system that will do the remote unlocking) we utilize a Tang service.
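
One way to set up the client-side binding described above, as an added example that is not part of the original post. The device `/dev/sdX2`, the URL `http://tang.example.internal` and the function names are placeholders; `clevis luks bind`, `clevis luks list` and `tang-show-keys` are the tools shipped with Clevis and Tang.

```shell
#!/bin/sh
# Added example. Placeholders (constructed): /dev/sdX2 is the LUKS device,
# http://tang.example.internal is the Tang server; function names are hypothetical.

# Build the Clevis "tang" pin config. Passing a thumbprint (thp) pins the Tang
# signing key instead of trusting whatever key the URL advertises at bind time.
# Read the thumbprint on the Tang server itself with `tang-show-keys`.
tang_pin_cfg() {
  url="$1"; thp="${2:-}"
  case $url in
    *[\"\\]*|*' '*) echo "bad character in URL" >&2; return 1 ;;
    http://?*|https://?*) ;;
    *) echo "URL must start with http:// or https://" >&2; return 1 ;;
  esac
  case $thp in
    *[!A-Za-z0-9_-]*) echo "thumbprint must be base64url" >&2; return 1 ;;
  esac
  if [ -n "$thp" ]; then
    printf '{"url":"%s","thp":"%s"}\n' "$url" "$thp"
  else
    printf '{"url":"%s"}\n' "$url"
  fi
}

# Bind a LUKS device to the Tang server. DRY_RUN=1 prints the command instead.
# The bind adds a key slot; the existing passphrase still unlocks the volume.
nbde_bind() {
  dev="$1"
  cfg=$(tang_pin_cfg "$2" "${3:-}") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf "clevis luks bind -d %s tang '%s'\n" "$dev" "$cfg"
    return 0
  fi
  clevis luks bind -d "$dev" tang "$cfg" &&   # asks for an existing passphrase
    clevis luks list -d "$dev"                # show the slot now bound to Tang
}

# Example: DRY_RUN=1 nbde_bind /dev/sdX2 http://tang.example.internal <thumbprint>
```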
