project-faros / cluster-manager

The meat and potatoes behind farosctl
GNU General Public License v3.0

Encrypt all data at rest #150

Closed rmkraus closed 3 years ago

rmkraus commented 3 years ago

Drive encryption on OCP:

You can encrypt root disks with TPM modules using LUKS and your choice of cipher (so easy to hit FIPS 140-X compliance). The MachineConfig looks like this: https://docs.openshift.com/container-platform/4.7/installing/install_config/installing-customizing.html#installation-special-config-encrypt-disk-tpm2_installing-customizing

There is little to no documentation around doing it in Ignition, but it can be done. Presumably this will be exposed via install-config.yaml at some point, but it's not yet. This is important because using TPM to encrypt root disks on masters means you get free etcd encryption (it's like a 2-3% overhead on the disks, barely noticeable). Free etcd encryption means that keeping encryption keys for other things in etcd works - so you can use regular Secrets.

https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.7/html-single/deploying_openshift_container_storage_using_bare_metal_infrastructure/index#creating-openshift-container-storage-cluster-on-bare-metal_rhocs

Here's how to set up encryption for OCS. I would personally recommend cluster-wide encryption, as this encrypts the block device from the Local Storage Operator entirely, and then lays the bluestore on top of that encrypted volume. You don't need to use an external key management service if etcd is encrypted via TPM-backed root disk encryption on masters.

Two things to note about this setup: If you wipe or lose OpenShift, you lose the LUKS keys to your Ceph volumes. If the data has a chance of being more important to the workload/application than the cluster itself, then you should ensure you have a good, safe, etcd backup - or at least that you export those LUKS secrets and keep them somewhere safe.

If you don't use TPM-backed encryption, but do use LUKS on the root disks, you will require an external security key (can just be a flash drive) or a password to reboot.

rmkraus commented 3 years ago

Installing a tang server

  1. dnf install tang
  2. replace port in /usr/lib/systemd/system/tangd.socket, using 8082
  3. semanage port -a -t tangd_port_t -p tcp 8082
  4. systemctl enable tangd.socket --now
  5. firewall-cmd --zone=internal --add-port=8082/tcp --permanent
  6. create thumbprint:
     echo nifty random wordwords \
       | clevis-encrypt-tang '{"url":"http://192.168.8.1:8082"}'
  7. put thumbprint in encryption config.

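The "encryption config" the thumbprint goes into, and the TPM-backed root-disk MachineConfig mentioned in the first comment, both live in the same Ignition `storage.luks` section. The two MachineConfigs below are an added example written for this thread, not the project's or the author's own manifests: the object names, the cipher choice and the thumbprint value are assumptions (placeholders to replace), while the tang URL is the one used in step 6 above.

```yaml
# Added example (not from the project): Ignition 3.2 "storage.luks" entries
# for LUKS root-disk encryption on OCP 4.7 nodes. Object names, the cipher
# option and the thumbprint are placeholders/assumptions.
---
# Variant 1: key sealed to the node's TPM 2.0 (masters, so etcd lands on an
# encrypted disk). No passphrase or network needed at boot.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: master-tpm                          # assumed name
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
      - name: root
        device: /dev/disk/by-partlabel/root
        clevis:
          tpm2: true                        # clevis TPM2 pin
        options: [--cipher, aes-cbc-essiv:sha256]   # your choice of cipher; omit for the default
        wipeVolume: true
      filesystems:
      - device: /dev/mapper/root
        format: xfs
        wipeFilesystem: true
        label: root
---
# Variant 2: key escrowed by the tang server from the comment above; the
# thumbprint pins the server's signing key so the node only trusts that tang.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: worker-tang                         # assumed name
  labels:
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
      - name: root
        device: /dev/disk/by-partlabel/root
        clevis:
          tang:
          - url: http://192.168.8.1:8082    # tang server set up in steps 1-5
            thumbprint: REPLACE_WITH_THUMBPRINT   # value printed by step 6
        options: [--cipher, aes-cbc-essiv:sha256]
        wipeVolume: true
      filesystems:
      - device: /dev/mapper/root
        format: xfs
        wipeFilesystem: true
        label: root
```

Two operational consequences follow from the pins: with the TPM2 variant the LUKS key is bound to that node's TPM, so a disk moved to another machine will not unlock and reinstalling a node means re-encrypting, and with the tang variant a node cannot unlock its root disk at boot unless it can reach the tang server whose key matches the pinned thumbprint, so the tang host (and a backup of its key directory) is now part of the cluster's availability story in the same way the etcd backup is for the OCS keys above.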
rmkraus commented 3 years ago

released in 4.7.2