Welcome to this guide on how to use an encrypted Stratis pool with Network Bound Disk Encryption (NBDE). Our previous guide covered how to configure Stratis Storage on Rocky Linux 8 | AlmaLinux 8. Stratis is a local storage management service that makes it easy to manage pools built from physical storage devices. Here are the main concepts involved:
- Pool: this is the chief component of Stratis. It is made up of one or more block devices and its total size is the sum of the block devices’ size.
- blockdev: these are the block devices that back a Stratis pool. The supported block devices are:
  - HDDs and SSDs
  - LVM logical volumes
  - MD RAID
  - iSCSI
  - DM Multipath
  - LUKS
- Filesystem: a pool can contain one or more filesystems, formatted as XFS, that are used to store files. The filesystems are thinly provisioned: they do not have a fixed size, and the space they occupy grows as data is written to them.
Stratis pools offer several features, including:
- Pool-based management
- File system snapshots
- Monitoring
- Thin provisioning
- Tiering
Stratis allows one to create either encrypted or unencrypted pools. Encrypted pools are created to protect the data at rest. An encrypted pool uses a key stored in the kernel keyring as its primary unlock mechanism; after a system reboot, you must put the same key back into the kernel keyring before the pool can be accessed.
This guide provides you with the required knowledge on how to use encrypted Stratis pool with Network Bound Disk Encryption (NBDE).
Prerequisites
This guide requires you to have:
- Block devices that are not in use/mounted. In this guide, we will use several disks attached to the system.
Identify the block devices using the command:
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 39G 0 part
├─cs-root 253:0 0 35G 0 lvm /
└─cs-swap 253:1 0 4G 0 lvm [SWAP]
sdb 8:16 0 10G 0 disk
sdc 8:32 0 10G 0 disk
sdd 8:48 0 10G 0 disk
I have 3 disks of 10 GB each attached to my system, which will be used to create the encrypted Stratis pool.
Step 1 – Install Stratis on Your System
Stratis is available in the default RHEL/CentOS/Rocky Linux/AlmaLinux repositories and can be installed with the following commands:
sudo su -
dnf install stratisd stratis-cli -y
Once installed, start the Stratis service using the command:
systemctl enable --now stratisd
Check if the service is running:
# systemctl status stratisd
● stratisd.service - Stratis daemon
Loaded: loaded (/usr/lib/systemd/system/stratisd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-07-07 13:10:27 EDT; 6s ago
Docs: man:stratisd(8)
Main PID: 2501 (stratisd)
Tasks: 5 (limit: 23505)
Memory: 1.5M
CGroup: /system.slice/stratisd.service
└─2501 /usr/libexec/stratisd --log-level debug
Jul 07 13:10:27 geeksforgeeks.org systemd[1]: Starting Stratis daemon...
Jul 07 13:10:27 geeksforgeeks.org stratisd[2501]: [2022-07-07T17:10:27Z INFO libstratis::stratis::run] stratis daemon version 2.4.2 st>
Jul 07 13:10:27 geeksforgeeks.org stratisd[2501]: [2022-07-07T17:10:27Z INFO libstratis::stratis::run] Using StratEngine
Step 2 – Creating an encrypted Stratis pool
A Stratis pool can be created using one or multiple block devices. In this guide, we have 3 secondary disks attached to the system.
Begin by wiping any partition tables, filesystems, or RAID signatures from the devices:
sudo wipefs --all block-device1 block-device2
Replace block-device1 and block-device2 with the block device names. For example:
wipefs --all /dev/sdb /dev/sdc /dev/sdd
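The prerequisite above is that the disks are not in use, and wipefs --all destroys whatever is on them without asking. The script below is an added example (not part of the original guide) of a pre-flight check that refuses to hand a device to wipefs when lsblk reports it as mounted or as having something stacked on it (a partition, an LVM volume, dm-crypt, MD). It parses the key="value" output of lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME; the listing embedded in the script is a constructed sample of that output (the guide's sda layout plus a mounted sdd and a partitioned sde) so it runs offline, and the file path and function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): a pre-flight check that refuses
# to hand a block device to `wipefs --all` when lsblk shows it is mounted or has
# something stacked on it (a partition, an LVM volume, dm-crypt, MD ...).
#
# Assumed live usage on the target host:
#   lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME > /tmp/lsblk.txt
#   check_unused /tmp/lsblk.txt sdb sdc sdd && wipefs --all /dev/sdb /dev/sdc /dev/sdd
# The listing below is a constructed sample of that lsblk output (the guide's sda
# layout plus a mounted sdd and a partitioned sde) so the script runs offline.

SAMPLE_LISTING=$(cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cs-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2"
NAME="cs-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda2"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdc" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdd" TYPE="disk" MOUNTPOINT="/mnt/scratch" PKNAME=""
NAME="sde" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sde1" TYPE="part" MOUNTPOINT="" PKNAME="sde"
EOF
)

# in_use_reason <listing-file> <dev>: print one line per reason the device is busy
# (mounted itself, or another device names it as parent); no output means it looks free.
in_use_reason() {
    listing=$1; dev=$2
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/^NAME="\([^"]*\)".*/\1/p')
        mnt=$(printf '%s\n' "$line" | sed -n 's/.*MOUNTPOINT="\([^"]*\)".*/\1/p')
        pk=$(printf '%s\n' "$line" | sed -n 's/.*PKNAME="\([^"]*\)".*/\1/p')
        if [ "$name" = "$dev" ] && [ -n "$mnt" ]; then
            printf '%s is mounted at %s\n' "$dev" "$mnt"
        elif [ "$pk" = "$dev" ]; then
            printf '%s has %s stacked on it\n' "$dev" "$name"
        fi
    done < "$listing"
}

# check_unused <listing-file> <dev>...: succeed only if every device exists in the
# listing and is free; reasons go to stderr so the caller can chain with &&.
check_unused() {
    listing=$1; shift
    rc=0
    for dev in "$@"; do
        if ! grep -q "^NAME=\"$dev\"" "$listing"; then
            echo "$dev: not present in lsblk listing" >&2
            rc=1
            continue
        fi
        reasons=$(in_use_reason "$listing" "$dev")
        if [ -n "$reasons" ]; then
            echo "$reasons" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo against the constructed listing: sdb and sdc pass, sdd (mounted), sde
# (partitioned) and sdz (absent) are rejected.
demo_listing=$(mktemp)
printf '%s\n' "$SAMPLE_LISTING" > "$demo_listing"
for d in sdb sdc sdd sde sdz; do
    if check_unused "$demo_listing" "$d"; then
        echo "$d: free, safe to wipe"
    else
        echo "$d: NOT safe to wipe"
    fi
done
rm -f "$demo_listing"
```

The PKNAME column is what catches devices that are not mounted themselves but carry a partition or LVM physical volume, which a plain MOUNTPOINT check would miss; a device missing from the listing is treated as unsafe rather than as free.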
After cleaning the disks, set the key that will be used to encrypt the pool. The key is stored in the kernel keyring under a key description (here pool1key):
# stratis key set --capture-key pool1key
Enter key data followed by the return key:
Type the passphrase you want to use and press Enter.
The key now exists in the kernel keyring. The same key description and passphrase will be needed to access the pool after every reboot. Verify it with the command:
# stratis key list
Key Description
pool1key
Create an encrypted pool using the command with the below syntax:
stratis pool create --key-desc <key-description> <pool_name> block-device1 block-device2 block-device-n
In the above command, replace <key-description> with the key description created above and <pool_name> with the desired name for the pool.
For example:
stratis pool create --key-desc pool1key pool1 /dev/sdb /dev/sdc /dev/sdd
Once created, verify using the command:
# stratis pool list
Name Total Physical Properties UUID
pool1 29.95 GiB / 45.64 MiB / 29.91 GiB ~Ca, Cr be1d8a96-03f8-41a4-9d63-09baa1c697d8
We now have a pool named pool1 with a capacity of about 30 GiB, the combined size of the three disks.
Step 3 – Creating a Filesystem on a Pool
Once the pool has been created, you need to create a filesystem on it before you can write data to the pool. The command has the following syntax:
# stratis fs create <poolname> <filesystemname>
For example (stratis accepts fs as a short alias for filesystem):
stratis filesystem create pool1 filesystem1
Verify the creation using the command:
# stratis fs list
Pool Name Name Used Created Device UUID
pool1 filesystem1 545 MiB Jul 07 2022 13:12 /dev/stratis/pool1/filesystem1 283f8f78-0b33-4a35-a2d0-e9cd6b85d124
To get a detailed view, use the command below:
lsblk
Sample Output:
Step 4 – Unlocking an encrypted Stratis pool with kernel keyring
After a system reboot, you will not be able to access the pool:
# stratis pool list
Name Total Physical Properties UUID
To access it again, you need to put the key back into the kernel keyring. Recreate the key using the same key description; you will be prompted for the same passphrase:
stratis key set --capture-key pool1key
Now unlock the pool using the keyring:
stratis pool unlock keyring
Access the pool:
# stratis pool list
Name Total Physical Properties UUID
pool1 29.95 GiB / 590.65 MiB / 29.38 GiB ~Ca, Cr be1d8a96-03f8-41a4-9d63-09baa1c697d8
This works, but it requires you to remember the passphrase and enter it after every reboot. You can make this simpler using NBDE as shown below.
Step 5 – Binding a Stratis pool to NBDE
NBDE is an abbreviation of Network Bound Disk Encryption. To bind the encrypted Stratis pool to NBDE, you need a Tang server. Once the pool is bound, the Tang server is used to unlock it, so you no longer have to re-enter the kernel keyring passphrase after each reboot.
First, install the Tang server:
yum install tang
Choose any unused port and allow the tangd service to use it under SELinux. For example, for port 7500:
semanage port -a -t tangd_port_t -p tcp 7500
Allow the set port through the firewall:
firewall-cmd --add-port=7500/tcp --permanent
firewall-cmd --reload
Enable the tangd service:
systemctl enable tangd.socket
Create an override (drop-in) file under /etc/systemd/system/tangd.socket.d/ using the command:
systemctl edit tangd.socket
Replace the default port 80 with the new port. The empty ListenStream= line clears the value inherited from the packaged unit before the new one is set:
[Socket]
ListenStream=
ListenStream=7500
Reload the daemon and restart the service:
systemctl daemon-reload
systemctl restart tangd.socket
Verify if the service is bound to the new port:
# systemctl show tangd.socket -p Listen
Listen=[::]:7500 (Stream)
Obtain the thumbprint of the Tang server's signing key:
# tang-show-keys 7500
Mbe0_qFvUj7GRHXUp6g6yEQhixU
Now bind the encrypted Stratis pool to NBDE using a command with the following syntax:
# stratis pool bind nbde <pool_name> <tang-server> --thumbprint <thumbprint>
Replace <pool_name> with the pool name and <tang-server> with the URL of the Tang server, including the port chosen above. The --thumbprint value is the thumbprint printed by tang-show-keys; the client uses it to verify that it is talking to the expected Tang server. In this guide the Tang server runs on the same host, so it is reached as http://localhost:7500; in a real deployment the Tang server runs on a separate host on the trusted network, which is what makes the encryption network bound.
For example:
stratis pool bind nbde pool1 http://localhost:7500 --thumbprint Mbe0_qFvUj7GRHXUp6g6yEQhixU
Step 6 – Unlocking the Stratis Pool with NBDE
To test whether the Stratis pool can be unlocked with NBDE, reboot your system:
reboot now
Once the system successfully reboots, switch to the root user.
sudo su -
Try accessing the pool:
# stratis pool list
Name Total Physical Properties UUID
Instead of unlocking the pool with the keyring, you can now unlock it using NBDE (clevis) as shown:
stratis pool unlock clevis
Notice that you no longer need to provide the passphrase to access the pool. Verify that the pool is accessible again with stratis pool list.
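Steps 4 and 6 give two ways to bring the pool back after a reboot, and the practical question is what to do when the Tang server is unreachable (the failure mode NBDE introduces). The script below is an added example, not part of the original guide, that tries the NBDE path first and falls back to the kernel keyring path. The stratis command is read from a STRATIS variable so the logic can be exercised against a stand-in; the pool name pool1 and key description pool1key are the ones used in this guide, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): after a reboot, bring an encrypted
# Stratis pool back by trying the NBDE (clevis) path first and falling back to the
# kernel keyring when the Tang server cannot be reached. The stratis binary is taken
# from $STRATIS so the logic can be exercised against a stand-in.

STRATIS=${STRATIS:-stratis}

# pool_listed <pool>: succeeds if `stratis pool list` currently shows the pool
# (the first column is the pool name; the first line is the header).
pool_listed() {
    "$STRATIS" pool list | awk -v p="$1" 'NR > 1 && $1 == p { found = 1 } END { exit(found ? 0 : 1) }'
}

# unlock_pool <pool> <key-description>: prints which method worked
# (already-unlocked, nbde, keyring or failed); non-zero exit if neither did.
unlock_pool() {
    pool=$1; keydesc=$2
    if pool_listed "$pool"; then
        echo "already-unlocked"; return 0
    fi
    # NBDE path (Step 6): needs the pool bound (Step 5) and the Tang server reachable.
    if "$STRATIS" pool unlock clevis >/dev/null 2>&1 && pool_listed "$pool"; then
        echo "nbde"; return 0
    fi
    # Fallback (Step 4): prompt for the passphrase, then unlock via the keyring.
    echo "NBDE unlock did not succeed (Tang unreachable or pool not bound); falling back to the keyring" >&2
    if "$STRATIS" key set --capture-key "$keydesc" && "$STRATIS" pool unlock keyring >/dev/null 2>&1 && pool_listed "$pool"; then
        echo "keyring"; return 0
    fi
    echo "failed"; return 1
}

# Run for real only where stratis is installed; otherwise the functions are just defined.
if command -v "$STRATIS" >/dev/null 2>&1; then
    unlock_pool pool1 pool1key
fi
```

Checking stratis pool list after each attempt, rather than trusting the unlock command's exit status alone, is what makes the fallback decision reliable: a clevis unlock that "succeeds" on an unbound pool still leaves the pool absent from the list.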
Step 7 – Unbinding a Stratis pool from supplementary encryption
Unbinding a Stratis pool from its supplementary encryption leaves only the primary kernel keyring encryption in place. The supplementary encryption can be NBDE or a TPM binding.
To remove this binding, use the command with the below syntax:
# stratis pool unbind clevis <pool_name>
For example:
stratis pool unbind clevis pool1
After this, the pool can only be unlocked with the primary kernel keyring, as in Step 4.
Step 8 – Mounting a Stratis Filesystem
To use the Stratis Filesystem, you need to mount it. First, create the mount point:
mkdir /mnt/pool_1
To mount the filesystem temporarily, run:
mount /dev/stratis/pool1/filesystem1 /mnt/pool_1
To mount the filesystem permanently, begin by identifying the UUID of the filesystem:
# lsblk --output=UUID /dev/stratis/pool1/filesystem1
UUID
65a09ba7-1053-424c-9e04-d21c5c090249
Now edit the /etc/fstab file and add the filesystem.
$ sudo vi /etc/fstab
UUID=65a09ba7-1053-424c-9e04-d21c5c090249 /mnt/pool_1 xfs defaults,x-systemd.requires=stratisd.service 0 0
Remember to replace the UUID and mount point with your own. Then reload systemd so it picks up the new fstab entry:
systemctl daemon-reload
After this, the filesystem is mounted automatically at boot, provided the pool has been unlocked.
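Editing /etc/fstab by hand is where duplicate or malformed entries slip in, and an entry whose device is absent at boot (a pool that is still locked, as in Steps 4 and 6) can stall the boot or drop the system into emergency mode. The script below is an added example, not part of the original guide, that appends the entry shown above idempotently: it validates the UUID format, refuses a duplicate UUID or mount point, and adds nofail to the guide's mount options (my addition) so a locked pool does not block booting. The fstab path is a parameter so the demo works on a temporary file; the UUID and mount point are the ones from this guide, the root entry in the demo is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): add the /etc/fstab entry for a
# Stratis filesystem safely. Checks the UUID format, refuses a duplicate UUID or
# mount point, and appends `nofail` (my addition) so a pool that is still locked at
# boot does not stall boot. Pass /etc/fstab on a real host, then run
# `systemctl daemon-reload` as the guide does.

# valid_uuid <string>: 0 if it has the 8-4-4-4-12 hex form that lsblk prints
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# fstab_line <uuid> <mountpoint>: the guide's entry plus nofail
fstab_line() {
    printf 'UUID=%s %s xfs defaults,x-systemd.requires=stratisd.service,nofail 0 0\n' "$1" "$2"
}

# add_fstab_entry <fstab-file> <uuid> <mountpoint>
#   0: entry added (or the same UUID is already present), 1: mount point clash, 2: bad input
add_fstab_entry() {
    fstab=$1; uuid=$2; mnt=$3
    if ! valid_uuid "$uuid"; then
        echo "invalid UUID: $uuid" >&2; return 2
    fi
    case $mnt in
        /*) ;;
        *) echo "mount point must be an absolute path: $mnt" >&2; return 2 ;;
    esac
    if grep -q "^UUID=$uuid[[:space:]]" "$fstab"; then
        echo "entry for UUID $uuid already present, nothing to do" >&2
        return 0
    fi
    if grep -Eq "^[^#[:space:]]+[[:space:]]+$mnt[[:space:]]" "$fstab"; then
        echo "mount point $mnt is already used by another entry" >&2
        return 1
    fi
    fstab_line "$uuid" "$mnt" >> "$fstab"
}

# Demo on a temporary file: seeded with a constructed root entry, then the guide's
# filesystem is added once; the second call is a no-op.
demo_fstab=$(mktemp)
echo 'UUID=11111111-2222-3333-4444-555555555555 / xfs defaults 0 0' > "$demo_fstab"
add_fstab_entry "$demo_fstab" 65a09ba7-1053-424c-9e04-d21c5c090249 /mnt/pool_1
add_fstab_entry "$demo_fstab" 65a09ba7-1053-424c-9e04-d21c5c090249 /mnt/pool_1
cat "$demo_fstab"
rm -f "$demo_fstab"
```

The x-systemd.requires=stratisd.service option from the guide orders the mount after the Stratis daemon; nofail additionally tells systemd that a missing device is not fatal, which matters when the pool is unlocked by hand after boot.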
The end!
This guide has provided the required knowledge on how to use an encrypted Stratis pool with Network Bound Disk Encryption (NBDE). I hope this was significant.