linux-system-roles.nbde_client

nbde_client


Ansible role for setting up Network-Bound Disk Encryption (NBDE) clients (like clevis).

This role currently supports clevis for encrypting and decrypting data.

Supported Distributions

  • RHEL-7+, CentOS-7+
  • Fedora

Limitations

Currently, this role can only create tang bindings. TPM2 is not supported yet.

Role Variables

Here are the variables you can use with this role:

| Variable | Default/Choices | Description |
|---|---|---|
| nbde_client_provider | clevis | Specifies the provider for the nbde_client role; currently only clevis is supported. |
| nbde_client_bindings | | A list of binding configurations, each naming a device and a slot (see below). |
| nbde_client_early_boot | true | Allows nbde_client to configure the initrd so the volume can be unlocked during early boot. Disable it if the host uses static IPs or if a different method is needed to unlock the volume. |

nbde_client_bindings

nbde_client_bindings is a list of options that support the following keys:

| Name | Default/Choices | Description |
|---|---|---|
| device | | The path of the encrypted device on the managed host. Must already be set up as a LUKS device (REQUIRED). |
| encryption_password | | A valid password or passphrase for unlocking the specified device. Encrypting it with Ansible Vault is recommended; see https://docs.ansible.com/ansible/latest/user_guide/vault.html |
| encryption_key_src | | Path to a file containing a key for unlocking the device. This file will be copied to the managed node(s). |
| state | present / absent | Specifies whether the binding should be added (present, the default) or removed (absent). |
| slot | 1 | The LUKS key slot to use for the binding. |
| servers | | List of tang servers to bind to. For high availability, list multiple servers. |
| threshold | 1 | When multiple servers are listed, how many of them must respond successfully for decryption to proceed. |
| password_temporary | false | If true, the provided password is used to unlock the device and is removed after the binding is created. Useful for replacing an old password with a stronger one. |

Example:

nbde_client_bindings:
  - device: /dev/sda1
    encryption_key_src: /vault/keyfile
    state: present
    slot: 2
    threshold: 1
    password_temporary: false
    servers:
      - http://server1.example.com
      - http://server2.example.com
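The option table above is easy to get subtly wrong (a threshold higher than the number of servers, a misspelled key that Ansible silently ignores, a binding with no way to unlock the device). The following validator is an added example, not part of the role; it checks a nbde_client_bindings list against the documented keys and defaults before a playbook runs. It assumes, as both example playbooks on this page do, that every binding supplies either encryption_password or encryption_key_src, and that servers are http(s) URLs.

```python
from urllib.parse import urlparse

KNOWN_KEYS = {"device", "encryption_password", "encryption_key_src", "state",
              "slot", "servers", "threshold", "password_temporary"}
# Defaults as documented in the nbde_client_bindings table above.
DEFAULTS = {"state": "present", "slot": 1, "threshold": 1, "password_temporary": False}

def _positive_int(v):
    return isinstance(v, int) and not isinstance(v, bool) and v >= 1

def validate_binding(binding):
    """Return the problems found in one binding entry (empty list if it is OK)."""
    problems = []
    unknown = set(binding) - KNOWN_KEYS  # catches typos such as 'treshold'
    if unknown:
        problems.append(f"unknown keys: {sorted(unknown)}")
    b = {**DEFAULTS, **binding}
    if not str(b.get("device", "")).startswith("/dev/"):
        problems.append("device must be the /dev path of an existing LUKS device")
    if b["state"] not in ("present", "absent"):
        problems.append(f"state must be present or absent, got {b['state']!r}")
    if not _positive_int(b["slot"]):
        problems.append("slot must be a positive integer")
    # Assumption: both README playbooks supply a secret, so one is required.
    if "encryption_password" not in b and "encryption_key_src" not in b:
        problems.append("need encryption_password or encryption_key_src")
    if b["state"] == "present":  # removing a binding needs no servers
        servers = b.get("servers") or []
        bad = [s for s in servers if urlparse(str(s)).scheme not in ("http", "https")]
        if bad:
            problems.append(f"servers must be http(s) URLs: {bad}")
        if not servers:
            problems.append("servers is required when state is present")
        elif not _positive_int(b["threshold"]) or b["threshold"] > len(servers):
            problems.append(f"threshold {b['threshold']!r} must be between 1 and "
                            f"the number of servers ({len(servers)})")
    return problems

def validate_bindings(bindings):
    """Map each offending binding's device to its problems; {} means all OK."""
    return {str(b.get("device", f"binding[{i}]")): p
            for i, b in enumerate(bindings) if (p := validate_binding(b))}

# Constructed sample: the README's key-file binding plus a broken HA entry.
SAMPLE_BINDINGS = [
    {"device": "/dev/sda1", "encryption_key_src": "/vault/keyfile", "slot": 2,
     "servers": ["http://server1.example.com", "http://server2.example.com"]},
    {"device": "/dev/sdb1", "encryption_password": "password", "threshold": 3,
     "servers": ["http://server1.example.com"]},
]
```

Running `validate_bindings(SAMPLE_BINDINGS)` reports only /dev/sdb1, whose threshold of 3 can never be met by a single server.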

Example Playbooks

Example 1: High Availability

---
- hosts: all
  vars:
    nbde_client_bindings:
      - device: /dev/sda1
        encryption_password: password  # Recommend vault encrypting the password
        servers:
          - http://server1.example.com
          - http://server2.example.com
  roles:
    - linux-system-roles.nbde_client

Example 2: Remove Binding from Slot 2 in /dev/sda1

---
- hosts: all
  vars:
    nbde_client_bindings:
      - device: /dev/sda1
        encryption_password: password  # Recommend vault encrypting the password
        slot: 2
        state: absent
  roles:
    - linux-system-roles.nbde_client

License

MIT

Install
ansible-galaxy install linux-system-roles.nbde_client