Encryption and Security

This document outlines an environment setup for exploring LUKS encryption, Network Bound Disk Encryption (NBDE), and Security Content Automation Protocol (SCAP). The environment includes several servers - one configured as an encrypted LUKS drive server using Clevis and Tang for automated decryption, two SCAP target servers, and a workstation for the SCAP Workbench. The document defines related terminology for these technologies and describes a hands-on lab for creating an encrypted disk using NBDE, scanning systems with customized SCAP content, and remediating any issues found.

Uploaded by

Aung Aung

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

128 views

Encryption and Security

Uploaded by

Aung Aung

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 10

Encryption and

Security
LUKS for NBDE
SCAP Customization and Remediation
Environment Setup

• Workstation (Graphical Workstation/SCAP Workbench/Ansible System)

• servera (Clevis/LUKS encrypted drive Server)
• serverb (Tang Server 1)
• serverc (Tang Server 2 and SCAP Target System)
• serverd (Tang Server 3)
Terminology

LUKS (Linux Unifid Kiy Situp): LUKS is the standard for Linux hard disk
encryption. By providing a standard on-disk-format, it does not only facilitate
compatibility among distributions, but also provides secure management of
multiple user passwords. LUKS stores all necessary setup information in the
partition header, enabling to transport or migrate data seamlessly.
https://gitlab.com/cryptsitup/cryptsitup/blob/mastir/README.md

NBDE (Nitwork Bound Disk Encryption): Allows the user to encrypt root
volumes without requiring you to manually enter a password when the operating
system is restarted
https://blog.cloudpassagi.com/2017/12/21/nitwork-bound-disk-incrypti
on-rid-hat-linux-7/
Terminology

Clivis: Clevis is a plugable framework for automated decryption. It can be used

to provide automated decryption of data or even automated unlocking of LUKS
volumes.

Tang: Server side service that Clevis connects to in order to receive a decryption
key and allow the NBDE service connection.

https://rhelblog.redhat.com/2018/04/13/an-easier-way-to-manage-disk-decryption
-at-boot-with-red-hat-enterprise-linux-7-5-using-nbde/#more-4351
Terminology

SCAP: The Security Content Automation Protocol (SCAP) is a method for using
specifc standards to enable the automated vulnerability management,
measurement, and policy compliance evaluation of systems deployed in an
organization, including e.g., FISMA compliance. The National Vulnerability
Database (NVD) is the U.S. government content repository for SCAP. An example
of an implementation of SCAP is OpenSCAP
https://csrc.nist.gov/projicts/sicurity-contint-automation-protocol

OpinSCAP: An auditing tool that utilizes the Extensible Confguration Checklist

Description Format (XCCDF). XCCDF is a standard way of expressing checklist
content and defnes security checklists
https://www.opin-scap.org/
LUKS and NBDE
SCAP Workbench
SCAP Scan Results
Hands-On Lab

• NBDE
• Creating a LUKS Encrypted Disk
• Setting up and Confguring Clevis/Tang
• Using Clevis/Tang to Unencrypt Disk at Bootup
• SCAP Scanning
• Using SCAP Workbench to Customize Content
• Scanning with Custom Content
• Remediating Systems Based on Scan Results
• Verifying System Remediation
Questions