installation-special-config-encrypt-disk-tpm2.adoc

Enabling TPM v2 disk encryption

Procedure

1. Check to see if TPM v2 encryption needs to be enabled in the BIOS on each node. This is required on most Dell systems. Check the manual for your computer.

2. Generate the Kubernetes manifests for the cluster:

   $ ./openshift-install create manifests --dir=<installation_directory>

3. In the openshift directory, create a master and/or worker file to encrypt disks for those nodes. Here are examples of those two files:

   $ cat << EOF > ./99_openshift-worker-tpmv2-encryption.yaml
   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     name: worker-tpm
     labels:
       machineconfiguration.openshift.io/role: worker
   spec:
     config:
       ignition:
         version: 2.2.0
       storage:
         files:
         - contents:
             source: data:text/plain;base64,e30K
           filesystem: root
           mode: 420
           path: /etc/clevis.json
   EOF

   $ cat << EOF > ./99_openshift-master-tpmv2-encryption.yaml
   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     name: master-tpm
     labels:
       machineconfiguration.openshift.io/role: master
   spec:
     config:
       ignition:
         version: 2.2.0
       storage:
         files:
         - contents:
             source: data:text/plain;base64,e30K
           filesystem: root
           mode: 420
           path: /etc/clevis.json
   EOF

4. Make a backup copy of the YAML file. You should do this because the file will be deleted when you create the cluster.

5. Continue with the remainder of the {product-title} deployment.