During {product-title} installation, you can enable disk encryption on all master and worker nodes. This feature:
-
Is available for installer provisioned infrastructure and user provisioned infrastructure deployments
-
Is supported on Red Hat Enterprise Linux CoreOS (RHCOS) systems only
-
Sets up disk encryption during the manifest installation phase so all data written to disk, from first boot forward, is encrypted
-
Encrypts data on the root filesystem only (
/dev/mapper/coreos-luks-rooton/) -
Requires no user intervention for providing passphrases
-
Uses AES-256-CBC encryption
-
Should be enabled for your cluster to support FIPS.
There are two different supported encryption modes:
-
TPM v2: This is the preferred mode. TPM v2 stores passphrases in a secure cryptoprocessor. To implement TPM v2 disk encryption, create an Ignition config file as described below.
-
Tang: To use Tang to encrypt your cluster, you need to use a Tang server. Clevis implements decryption on the client side. Tang encryption mode is only supported for bare metal installs.
Follow one of the two procedures to enable disk encryption for the nodes in your cluster.