
Commit f442d05

committed
procedure
1 parent 7d8efa7 commit f442d05

File tree

1 file changed

+7
-20
lines changed


documentation/modules/proc_enabling-nbde-with-clevis.adoc

Lines changed: 7 additions & 20 deletions
Original file line number | Diff line number | Diff line change
@@ -8,25 +8,12 @@
88
= Enabling Network-Bound Disk Encryption with Clevis
99

1010
[role="_abstract"]
11-
You can migrate virtual machines (VMs) with Linux Unified Key Setup (LUKS)-encrypted disks from VMware vSphere to Red Hat OpenShift Virtualization by enabling Network-Bound Disk Encryption (NBDE) with Clevis. Alternatively, you can manually add passphrases for LUKS-encrypted devices in your migration plan.
11+
When you enable Network-Bound Disk Encryption (NBDE) with Clevis, the Tang servers automatically decrypt the Linux Unified Key Setup (LUKS)-encrypted disks during a migration. If you do not use NBDE with Clevis, you must manually add passphrases for LUKS-encrypted devices so that the Tang servers can decrypt the disks during a migration.
1212

13-
When you enable NBDE with Clevis, the Tang servers automatically decrypt the LUKS-encrypted disks during a migration. If you do not use NBDE with Clevis, you must manually add passphrases for LUKS-encrypted devices so that the Tang servers can decrypt the disks during a migration.
13+
You can enable NBDE with Clevis either in the MTV UI or in the YAML file for your migration plan:
1414

15-
In the MTV UI, you must select either NBDE with Clevis or LUKS passphrases. You can have only one encryption type, and you apply the setting to all VMs in your migration plan.
16-
17-
In the YAML file for your migration plan, you can combine encryption types and apply the setting to selected VMs in the YAML file.
18-
19-
Components::
20-
21-
* *Migration Toolkit for Virtualization (MTV):* Transfers the data of VMs with LUKS-encrypted disks from the source environment to the target OpenShift Virtualization cluster. The data transfer is based on MTV's raw copy mode, which copies the encrypted data bit-for-bit, without modifying the underlying encryption.
22-
* *LUKS:* The standard disk encryption specification used on the source VM. The encrypted partitions remain in their original state during the migration process, ensuring data security and integrity.
23-
* *Clevis:* Client-side framework that automates the decryption of LUKS volumes by binding a LUKS key slot to a policy. To migrate VMs with LUKS-encrypted disks, the Clevis configuration is transferred to or re-established in the destination environment. After migration, the Clevis configuration on the destination OpenShift Virtualization host automatically authenticates with the configured network service to retrieve the key to unlock the LUKS-encrypted disk. The automatic retrieval of the key allows the VM to boot without a manual passphrase entry from an administrator.
24-
25-
Benefits::
26-
27-
* *Automation:* Eliminates the need for manual steps to decrypt volumes post-migration, reducing the risk of human error and accelerating the overall process.
28-
* *Enhanced security:* Maintains the security of VMs throughout their migration lifecycle by preserving LUKS encryption from the source to the destination.
29-
* *Seamless operation:* Ensures that VMs with encrypted disks can be brought online in the new OpenShift Virtualization environment with minimal interruption.
15+
* In the MTV UI, you must select either NBDE with Clevis or LUKS passphrases. You can have only one encryption type, and you apply the setting to all VMs in your migration plan.
16+
* In the YAML file for your migration plan, you can combine encryption types and apply the setting to selected VMs in the YAML file.
3017

3118
.Prerequisites
3219
* You have raw copy mode enabled in MTV to ensure that the encrypted data is copied bit-for-bit without any modification.
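Review bot: the new abstract (the `11+` line) carries over a sentence that does not hold: when NBDE with Clevis is not used, Tang servers play no part in the migration, so passphrases are not added "so that the Tang servers can decrypt the disks". Suggest ending that sentence after "you must manually add passphrases for LUKS-encrypted devices to your migration plan." In the same line, "the Tang servers automatically decrypt the ... disks" misstates the split of work: a Tang server only serves key material, and the unlock happens on the client, which is exactly what the deleted *Clevis* bullet said ("Client-side framework that automates the decryption of LUKS volumes"). Suggest "Clevis automatically unlocks the LUKS-encrypted disks using keys served by the Tang servers". Finally, deleting the *Components* list removes the only explanation of raw copy mode (bit-for-bit copy that leaves the encryption untouched), while the unchanged Prerequisites bullet below still depends on the reader knowing what it is; keep one sentence on raw copy mode, either in the abstract or next to that prerequisite.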
@@ -36,7 +23,7 @@ Benefits::
3623
NOTE: For MTV to access the keys from the Tang server, the keys must be on a different subnet range than a user-defined network (UDN).
3724

3825
.Procedure
39-
* Enable Network-Bound Disk Encryption with Clevis in the MTV UI.
26+
. Enable NBDE with Clevis in the MTV UI.
4027
.. In the Create migration plan wizard, navigate to *Other settings* under *Additional setup* in the left navigation pane.
4128
.. Select *Use NBDE/Clevis*.
4229
+
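Review bot: changing the two procedure branches from `*` to `.` renders them as steps 1 and 2, but "Enable NBDE with Clevis in the MTV UI" and "Enable NBDE with Clevis in the YAML file" are alternatives, as the rewritten abstract itself says ("either in the MTV UI or in the YAML file"), so a numbered list now reads as if both must be performed in sequence. Suggest a lead-in before the first `.` item such as "Choose one of the following methods:", or split the two branches into separate sub-procedures with their own titles so each can keep its own numbered substeps.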
@@ -48,9 +35,9 @@ If you are not using NBDE with Clevis, you add passphrases for LUKS-encrypted de
4835
+
4936
If you are not using NBDE with Clevis, verify that the passphrases for LUKS-encrypted devices are added.
5037

51-
* Enable Network-Bound Disk Encryption with Clevis in the YAML file.
38+
. Enable NBDE with Clevis in the YAML file.
5239
.. Click *Migration plans* in the left navigation menu and open the *Plan Details* page for your migration plan.
53-
.. Click the *YAML* tab to open the `MigrationPlan` custom resource (CR) for your migration plan.
40+
.. Click the *YAML* tab to open the `Plan` custom resource (CR) for your migration plan.
5441
.. For each VM under `vms` in the YAML file, enter the encryption type. In this example, you set `nbdeClevis` as the encryption type for `vm-1`, LUKS passphrase as the encryption type for `vm-2`, and no encryption type for `vm-3`:
5542
+
5643
Example:
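Review bot: the rename from `MigrationPlan` to `Plan` matches the name of the CR that MTV creates for a migration plan, so that fix is right, but the step that follows still never names the YAML field the encryption type goes in: "For each VM under `vms` in the YAML file, enter the encryption type" gives the reader the value `nbdeClevis` and no key to put it under, and the example this view ends on ("Example:") is the only place that would show it. Suggest naming the field in the step text and making sure the example shows all three `vms` entries (`vm-1` with `nbdeClevis`, `vm-2` with the LUKS passphrase option, `vm-3` with none). The `vm-2` case should also state where the passphrase value itself is supplied, since "LUKS passphrase as the encryption type" on its own does not tell the reader whether the passphrase is inline or referenced from elsewhere.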
