oblanco
Mission Specialist
  • 2,031 Views

Resolving Storage Device Encryption Issues


On this lab  

~~~

https://role.rhu.redhat.com/rol-rhu/app/courses/rh342-8.4/pages/ch11s03

~~~

If they are going to reboot the virtual machine before they run the script to grade the exam, the changes will not be persistent. How are they going to unencrypt the hard drive automatically after reboot?

 

You have to create a key file for example:

 

Step 1) Create a file

~~~

   dd if=/dev/random of=/root/lukskey bs=32 count=1

~~~

Step 2) Copy the existing key

~~~

 cryptsetup luksAddKey /dev/vdb1 /root/lukskey

~~~

Step 3) Create the crypttab file under /etc

~~~

 vi /etc/crypttab

# Line to add to /etc/crypttab (mapping name, device, key file):
finance /dev/vdb1 /root/lukskey

~~~

 

The 3 steps above will unencrypt the hard drive automatically during the reboot to grade the exam.

 

1 Solution

Accepted Solutions
Travis
Moderator
  • 1,079 Views

@oblanco -

You won't be able to follow up this post with what is "on" the exam like rebooting and the drive remaining persistent or things like that. Unfortunately, that is specifying TOO MUCH information about the exams and the objectives and contents of the questions and would violate the NDA and could result in revoking any of the Red Hat certifications you might have earned.

In general, things on the exams need to survive a reboot. Each exam is different and they all have their own instructions on what is expected to be passing criteria. The grading of the exams is more exact and the questions as well as the documentation provided with the exam tell you exactly what is expected.

So if it says you should create an encrypted drive that can be mounted on boot-up (automatically), then yes, you would then need to modify /etc/fstab, /etc/crypttab and other things, including providing a Keytab file or something to unlock the service. You could also create your own service that will unlock and mount the drive with a script ... the end state being you have an encrypted LUKS drive mounted to a specific location. However, it could ask to create a drive that can be mounted on demand or something, so you then wouldn't place it in /etc/fstab and it wouldn't matter about reboots and possible failures there. Just be careful on reading questions and what exactly they are asking for before anything gets implemented.

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training


13 Replies
Wasim_Raja
Moderator
  • 1,172 Views

@oblanco I am not sure how exactly the grading happens but believe me it is very well tried and tested and all the needed measures are taken while grading any exam.

0 Kudos
oblanco
Mission Specialist
  • 1,171 Views

I believe you, but the reason I am taking the time to write about this type of situation is to help people who are studying the material and encounter this type of issue. At the end of the day, I am contributing to make this course with a better user experience.

Chetan_Tiwary_
Community Manager
  • 1,149 Views

@oblanco I agree ! Thank you for the post !

0 Kudos
Wasim_Raja
Moderator
  • 1,108 Views

+1 @oblanco 

0 Kudos
Fran_Garcia
Starfighter
  • 1,163 Views

I have not taken this exam myself, but in general the recommendation is to always look at the exam objectives, not only the training course. For this one: https://www.redhat.com/en/services/training/ex342-red-hat-certified-specialist-linux-diagnostics-and... :

"Recover data from encrypted file systems"  <-- this seems to be the only objective related to encryption. Pay attention to the wording of the objective

 

Cheers

Fran

 

Chetan_Tiwary_
Community Manager
  • 1,149 Views

Hey @Fran_Garcia I agree that the exam objective talks only about recovering data from an encrypted device, but this is a genuine question and a workaround for issues like this when we mention a lot about making things persist across reboots. Also, I believe we should base our learning on all the course contents irrespective of what will come in the exam or not (we can obviously focus on objectives when we are revising / reviewing / preparing for only the exam perspective).

What do you think ?

Fran_Garcia
Starfighter
  • 1,137 Views

Indeed. I just wanted to avoid spending too much time thinking about potential exam environment scenarios that are just not there.

In any case, for any real-world deployment that needs automatic booting of encrypted systems, we have the NBDE solution based on clevis+tang, documented here:

https://access.redhat.com/articles/6987053

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_harden...

 

Cheers

Fran

Chetan_Tiwary_
Community Manager
  • 1,133 Views

Thanks much @Fran_Garcia ! 

0 Kudos
oblanco
Mission Specialist
  • 1,125 Views

The reason I opened this thread is to raise some awareness that if the virtual machine gets rebooted, the hard drive is not going to be decrypted automatically, and a quick way to do it is by following the steps I shared. If you are running the lab and this question pops into your mind: how am I going to get graded if the hard drives are not getting decrypted automatically? Am I going to fail the entire exam? @Wasim_Raja explained that there are separate teams, the ones who create the trainings and the ones who create the certification exams, so for the exams, they are already taking care of these situations, I guess. But for those who are studying the labs, it is not specified that you need to reboot the VM, and I guess you should expect the same thing in the exam, but based on my experience with other certification exams, everything needs to survive a reboot, so I guess I will confirm it in this thread once I do the exam next week, and I hope we can have a note at the bottom of the lab clarifying this.

NOTE: In the exam you don't need to worry about your hard drives getting decrypted and mounted or something like that. If someone adds the encrypted hard drive into /etc/fstab and the hard drive fails to mount, the entire VM is going to fail to boot; this is why it is important to clarify it.
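
An added example, not part of any post in this thread: a shell check for the key-file unlock setup from the first post and the `/etc/fstab` boot failure mentioned in the last one. It reads a crypttab and an fstab, flags key files that are missing or readable by group or others, and flags `/dev/mapper/<name>` mounts without `nofail`. The function name, the finding labels and the choice of `nofail` as the expected mount option are assumptions.

~~~shell
#!/bin/sh
# Added example (not from the thread): audit unattended LUKS unlock at boot.
# Paths are arguments, so it can be run on copies as well as on /etc files.

# audit_luks_boot CRYPTTAB FSTAB
# Prints one finding per line and nothing when no issue is found.
audit_luks_boot() {
    crypttab=$1
    fstab=$2
    # crypttab fields: mapping name, device, key file, options
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        # "none" or "-" means a passphrase prompt, so no unattended unlock
        case $key in
            ''|none|-) echo "PROMPT $name"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "KEY_MISSING $name $key"
        else
            # Characters 5-10 of the ls mode string are the group/other bits
            go=$(ls -ld "$key" | cut -c5-10)
            [ "$go" = "------" ] || echo "KEY_PERMS $name $key"
        fi
        # fstab fields: spec, mount point, type, options, dump, pass
        while read -r spec mnt fstype fopts rest; do
            [ "$spec" = "/dev/mapper/$name" ] || continue
            # Without nofail, a mapping that fails to unlock stops the boot
            case ",$fopts," in
                *,nofail,*) ;;
                *) echo "NO_NOFAIL $name $mnt" ;;
            esac
        done < "$fstab"
    done < "$crypttab"
    return 0
}

# Stand-alone use: sh audit.sh /etc/crypttab /etc/fstab
if [ "$#" -eq 2 ]; then
    audit_luks_boot "$1" "$2"
fi
~~~

A `KEY_PERMS` finding is cleared with `chmod 600` on the key file; `NO_NOFAIL` is cleared by adding `nofail` to the options field of the fstab entry.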
