[CentOS] remote disk decryption on centos?

Mon Mar 15 05:27:55 UTC 2021
Gordon Messmer <gordon.messmer at gmail.com>

On 3/12/21 1:51 PM, ept8ept8 at secmail.pro wrote:
> Hi, I was reading about how to unlock an encrypted root partition remotely
> (unattended). I'd like to ask what the compatible way to do this is in CentOS,
> and what is commonly used by administrators?


What's your threat model?  Are you trying to protect the system from 
physical theft, or are you trying to make sure the disks aren't readable 
when they're retired or fail?

For most purposes, I recommend enrolling the disk with the TPM2 chip, so 
that disks can be unlocked at boot without human intervention.  If theft 
is a concern, you'd need to ensure that the bootloader requires a 
password, and that the firmware boots only from the internal disk 
without a password:

     clevis luks bind -d /dev/VOLUME tpm2 '{"pcr_ids":"7"}'
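The enrolment step in the reply above, wrapped in a small POSIX shell script, as an added example that is not part of the original thread. It validates the PCR list, builds the tpm2 pin configuration, checks the host prerequisites (clevis present, a TPM device, a LUKS volume) and, after binding, verifies that `clevis luks list` reports a tpm2 pin. The function names, the DRY_RUN variable (on by default so the script can be exercised without a TPM) and the sample device path are assumptions made for this script; the `pcr_ids` and `pcr_bank` keys are the clevis tpm2 pin's own options.

```shell
#!/bin/sh
# Added example (not from the thread): enrol a LUKS volume with the TPM2 via
# clevis, with prerequisite checks and a verification step.
# Assumptions: function names, DRY_RUN, and the default PCR set are choices
# made here, not part of the original reply.

# Validate a comma-separated PCR list: each entry must be an integer 0..23
# (a TPM 2.0 bank has 24 PCRs). Returns 0 if valid, 1 otherwise.
validate_pcr_ids() {
    ids="$1"
    [ -n "$ids" ] || return 1
    old_ifs="$IFS"; IFS=','
    for id in $ids; do
        case "$id" in
            ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;;
        esac
        [ "$id" -le 23 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    return 0
}

# Build the clevis tpm2 pin configuration. PCR 7 (Secure Boot policy) is the
# default, matching the command in the reply; the hash bank is optional.
build_tpm2_config() {
    pcr_ids="${1:-7}"
    bank="${2:-}"
    validate_pcr_ids "$pcr_ids" || return 1
    if [ -n "$bank" ]; then
        printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$bank" "$pcr_ids"
    else
        printf '{"pcr_ids":"%s"}' "$pcr_ids"
    fi
}

# Check that the host can actually perform the enrolment: clevis installed,
# a TPM device present, and the target really is a LUKS volume.
check_prereqs() {
    dev="$1"
    command -v clevis >/dev/null 2>&1 || { echo "clevis not installed" >&2; return 1; }
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ] || { echo "no TPM device" >&2; return 1; }
    cryptsetup isLuks "$dev" 2>/dev/null || { echo "$dev is not a LUKS volume" >&2; return 1; }
}

# Bind the volume to the TPM2 and then verify that the binding is listed.
# With DRY_RUN=1 (the default here) the bind command is printed, not run.
# clevis luks bind asks for an existing LUKS passphrase to authorise the
# new key slot; pass it with -k if this runs unattended.
enroll_tpm2() {
    dev="$1"
    cfg="$(build_tpm2_config "${2:-7}" "${3:-}")" \
        || { echo "invalid PCR list: ${2:-}" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'clevis luks bind -d %s tpm2 %s\n' "$dev" "'$cfg'"
        return 0
    fi
    check_prereqs "$dev" || return 1
    clevis luks bind -d "$dev" tpm2 "$cfg" || return 1
    # Verify: the slot list should now show a tpm2 pin for this device.
    clevis luks list -d "$dev" | grep -q 'tpm2' \
        || { echo "binding not found on $dev" >&2; return 1; }
}

# Usage: DRY_RUN=0 sh enroll-tpm2.sh --enroll /dev/VOLUME [PCR_IDS] [PCR_BANK]
if [ "${1:-}" = "--enroll" ]; then
    enroll_tpm2 "$2" "${3:-7}" "${4:-}"
fi
```

For the unattended unlock to happen at boot the initramfs also has to carry the clevis hooks (the clevis-dracut package, followed by regenerating the initramfs with `dracut -f`); the bind alone only adds the TPM-sealed key slot. Binding to PCR 7 ties the key to the Secure Boot policy state, which is why the reply pairs it with a bootloader password and a firmware boot order that cannot be changed without one.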