openshift-docs/modules/installing-ocp-agent-encrypt.adoc

// Module included in the following assemblies:
//
// * installing/installing-with-agent-based-installer/installing-with-agent-based-installer.adoc

:_mod-docs-content-type: PROCEDURE
[id="installing-ocp-agent-encrypt_{context}"]
= Encrypting the disk

As an optional task, you can use this procedure to encrypt your disk or partition while installing {product-title} with the Agent-based Installer.

.Prerequisites

* You have created and configured the `install-config.yaml` and `agent-config.yaml` files, unless you are using ZTP manifests.

* You have placed the `openshift-install` binary in a directory that is on your `PATH`.

.Procedure

. Generate ZTP cluster manifests by running the following command:
+
[source,terminal]
----
$ openshift-install agent create cluster-manifests --dir <installation_directory>
----
+
[IMPORTANT]
====
If you have created the `install-config.yaml` and `agent-config.yaml` files, those files are deleted and replaced by the cluster manifests generated through this command.

Any configurations made to the `install-config.yaml` and `agent-config.yaml` files are imported to the ZTP cluster manifests when you run the `openshift-install agent create cluster-manifests` command.
====
+
[NOTE]
====
If you have already generated ZTP manifests, skip this step.
====

. Navigate to the `cluster-manifests` directory by running the following command:
+
[source,terminal]
----
$ cd <installation_directory>/cluster-manifests
----

. Add the following section to the `agent-cluster-install.yaml` file:
+
[source,yaml]
----
diskEncryption:
    enableOn: all <1>
    mode: tang <2>
    tangServers: "server1": "http://tang-server-1.example.com:7500" <3>
----
<1> Specify which nodes to enable disk encryption on. Valid values are `none`, `all`, `master`, and `worker`.
<2> Specify which disk encryption mode to use. Valid values are `tpmv2` and `tang`.
<3> Optional: If you are using Tang, specify the Tang servers.