openshift-docs/modules/installing-ocp-agent-encrypt.adoc

// Module included in the following assemblies:
//
// * installing/installing-with-agent-based-installer/installing-with-agent-based-installer.adoc

:_mod-docs-content-type: PROCEDURE
[id="installing-ocp-agent-encrypt_{context}"]
= Optional: Encrypting the disk

Use this procedure to encrypt your disk or partition while installing {product-title} with the Agent-based Installer.

.Prerequisites

* You have created and configured the `install-config.yaml` and `agent-config.yaml` files, unless you are using ZTP manifests.

* You have placed the `openshift-install` binary in a directory that is on your `PATH`.

.Procedure

. Use the following command to generate ZTP cluster manifests:
+
[source,terminal]
----
$ openshift-install agent create cluster-manifests --dir <installation_directory>
----
+
[IMPORTANT]
====
If you have created the `install-config.yaml` and `agent-config.yaml` files, those files are deleted and replaced by the cluster manifests generated through this command.

Any configurations made to the `install-config.yaml` and `agent-config.yaml` files are imported to the ZTP cluster manifests when you run the `openshift-install agent create cluster-manifests` command.
====
+
[NOTE]
====
If you have already generated ZTP manifests, skip this step.
====

. Navigate to the `cluster-manifests` directory:
+
[source,terminal]
----
$ cd <installation_directory>/cluster-manifests
----

. Add the following section to the `agent-cluster-install.yaml` file:
+
[source,yaml]
----
diskEncryption:
    enableOn: all <1>
    mode: tang <2>
    tangServers: "server1": "http://tang-server-1.example.com:7500" <3>
----
<1> Specify which nodes to enable disk encryption on. Valid values are 'none', 'all', 'master', and 'worker'.
<2> Specify which disk encryption mode to use. Valid values are 'tpmv2' and 'tang'.
<3> Optional: If you are using Tang, specify the Tang servers.