Clevis and Tang can be used to make the management of LUKS-encrypted disks easier. Clevis running on a client can decrypt and mount disk(s) when network connectivity exists with Tang server(s).


Fedora 36 Tang server

dnf install -y tang;
systemctl enable tangd.socket --now;
firewall-cmd --add-service=http --permanent;
firewall-cmd --reload;

Tang keys exist in /var/db/tang/.


Fedora 36 Clevis install (Tang client)

dnf install -y clevis clevis-dracut clevis-udisks2

Ubuntu 22.04 Clevis install

apt install -y clevis clevis-initramfs clevis-luks clevis-udisks2

Find single luks device

cryptsetup status \
  $(fdisk -l | grep luks | awk '{print $2}' | sed 's/://') \
  | grep device | awk '{print $2}'

Find multiple luks devices

fdisk -l | grep luks

For each device found

cryptsetup status /dev/DEVICE

Bind encrypted disk(s) to tang server

clevis luks bind -d /dev/DEVICE tang '{"url": "http://tang.server"}'

Fedora add dracut configuration

echo 'kernel_cmdline="rd.neednet=1"' | tee /etc/dracut.conf.d/clevis-nbde.conf;
dracut -fv --regenerate-all;

Ubuntu update initramfs

update-initramfs -c -k all
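The whole procedure above as one script, added here as an example and not part of the original note. It parses the fdisk -l and cryptsetup status output that the commands above grep through (the sample output is constructed), checks that each Tang server answers at its /adv advertisement URL before any LUKS header is touched, binds every opened LUKS volume either with the single-server tang pin from the note or, when several servers are given, with an sss pin of threshold 1, and then regenerates the initramfs with whichever of dracut or update-initramfs is installed. The server URLs, the luks-... UUID and the device names are placeholders; bind_all_luks and rebuild_initramfs run the real tools and are defined but not called by the demonstration at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original note: parse the "fdisk -l" and
# "cryptsetup status" output that the commands above grep through, then bind
# every LUKS volume to one or more Tang servers. Sample outputs are constructed.
set -eu

# Constructed "fdisk -l" output: one plain disk plus one opened LUKS mapping.
SAMPLE_FDISK='Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Device       Start       End   Sectors  Size Type
/dev/sda1     2048   1230847   1228800  600M EFI System
/dev/sda2  1230848   3327999   2097152    1G Linux filesystem
/dev/sda3  3328000 104855551 101527552 48.4G Linux filesystem

Disk /dev/mapper/luks-1c2d3e4f-0000-4000-8000-0123456789ab: 48.4 GiB, 51966197760 bytes, 101496480 sectors'

# Constructed "cryptsetup status /dev/mapper/luks-..." output.
SAMPLE_STATUS='/dev/mapper/luks-1c2d3e4f-0000-4000-8000-0123456789ab is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sda3
  sector size:  512
  offset:  32768 sectors
  size:    101496480 sectors
  mode:    read/write'

# Mapped LUKS volumes from "fdisk -l" text on stdin: the second field of each
# "Disk /dev/mapper/luks-...:" line, with the trailing colon stripped.
luks_mapper_devices() {
  awk '/^Disk \/dev\/mapper\/luks-/ { sub(/:$/, "", $2); print $2 }'
}

# Backing block device from "cryptsetup status" text on stdin; this is the
# device that "clevis luks bind -d" must be given, not the mapper path.
backing_device() {
  awk '$1 == "device:" { print $2 }'
}

# Pin name for "clevis luks bind": "tang" for one server, "sss" for several.
pin_name() {
  if [ "$#" -eq 1 ]; then echo tang; else echo sss; fi
}

# Pin configuration: the single-server form from the note, or an sss pin with
# threshold 1 so the volume unlocks when any one of the listed servers answers.
pin_config() {
  if [ "$#" -eq 1 ]; then
    printf '{"url":"%s"}' "$1"
    return 0
  fi
  urls=""
  for u in "$@"; do
    urls="${urls:+$urls,}{\"url\":\"$u\"}"
  done
  printf '{"t":1,"pins":{"tang":[%s]}}' "$urls"
}

# Check that every Tang server serves its advertisement (GET /adv) before any
# LUKS header is modified; an unreachable server would otherwise only show up
# as a hang at the next boot.
tang_servers_reachable() {
  for u in "$@"; do
    curl -sf "$u/adv" >/dev/null || { echo "Tang server $u not reachable" >&2; return 1; }
  done
}

# Bind every opened LUKS volume to the given Tang URL(s) and list the result.
# Runs the real tools (needs root and prompts for the existing LUKS passphrase).
bind_all_luks() {
  tang_servers_reachable "$@"
  pin=$(pin_name "$@")
  cfg=$(pin_config "$@")
  fdisk -l | luks_mapper_devices | while read -r mapper; do
    dev=$(cryptsetup status "$mapper" | backing_device)
    echo "binding $dev ($mapper) using the $pin pin"
    clevis luks bind -d "$dev" "$pin" "$cfg"
    clevis luks list -d "$dev"
  done
}

# Rebuild the initramfs so the early-boot Clevis hook can reach the network:
# dracut (Fedora) needs rd.neednet=1, update-initramfs (Ubuntu) does not.
rebuild_initramfs() {
  if command -v dracut >/dev/null 2>&1; then
    echo 'kernel_cmdline="rd.neednet=1"' > /etc/dracut.conf.d/clevis-nbde.conf
    dracut -fv --regenerate-all
  else
    update-initramfs -c -k all
  fi
}

# Demonstration on the constructed samples (no root, no real devices touched).
printf '%s\n' "$SAMPLE_FDISK" | luks_mapper_devices
printf '%s\n' "$SAMPLE_STATUS" | backing_device
pin_config http://tang1.example http://tang2.example; echo
```

To run it for real, call bind_all_luks http://tang.server (or with two or more URLs for the sss form) followed by rebuild_initramfs, as root, after the package installation steps above.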