[Solved] Help with Luks and Clevis/Tang

Linux Kernel, Network, and Services configuration.
escape214
Posts: 9
Joined: 2021-02-19 04:17
Has thanked: 1 time

[Solved] Help with Luks and Clevis/Tang

#1 Post by escape214 »

I set up a new non-root partition with LUKS and Clevis, with unlocking configured against a Tang server. I can successfully decrypt the volume from the Tang server via clevis luks unlock -d /dev/sdX, so the encryption and the Tang server are working fine. I have installed clevis-systemd and also enabled clevis-luks-askpass.path. But the system never asks for a password at boot and hence does not trigger clevis-luks. I verified that /etc/crypttab is correct, as below:

bdrive UUID="d0adb4eb-8179-419d-825a-8e1260ba3917" none _netdev

For some reason systemd does not seem to fall into the ask-password prompt. I had faced this issue some time ago and I think I had to enable / install an additional systemd service (which I accidentally stumbled upon during a Google search). But now I am unable to figure this out.

Can someone help with this, please?
Last edited by escape214 on 2024-03-09 21:31, edited 1 time in total.

fabien
Forum Helper
Posts: 688
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: Help with Luks and Clevis/Tang

#2 Post by fabien »

Maybe this one:


Package: clevis-initramfs
Source: clevis
Version: 19-2
Installed-Size: 33 kB
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Architecture: amd64
Depends: clevis-luks (=19-2), initramfs-tools
Description-en: Clevis initramfs integration
 Clevis is a plugable framework for automated decryption. This package
 provides integration for initramfs-tools to automatically unlock LUKS
 encrypted block devices in early boot.
Homepage: https://github.com/latchset/clevis
Section: net
Priority: optional
Filename: pool/main/c/clevis/clevis-initramfs_19-2_amd64.deb
Size: 7.3 kB
?

escape214
Posts: 9
Joined: 2021-02-19 04:17
Has thanked: 1 time

Re: Help with Luks and Clevis/Tang

#3 Post by escape214 »

That package is installed. But it does not solve the issue.

fabien
Forum Helper
Posts: 688
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: Help with Luks and Clevis/Tang

#4 Post by fabien »

There is a note in /usr/share/doc/clevis-initramfs/README.Debian:
Unlocking multiple disks
========================

In some circumstances, clevis(-initramfs) will not unlock all devices
needed for boot. In that case, consider adding the "initramfs" option
to /etc/crypttab for any device that is not handled automatically. (And
don't forget to run update-initramfs afterwards.)

See crypttab(5) for details, and #1000648 for a situation where this
was needed.

Maybe check this out?

escape214
Posts: 9
Joined: 2021-02-19 04:17
Has thanked: 1 time

Re: Help with Luks and Clevis/Tang

#5 Post by escape214 »

Unfortunately that did not work. It looks like /etc/crypttab itself is not being read at startup. Since this is a non-root drive, I don't think initramfs would be in play here.

escape214
Posts: 9
Joined: 2021-02-19 04:17
Has thanked: 1 time

Re: [Solved] Help with Luks and Clevis/Tang

#6 Post by escape214 »

Looks like there is some behavior change. Adding the LUKS mapped drive to /etc/fstab prompts for the password, and the volume is successfully decrypted and mounted. So the option of the LUKS volume being open and ready to mount does not seem to be an option anymore.
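Given the finding in the post above (the mapping is only unlocked at boot once an fstab entry consumes it), here is an added sanity check that is not part of the thread: a POSIX shell script that cross-checks crypttab against fstab. The crypttab and fstab contents and the placeholder UUIDs are constructed samples, not the poster's real configuration.

```shell
#!/bin/sh
# Added example: cross-check /etc/crypttab against /etc/fstab. For each
# crypttab <target> it verifies that
#   1. some fstab entry mounts /dev/mapper/<target> (otherwise nothing at
#      boot pulls the unlock in, as seen in the thread), and
#   2. a crypttab entry carrying _netdev (Tang/network unlock) is mounted
#      with _netdev too, so the mount is ordered after the network.
# Inputs are passed as strings so it can run on constructed samples.

has_opt() {                      # has_opt "<comma-separated list>" "<opt>"
    case ",$1," in *,"$2",*) return 0 ;; esac
    return 1
}

check_crypttab_fstab() {         # $1 = crypttab text, $2 = fstab text
    crypttab_text=$1
    fstab_text=$2
    problems=0
    while read -r target source keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac   # blank line or comment
        mapped="/dev/mapper/$target"
        # options column (4th field) of the fstab line that mounts the mapping
        mount_opts=$(printf '%s\n' "$fstab_text" | awk -v dev="$mapped" '$1 == dev { print $4 }')
        if [ -z "$mount_opts" ]; then
            printf 'WARN: %s: no fstab entry for %s, nothing pulls in the unlock at boot\n' "$target" "$mapped"
            problems=$((problems + 1))
        elif has_opt "$options" _netdev && ! has_opt "$mount_opts" _netdev; then
            printf 'WARN: %s: crypttab has _netdev but the fstab mount does not\n' "$target"
            problems=$((problems + 1))
        else
            printf 'OK: %s -> %s (crypttab: %s, fstab: %s)\n' "$target" "$mapped" "$options" "$mount_opts"
        fi
    done <<EOF
$crypttab_text
EOF
    printf 'problems: %d\n' "$problems"
}

# Constructed sample files (placeholder UUIDs, not the poster's real config).
CRYPTTAB_SAMPLE='# <target> <source> <keyfile> <options>
bdrive UUID="aaaaaaaa-0000-0000-0000-000000000001" none _netdev
local1 UUID="aaaaaaaa-0000-0000-0000-000000000002" none luks
rdrive UUID="aaaaaaaa-0000-0000-0000-000000000003" none _netdev'
FSTAB_SAMPLE='UUID=bbbbbbbb-0000-0000-0000-000000000000 / ext4 errors=remount-ro 0 1
/dev/mapper/local1 /srv/local ext4 defaults 0 2
/dev/mapper/rdrive /srv/remote ext4 defaults 0 2'

check_crypttab_fstab "$CRYPTTAB_SAMPLE" "$FSTAB_SAMPLE"
```

To run it against a live system, call check_crypttab_fstab "$(cat /etc/crypttab)" "$(cat /etc/fstab)" instead of the samples.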

OGSelfHosting
Posts: 2
Joined: 2024-03-13 13:33

Re: [Solved] Help with Luks and Clevis/Tang

#7 Post by OGSelfHosting »

Hi. I have successfully implemented clevis/tang on my Debian 12 servers. I'll be happy to help. I have a video and instructions I made just a couple of months ago for implementing clevis on Debian 12 (I have not tested it on any other Debian distro). Just google search for debian tang-clevis-for-a-luks-encrypted-debian-server and that should find my article/video (I am an Old Guy doing selfhosting, and that's the basis for my site name :)).

The issue you are facing with Debian is that it doesn't auto-connect to a network pre-luks decryption, so we need to add a couple of extra configs. We need to set networking (IP) and, for accessing remote tang servers, also set up a DNS nameserver so you can resolve a name into an IP (not needed for a LAN tang server only). And we activate this prior to luks decryption. It doesn't work if you follow some of the instructions for other distros, but with some minor tweaks, it DOES WORK for Debian 12. My blog/video covers both of these. My blog is long because I tried to be very detailed, but it comes down to two simple edits you do after you create your tang server and install clevis.

I use clevis to routinely unlock all my servers (I have...too many :)) In fact, I use TWO tang servers to give me even better control (I am a bit of a data-security freak). At boot up, my servers grab a blinded partial luks key fragment from a local highly-available tang server, and another fragment from a (very) remote one. It gives me huge control of auto-decryption - I can turn it on for maximum convenience, turn it off for maximum security and script for anything in between.

WELL DONE YOU for using luks; even more so for using dropbear (which is pretty neat, but still...manual) and EVEN MORE WELL DONE for doing it smartly with clevis, which is now ALL that I do!

Email/Twitter or message me if you need help. It's REALLY GOOD to do this as it improves data security without compromising convenience too much. Good luck!! :-)

Andrew Wilson (OGSelfHosting)
