Package Details: clevis 11-5

Git Clone URL: https://aur.archlinux.org/clevis.git (read-only)
Package Base: clevis
Description: Automated Encryption Framework
Upstream URL: https://github.com/latchset/clevis
Keywords: luks tpm2
Licenses: GPL3
Submitter: diabonas
Maintainer: diabonas
Last Packager: diabonas
Votes: 2
Popularity: 0.985253
First Submitted: 2018-10-24 18:42
Last Updated: 2019-09-17 12:18

Dependencies (19)

Required by (0)

Sources (4)

Latest Comments

diabonas commented on 2019-08-29 10:42

@Smoolak I got it working in a virtual machine, although some changes to the dracut module were necessary to install all required files, see the updated package clevis 11-3. Note that you need to install the new optional dependency nmap, otherwise installing the dracut module fails.

As described in my last comment, I had to add random.trust_cpu=on to the kernel command line (using e.g. dracut --kernel-cmdline or specifying kernel_cmdline in dracut.conf.d) to have enough entropy available for jose. To activate the automatic unlocker, I used

sudo clevis luks bind -d /dev/<luks-partition> tang '{"url": "http://<tang-ip-address>"}'

(DNS name resolution didn't appear to work, so I had to specify the server IP address directly.) This worked out of the box, showing the "Please enter passphrase for disk" prompt first, but automatically continuing boot a few seconds later. If the connection to the server does not work, you should get an "Error communicating with the server!" message after a few seconds instead.
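A pre-flight check for the two early-boot pitfalls described in this comment (no random.trust_cpu=on on the kernel command line, and a tang URL that would need DNS in the initramfs), written as an added example that is not part of this page or of the clevis project; the sample kernel command line and tang config below are constructed.

```shell
#!/bin/sh
# Added example, not clevis code. Checks the inputs you would use for
# 'clevis luks bind ... tang <config>' before rebuilding the initramfs.

# Return 0 if the kernel command line ($1) contains random.trust_cpu=on as a
# whole parameter (a substring match would also accept random.trust_cpu=one).
cmdline_has_trust_cpu() {
    for param in $1; do
        [ "$param" = "random.trust_cpu=on" ] && return 0
    done
    return 1
}

# Extract the "url" value from a tang config such as '{"url": "http://192.0.2.10"}'
# with sed only, since no JSON tool is guaranteed in an initramfs.
tang_url_from_config() {
    printf '%s' "$1" | sed -n 's#.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*#\1#p'
}

# Return 0 if the URL's host is an IPv4 literal, i.e. usable without DNS.
tang_url_is_ip_literal() {
    host=$(printf '%s' "$1" | sed -n 's#^https\{0,1\}://\([^/:]*\).*#\1#p')
    [ -n "$host" ] || return 1
    printf '%s' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Run both checks on a command line ($1) and tang config ($2); report each
# failure on stderr and return non-zero if any check failed.
preflight() {
    rc=0
    if ! cmdline_has_trust_cpu "$1"; then
        echo "random.trust_cpu=on missing: jose may block waiting for entropy" >&2
        rc=1
    fi
    url=$(tang_url_from_config "$2")
    if ! tang_url_is_ip_literal "$url"; then
        echo "tang url '$url' is not an IPv4 literal: no DNS in early boot" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample inputs; on a real system use "$(cat /proc/cmdline)" and the
# config string you pass to 'clevis luks bind'.
SAMPLE_CMDLINE='root=/dev/mapper/root rd.luks.name=EXAMPLE-UUID=root random.trust_cpu=on quiet'
SAMPLE_CONFIG='{"url": "http://192.0.2.10"}'
preflight "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG" && echo "pre-flight OK"
```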

diabonas commented on 2019-08-29 00:23

@Smoolak I haven't tried this myself yet, but from previous experience with the TPM2 PIN in an initramfs I know that Clevis/jose requires some random bytes, which can be problematic during early boot where entropy is sparse. This would explain the timeouts you are getting, because Clevis is not able to finish its operations before the dracut timeout. Try adding random.trust_cpu=on to your kernel command line; this causes the random number generator to be initialised fast on modern processors supporting RdRand.

Smoolak commented on 2019-08-28 20:14

Has anyone succeeded at auto unlocking a luks root partition at boot using this, dracut and the tang available on the AUR? I confirmed that a manual clevis luks unlock works. However, it doesn't work at boot even if the clevis module is installed correctly when I build the initramfs with dracut. I get a dracut initqueue timeout at boot every time.