Setup clevis with tang on systemd based initramfs

7thCore · 2023-09-04 13:12:29

I've been trying to get clevis working with a server, so when the server reboots or boots up and it detects the tang server on my network it auto unlocks all the encrypted drives. The luks encrypted drives are set in the systemd-boot entry under options. I've been unlocking them at boot like this for a few years now:

title Arch Linux
sort-key archlinux-10
linux /installs/active/arch/vmlinuz-linux
initrd /installs/active/arch/amd-ucode.img
initrd /installs/active/arch/initramfs-linux.img
options luks.name=61946056-0cb4-443a-a055-1b38dffecf5a=crypt_luks0 luks.name=8a9c2304-75a7-48d5-a7bf-c8b6e06a66cb=crypt_luks1 luks.name=fd9a7d64-58c2-41f5-a745-239257495177=crypt_luks2 root=UUID=95ed4d5b-e51d-46ad-b505-c9587446244e rootflags=subvol=_active/root-arch resume=UUID=9a7fa996-cfb6-4789-b3d3-ae0d602cdf05 rw

The tang server is curenty on a temporary raspberry pi and i have bind clevis to them with the following command

clevis luks bind -d /dev/sda2 tang '{"url": "http://ip-of-tang-server"}'

I've been following this guide but I found out that this solution sadly doesn't work with systemd based initramfs.

I'm using mkinitcpio-systemd-extras to get systemd-networkd working on early boot with the same static IP the system has when it's running normaly. My current mkinitcpio hooks are as follows:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-network clevis sd-encrypt lvm2 resume btrfs filesystems fsck)

I've also tried with mkinitcpio-netconf and mkinitcpio-nfs-utils to get the net hook working but I had no success.

Any advice on what to try next? Is there any clevis hook for systemd based initramfs available anywhere? Or am I missing something?

Any help is appreciated.

Last edited by 7thCore (2023-09-04 14:05:36)

Arch Linux

#1 2023-09-04 13:12:29

Setup clevis with tang on systemd based initramfs

Board footer