For managing LUKS-encrypted disk(s), I think the Clevis/Tang method is the easiest way. Clevis and Tang can decrypt and mount the disk(s) at boot, which is great for NAS servers with multiple disks. Here is a link to a great presentation from DebConf explaining and demoing Clevis and Tang.
Figure 1 is the topology that I have in my environment.

This method assumes that you have already configured LUKS on your disk(s). We are only going to install and configure Clevis on the client side and Tang on the server side.
- Setting up the Tang
- Setting up the Clevis clients
Installing Tang
I am using CentOS Stream for the primary Tang server and Debian 10 for the secondary Tang server.
```
# CentOS
dnf install -y tang
# Debian
apt install -y tang
# Enable the tangd.socket
systemctl enable tangd.socket
```
By default, Tang uses plain HTTP on port 80/tcp. In this post, we are changing the port to 7575/tcp.
```
systemctl edit tangd.socket
```
Copy and paste the parameters below, then save the file and exit. The empty `ListenStream=` line clears the default port 80 listener before the new port is added.
```
[Socket]
ListenStream=
ListenStream=7575
```
Reload the system manager to activate the changes.
```
systemctl daemon-reload
```
Start the tangd.socket and check the listening port.
```
systemctl start tangd.socket
# Check the listening port
systemctl show tangd.socket -p Listen
```
I use firewalld on my hosts, so make sure to allow the tangd port inbound on the Tang server.
```
firewall-cmd --permanent --zone=public --add-port=7575/tcp
firewall-cmd --reload
```
Keep tabs on the contents of /var/db/tang, because we will need to compare the keys in this directory against the keys Clevis shows when we bind it to the Tang server.
```
ls /var/db/tang
```
Installing Clevis
The Tang server is done. Next we need to install Clevis on the host(s) that require LUKS decryption and auto-mounting of the encrypted disk(s). In this scenario, I am using Fedora as my workstation and Debian as my NAS. On the Fedora install, the root drive was encrypted with LUKS during the installation of Fedora. On the Debian NAS, the root disk is not encrypted with LUKS, but the data disks are.
I just want to throw in this info: I could not get the Fedora workstation to work when it is connected to the Wi-Fi network. However, when the workstation is connected to the LAN, it works.
This post assumes that you have already opened the LUKS partition.
Just a note on the Debian side: I could not get Clevis to work when I installed it via apt. The only way I could get Clevis to work was to install the .deb package version 15.
- Install Clevis
- Add the LUKS encrypted volume(s) to /etc/crypttab
- Add the decrypted volume(s) to /etc/fstab
- Bind the volume(s) to the Tang server
- Enable clevis for non-root disk(s) and enable dracut for the root disk
Clevis on non-root disks
To install Clevis on Debian, Fedora and openSUSE:
```
# Debian
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis_15-5_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-luks_15-5_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-systemd_15-5_amd64.deb
# Download this only if the root disk is encrypted by LUKS
wget http://ftp.us.debian.org/debian/pool/main/c/clevis/clevis-dracut_15-5_amd64.deb
gdebi clevis_15-5_amd64.deb
gdebi clevis-luks_15-5_amd64.deb
gdebi clevis-systemd_15-5_amd64.deb
# Install this only if the root disk is encrypted by LUKS
gdebi clevis-dracut_15-5_amd64.deb

# CentOS/Fedora
dnf install clevis clevis-luks clevis-dracut

# openSUSE Leap
zypper addrepo https://download.opensuse.org/repositories/home:ArturGaspar:clevis/openSUSE_Leap_15.2/home:ArturGaspar:clevis.repo
zypper refresh
zypper install clevis clevis-luks clevis-systemd
```
This only applies to non-root disks. We need to edit /etc/crypttab and add all the LUKS partitions that should be automatically decrypted and mounted during late boot. To edit /etc/crypttab, use your favorite text editor; I'll be using vim.
When you opened the LUKS partition (disk), you gave it a name. That LUKS name is the target name. You can find these LUKS names under /dev/mapper/.
```
# edit the /etc/crypttab
vim /etc/crypttab
# Enter your entries
# <target name> <source device> <key file> <options>
luks_parity1 UUID=1aa0965-98d5-4e26-b7a9-2c2fcae9f4e2 none _netdev
luks_disk1 UUID=eb4ma10-9c3c-4cdd-8ac8-8ahd134a8abb none _netdev
luks_disk2 UUID=dd12355-cf21-418e-8e22-9ea466bc1479 none _netdev
```
To automatically mount the decrypted partitions, we need to edit /etc/fstab. If you have multiple disks, you will have to add each one.
```
# At the bottom of the fstab
/dev/mapper/luks_parity1 /mnt/parity1 xfs _netdev,defaults 0 0
/dev/mapper/luks_disk1 /mnt/disk1 xfs _netdev,defaults 0 0
/dev/mapper/luks_disk2 /mnt/disk2 xfs _netdev,defaults 0 0
```
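The two files above have to agree with each other: every crypttab target needs an fstab line for `/dev/mapper/<target>`, and both sides need `_netdev`, otherwise systemd orders the unlock or the mount before the network (and therefore Tang) is reachable and boot stalls waiting for a passphrase. The following is an added example, not part of the original post, that cross-checks the two files; the file contents embedded in it are constructed for the demo (one volume deliberately missing `_netdev` on each side).

```python
# Added example (not from the original post): cross-check /etc/crypttab against
# /etc/fstab for network-unlocked LUKS volumes. Every crypttab target should
# have an fstab entry under /dev/mapper/<target>, and both sides should carry
# _netdev so systemd defers unlocking/mounting until the network (and Tang)
# is reachable. The sample file contents below are constructed for the demo.

CRYPTTAB_SAMPLE = """\
# <target name> <source device> <key file> <options>
luks_parity1 UUID=1aa0965-98d5-4e26-b7a9-2c2fcae9f4e2 none _netdev
luks_disk1   UUID=eb4ma10-9c3c-4cdd-8ac8-8ahd134a8abb none _netdev
luks_disk2   UUID=dd12355-cf21-418e-8e22-9ea466bc1479 none
"""

FSTAB_SAMPLE = """\
/dev/mapper/luks_parity1 /mnt/parity1 xfs _netdev,defaults 0 0
/dev/mapper/luks_disk1   /mnt/disk1   xfs defaults         0 0
"""


def _parse_tab(text):
    """Shared parser: {first field: set(options from the 4th field)} per non-comment line.

    crypttab columns: target, source, keyfile, options
    fstab columns:    device, mountpoint, fstype, options, dump, pass
    In both files the options live in column 4 and are comma separated."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries[fields[0]] = opts
    return entries


def parse_crypttab(text):
    """Return {target: set(options)}."""
    return _parse_tab(text)


def parse_fstab(text):
    """Return {device: set(options)}."""
    return _parse_tab(text)


def check_netdev_consistency(crypttab_text, fstab_text):
    """Return a sorted list of human-readable findings; an empty list means consistent."""
    findings = []
    crypt = parse_crypttab(crypttab_text)
    fstab = parse_fstab(fstab_text)
    for target, opts in crypt.items():
        mapper = f"/dev/mapper/{target}"
        if "_netdev" not in opts:
            findings.append(
                f"crypttab: {target} lacks _netdev (unlock would be ordered before the network is up)")
        if mapper not in fstab:
            findings.append(f"fstab: no mount entry for {mapper}")
        elif "_netdev" not in fstab[mapper]:
            findings.append(
                f"fstab: {mapper} lacks _netdev (mount is pulled in by local-fs.target, not remote-fs.target)")
    return sorted(findings)


if __name__ == "__main__":
    # To run against a live system, read /etc/crypttab and /etc/fstab instead.
    for finding in check_netdev_consistency(CRYPTTAB_SAMPLE, FSTAB_SAMPLE):
        print(finding)
```

On a real host, replace the two embedded samples with the contents of `/etc/crypttab` and `/etc/fstab`; a clean run prints nothing.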
It is time to bind each partition to the Tang server. You will need to match the signing keys shown during the bind against the keys on the Tang server to make sure you are binding to the right Tang server. If you have more than one Tang server, you will have to repeat the bind for each LUKS partition against each server.
```
# First Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.38:7575"}'
# Second Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.39:7575"}'
```
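What the bind actually asks you to confirm is the thumbprint of the signing key(s) in the Tang advertisement, which you compare with the thumbprint of the key stored under /var/db/tang on the server (the `tang-show-keys` helper prints it there). The advertisement is a JWS whose payload is a JWK Set, and the thumbprint is the RFC 7638 JWK thumbprint (SHA-256, base64url), the same value the `jose` tool computes. As an added example that is not part of the original post or the Clevis project, the code below decodes an advertisement and computes those thumbprints itself; the advertisement embedded in it is constructed with short placeholder coordinates (real Tang keys are P-521 and much longer), and the signature field is a placeholder that the example does not verify.

```python
# Added example (not from the original post): compute the RFC 7638 thumbprints
# of the signing keys in a Tang advertisement, i.e. the values that
# `clevis luks bind` shows under "The advertisement contains the following
# signing keys" and that `tang-show-keys` prints on the server. Comparing the
# two confirms you are binding to your own Tang server and not to something
# else answering on that address. The advertisement below is constructed;
# real Tang keys are P-521 and the coordinates would be far longer.
import base64
import hashlib
import json

# Members that RFC 7638 hashes for each key type (lexicographic member order).
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used throughout JOSE."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode to unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.

    Optional members (alg, key_ops, kid, ...) are excluded, and the JSON is
    emitted with sorted keys and no whitespace, so two representations of the
    same public key always hash to the same value."""
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())


def signing_key_thumbprints(advertisement: dict) -> list:
    """Decode the JWS payload of a Tang advertisement and thumbprint its 'verify' keys.

    Tang advertises two key types: an ES512 signing key (key_ops includes
    "verify") and an ECMR key-exchange key (key_ops "deriveKey"). Only the
    signing keys are what the bind prompt asks you to trust."""
    payload = json.loads(b64url_decode(advertisement["payload"]))
    return sorted(jwk_thumbprint(k) for k in payload["keys"] if "verify" in k.get("key_ops", []))


# Constructed advertisement: a JWS in JSON serialisation whose payload is a JWK Set.
_PAYLOAD = {
    "keys": [
        {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC", "x": "QUFB", "y": "QkJC"},
        {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC", "x": "Q0ND", "y": "RERE"},
    ]
}
SAMPLE_ADVERTISEMENT = {
    "payload": b64url_encode(json.dumps(_PAYLOAD, separators=(",", ":")).encode()),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "cGxhY2Vob2xkZXItbm90LXZlcmlmaWVk",  # placeholder; not verified in this demo
}

if __name__ == "__main__":
    # Against a live server you would fetch http://<tang>:7575/adv and json.loads() it.
    for thp in signing_key_thumbprints(SAMPLE_ADVERTISEMENT):
        print(thp)
```

Against a live server, fetch `http://<tang-host>:7575/adv`, pass the parsed JSON to `signing_key_thumbprints`, and compare the result with what the server reports; the bind should only be confirmed when they match. Note that this example deliberately does not check the JWS signature: the advertisement is self-signed by the key it carries, so the signature alone cannot tell you which server you are talking to, which is exactly why the out-of-band thumbprint comparison matters.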
Enable the Clevis unlocker service, clevis-luks-askpass.path.
```
systemctl enable clevis-luks-askpass.path
```
Mount the disk(s) to make sure that /etc/fstab is working correctly, then run df -h to confirm the mounts are present.
```
mount -a
```
Clevis on the root disk
Just like the data disks, the root disk needs to be bound to the Tang server. To do so:
```
# First Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.38:7575"}'
# Second Tang server
clevis luks bind -d /dev/sdf1 tang '{"url":"http://10.0.7.39:7575"}'
```
Since I am using Fedora as my workstation, I have to run dracut -f so the initramfs can bring the network up and reach Tang before the root disk is unlocked. There are two scenarios here: a workstation that gets its IP address via DHCP, and a workstation with a static IP address. If you are using DHCP, run this command once.
```
dracut -f --kernel-cmdline "ip=dhcp"
```
For a workstation with a static IP address, run the following, replacing the values as necessary.
```
dracut -f --kernel-cmdline "ip=192.168.1.10 netmask=255.255.255.0 gateway=192.168.1.1 nameserver=1.1.1.1"
```
Clevis LUKS Unbind
If you need to unbind the disk from the Tang server(s), or you are planning to migrate the disk(s) to a different Tang server, you can remove the disk(s) from the existing Tang server with the unbind option. Just be careful when unbinding keys, because you don't want to lose access to the disk: keep at least one keyslot that is not tied to a Tang server. To view the Clevis tokens, use cryptsetup luksDump.
```
# Check the Clevis Token keyslot
cryptsetup luksDump /dev/sdf1
...
... omitted for brevity
...
Tokens:
  0: clevis
        Keyslot:    1
...
... omitted for brevity

# Unbinding the keyslot
clevis luks unbind -d /dev/sdf1 -s 1
The unbind operation will wipe a slot. This operation is unrecoverable.
Do you wish to erase LUKS slot 2 on /dev/sdf1? [ynYN] y
Enter any remaining passphrase:
```
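Because `clevis luks unbind -s` takes a keyslot number, not a token number, the safe habit is to read the `Tokens:` section of the dump, find which keyslot each Clevis token points at, and confirm that at least one keyslot with no token (your passphrase slot) remains before wiping anything. As an added example that is not part of the original post, the code below parses a LUKS2 `cryptsetup luksDump` listing to do exactly that; the dump text embedded in it is constructed to mirror the layout shown above, with most fields omitted.

```python
# Added example (not from the original post): parse `cryptsetup luksDump`
# output to map Clevis tokens to the keyslots they own, and refuse an unbind
# that would leave the volume with no non-Clevis keyslot (no passphrase to
# fall back on if the Tang servers are unavailable). The dump below is
# constructed to mirror the LUKS2 layout; real output has many more fields.
import re

SAMPLE_LUKSDUMP = (
    "LUKS header information\n"
    "Version:       \t2\n"
    "Epoch:         \t5\n"
    "\n"
    "Keyslots:\n"
    "  0: luks2\n"
    "\tKey:        512 bits\n"
    "\tPriority:   normal\n"
    "  1: luks2\n"
    "\tKey:        512 bits\n"
    "\tPriority:   normal\n"
    "  2: luks2\n"
    "\tKey:        512 bits\n"
    "\tPriority:   normal\n"
    "Tokens:\n"
    "  0: clevis\n"
    "\tKeyslot:    1\n"
    "  1: clevis\n"
    "\tKeyslot:    2\n"
    "Digests:\n"
    "  0: pbkdf2\n"
    "\tHash:       sha256\n"
)

_SECTION = re.compile(r"^(\S[^:]*):\s*$")            # "Keyslots:", "Tokens:", "Digests:"
_ITEM = re.compile(r"^\s+(\d+): (\S+)\s*$")            # "  0: luks2" / "  0: clevis"
_KEYSLOT_REF = re.compile(r"^\s+Keyslot:\s+(\d+)\s*$")  # token sub-field


def parse_luksdump(text):
    """Return (keyslots, tokens): keyslots = {id: type}, tokens = {id: (type, keyslot)}."""
    keyslots, tokens = {}, {}
    section, current_token = None, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section, current_token = m.group(1), None
            continue
        m = _ITEM.match(line)
        if m and section == "Keyslots":
            keyslots[int(m.group(1))] = m.group(2)
        elif m and section == "Tokens":
            current_token = int(m.group(1))
            tokens[current_token] = (m.group(2), None)
        elif section == "Tokens" and current_token is not None:
            m = _KEYSLOT_REF.match(line)
            if m:
                ttype, _ = tokens[current_token]
                tokens[current_token] = (ttype, int(m.group(1)))
    return keyslots, tokens


def clevis_slots(tokens):
    """{token id: keyslot} for tokens of type clevis."""
    return {tid: slot for tid, (ttype, slot) in tokens.items() if ttype == "clevis"}


def plan_unbind(dump_text, token_id):
    """Return the keyslot to pass to `clevis luks unbind -s`, or raise if unsafe."""
    keyslots, tokens = parse_luksdump(dump_text)
    bound = clevis_slots(tokens)
    if token_id not in bound:
        raise ValueError(f"token {token_id} is not a clevis token")
    passphrase_slots = set(keyslots) - set(bound.values())
    if not passphrase_slots:
        raise ValueError("every keyslot is Clevis-bound; add a passphrase slot before unbinding")
    return bound[token_id]


if __name__ == "__main__":
    # On a real host: dump_text = subprocess.run(["cryptsetup", "luksDump", dev], ...).stdout
    slots, toks = parse_luksdump(SAMPLE_LUKSDUMP)
    print("keyslots:", slots)
    print("clevis tokens:", clevis_slots(toks))
    print("unbind token 0 -> clevis luks unbind -d <dev> -s", plan_unbind(SAMPLE_LUKSDUMP, 0))
```

Run against a real device by feeding it the stdout of `cryptsetup luksDump <device>`; the returned slot is the value for `-s`, and the ValueError paths are the cases where you should stop and add a passphrase with `cryptsetup luksAddKey` first.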
That is it. Cheers!
How do I make this automatic on kernel upgrades? (Fedora 35 – I've tried to do the same but I failed – there was something about needing to remove the crypttab when using LUKS command lines, so I'm a little confused. The original /etc/default/grub contains luks entries, and the crypttab contains entries. There was also some mention on the web about _netdev and such, so I was wondering if you could share your /etc/default/grub, your /etc/fstab and your /etc/crypttab.)
You need to enter the UUID of the LUKS disk in /etc/crypttab. You need to grab the /dev/mapper/ name for /etc/fstab. I didn't mess around with grub.
The documentation on Clevis and Tang must be one of the worst. I couldn't find anywhere that documented it completely.