Clevis

From Alpine Linux
Latest revision as of 15:32, 30 May 2025

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Prabuanand on 30 May 2025.)

Clevis is a pluggable framework for automated decryption. This page documents how to use it in Alpine Linux to encrypt/decrypt a disk by binding it to tang (network-bound encryption/decryption) or to a TPM (hardware-chip encryption/decryption).

With tang, block devices or files can be decrypted automatically for convenience; the exchange is encrypted and designed to resist man-in-the-middle attacks, since nobody obtains the private key and only an advertised key that is rotated over time is published.

  • It is recommended to run tang in a Docker container; for example, you can use the compose files at https://github.com/padhi-homelab/services/blob/master/tang/docker-compose.yml (github) or https://gitlab.com/AdrianKoshka/tang-docker-container/ (gitlab).

Auto Disk decryption using clevis + tang

You need to run tang on a server separate from the one you want to decrypt. I recommend running the tang server in a Docker container.

mkinitfs + kernel-hooks + secureboot-hook

Todo: write guide


Using mkinitfs, it is possible to force tang/clevis into the generated initramfs. It is recommended to do this in a chroot or a Docker container so you don't touch your host's system files, by adding the following files:

Todo: The init script is too big to put in the wiki; I obtained it by generating and decompressing the initramfs (see the tip below).


Note: the APK package "cryptsetup" comes with veritysetup

apk add cryptsetup

Note: make sure the chroot has a linux-kernel

Edit /sbin/mkinitfs (put "# Copy custom init" before "# copy modloop signature"):

Contents of /etc/mkinitfs

...
# Copy custom init
cp /initramfs/init "$tmpdir"/init
# copy modloop signature
...

Put "# Clevis + tang script" after ebegin "Mounting root":

Contents of /initramfs/init

...
ebegin "Mounting root"
# Clevis + tang script
# work in progress
...
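The "# Clevis + tang script" part of the init is still marked work in progress above. As an added example, which is not the wiki's script and not Alpine's own init code, here is a busybox-sh fragment that could sit at that marker: it reads the LUKS device and mapper name from the cryptroot= and cryptdm= kernel options, retries `clevis luks unlock` while the tang server may still be unreachable, and falls back to the normal passphrase prompt so a tang outage cannot leave the machine unbootable. It assumes the root device was bound beforehand with `clevis luks bind -d <device> tang '{"url":"..."}'` and that the network is already configured when it runs (for instance with the ip= kernel option); the helper names cmdline_get, retry and clevis_tang_stage are this example's own.

```shell
# Added example for the "# Clevis + tang script" step in /initramfs/init.
# Not the wiki's script and not part of Alpine's init. Assumptions:
#  - the kernel command line carries cryptroot=/dev/... and cryptdm=NAME,
#  - the root device was bound earlier with `clevis luks bind ... tang ...`,
#  - the network is already up when clevis_tang_stage runs (e.g. ip=dhcp).

# cmdline_get KEY WORD...: print the value of KEY=VALUE among the WORDs of a
# kernel command line; return 1 when KEY is absent.
cmdline_get() {
    key=$1
    shift
    for word in "$@"; do
        case $word in
            "$key"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# retry COUNT DELAY CMD...: run CMD up to COUNT times, sleeping DELAY seconds
# between failed attempts. Returns 0 on the first success, 1 if all fail.
retry() {
    count=$1 delay=$2
    shift 2
    while [ "$count" -gt 0 ]; do
        if "$@"; then return 0; fi
        count=$((count - 1))
        if [ "$count" -gt 0 ]; then sleep "$delay"; fi
    done
    return 1
}

# clevis_tang_stage [CMDLINE_FILE]: unlock the root LUKS device with the pin
# stored in its header (tang over the network, or tpm2), retrying while the
# tang server may still be unreachable, then fall back to the interactive
# passphrase so an unreachable tang server never blocks the boot entirely.
# CMDLINE_FILE defaults to /proc/cmdline (a file argument makes it testable).
clevis_tang_stage() {
    set -- $(cat "${1:-/proc/cmdline}")
    cryptroot=$(cmdline_get cryptroot "$@") || return 0   # no encrypted root: nothing to do
    cryptdm=$(cmdline_get cryptdm "$@") || cryptdm=root
    [ -e "/dev/mapper/$cryptdm" ] && return 0              # already opened earlier in init
    if retry 30 2 clevis luks unlock -d "$cryptroot" -n "$cryptdm"; then
        echo "clevis: unlocked $cryptroot as $cryptdm"
        return 0
    fi
    echo "clevis: automatic unlock failed, asking for the passphrase" >&2
    cryptsetup open "$cryptroot" "$cryptdm"
}

# At the marker in /initramfs/init, after these definitions:
#   clevis_tang_stage
```

The fallback to `cryptsetup open` is the important part for a machine that must still boot while tang is down; `clevis luks unlock` needs the cryptsetup binary in the image, which the `apk add cryptsetup` step above provides.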

Contents of /etc/mkinitfs/features.d/curl.files

/usr/bin/curl

Contents of /etc/mkinitfs/features.d/clevis.files

/usr/bin/clevis*

Contents of /etc/mkinitfs/mkinitfs.conf

...
features="... curl clevis"
...

Then just do:

apk add secureboot-hook systemd-efistub efibootmgr kernel-hooks

Tip: To make sure initramfs has the scripts needed, do:

mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(uname -r)

Decompress it ($KERNEL being the suffix of the initramfs file in /boot):

mkdir /tmp/initramfs
cd /tmp/initramfs
zcat /boot/initramfs-$KERNEL | cpio -idmv

Test whether "init" works by executing it and observing how it runs:

./init
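Running ./init by hand is the manual check. The script below is an added example (not part of mkinitfs and not from this wiki) that automates the same check against the extracted tree: it verifies that every glob in the features.d/*.files specs matches something in the tree, and that every script in the tree can find its "#!" interpreter there. The second check matters because clevis' command-line tools are scripts, and their interpreter is not necessarily present in a busybox-based initramfs. The function names check_files_spec, check_interpreters and check_initramfs are this example's own; the spec paths in the usage comment are the ones this page creates.

```shell
# Added example (not part of mkinitfs or the wiki): after extracting the
# initramfs with cpio as in the tip, check that the tree contains what the
# features.d/*.files specs ask for and that every script in it can find its
# interpreter inside the tree.

# check_files_spec ROOT SPEC: every non-comment line of SPEC is a path glob as
# used in /etc/mkinitfs/features.d/*.files; print the globs that match
# nothing under ROOT and return 1 if any is missing.
check_files_spec() {
    root=$1 spec=$2 missing=0
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        set -- "$root"$pattern          # expand the glob relative to ROOT
        if [ ! -e "$1" ]; then
            echo "missing: $pattern"
            missing=1
        fi
    done < "$spec"
    return $missing
}

# check_interpreters ROOT: for each regular file under ROOT that begins with
# "#!", verify the interpreter it names exists inside ROOT. A busybox-based
# initramfs has /bin/sh but usually no /bin/bash, so a script that needs bash
# would fail when ./init reaches it. (Paths containing spaces are not handled.)
check_interpreters() {
    root=$1 missing=0
    for f in $(find "$root" -type f); do
        [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] || continue
        interp=$(head -n 1 "$f" | sed 's/^#! *//; s/[[:space:]].*//')
        if [ ! -e "$root$interp" ]; then
            echo "$f needs $interp (not in image)"
            missing=1
        fi
    done
    return $missing
}

# check_initramfs ROOT SPEC...: run both checks; status 0 only when the image
# is complete with respect to the given specs.
check_initramfs() {
    root=$1
    shift
    status=0
    for spec in "$@"; do
        check_files_spec "$root" "$spec" || status=1
    done
    check_interpreters "$root" || status=1
    return $status
}

# Typical use after the tip's "cpio -idmv" step:
#   check_initramfs /tmp/initramfs /etc/mkinitfs/features.d/curl.files \
#                   /etc/mkinitfs/features.d/clevis.files
```

Run it against /tmp/initramfs before trying ./init; a non-zero status with a "needs /bin/bash" line means the clevis scripts were copied but their interpreter was not, which is the kind of gap that only shows up at the "Mounting root" step otherwise.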

See also

dracut

Todo: write guide

External sources

  • https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/
  • https://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang