Clevis: Difference between revisions

From Alpine Linux
mNo edit summary
mNo edit summary
Line 69: Line 69:
* [https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/ https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/]
* [https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/ https://fedoramagazine.org/using-linux-system-roles-to-implement-clevis-and-tang-for-automated-luks-volume-unlocking/]
* [https://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang https://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang]
* [https://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang https://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang]
[[Category:Security]] [[Category:Booting]]

Revision as of 16:29, 25 December 2024

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Pursuable1652 on 25 Dec 2024.)

What is clevis

It is a software that allows to encrypt/decrypt a disk by bounding to tang (network bound encryption/decryption) or a TPM (hardware chip encryption/decryption).

Auto Disk decryption using clevis + tang

You need to run tang in a separate server, from the one you want to decrypt. I recommend running a tang server on a docker.

mkinitfs + kernel-hooks + secureboot-hook

Todo: write guide


Using mkinitfs, it is possible to force tang/clevis in initramfs generation. It is recommended to make a chroot or docker so you don't mess with your system files, and by adding these files:

Todo: The init script is too big to put in wiki, I just acquired it from initramfs generation and decompression (read the tip below)


Note: the APK package "cryptsetup" comes with veritysetup

apk add cryptsetup

Note: make sure the chroot has a linux-kernel

Edit /sbin/mkinitfs (put "# Copy custom init" before "# copy modloop signature"):

Contents of /etc/mkinitfs

... # Copy custom init cp /initramfs/init "$tmpdir"/init # copy modloop signature ...

PUT "# Clevis + tang script" AFTER "ebegin "Mounting root""

Contents of /initramfs/init

... ebegin "Mounting root" # Clevis + tang script # work in progress ...

Contents of /etc/mkinitfs/features.d/curl.files

/usr/bin/curl

Contents of /etc/mkinitfs/features.d/clevis.files

/usr/bin/clevis*

Contents of /etc/mkinitfs/mkinitfs.conf

... features="... curl clevis" ...

Then just do:

apk add secureboot-hook gummiboot gummiboot-efistub efibootmgr kernel-hooks secureboot-hook

Tip: To make sure initramfs has the scripts needed, do:

mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(uname -r)

Decompress:

mkdir /tmp/initramfs cd /tmp/initramfs zcat /boot/initramfs-$KERNEL | cpio -idmv

Test if "init" works by just executing it and see how it runs:

./init

dracut

Todo: write guide


External sources

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Clevis&oldid=28581"