Clevis: Difference between revisions

From Alpine Linux
Revision as of 16:23, 25 December 2024

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Pursuable1652 on 25 Dec 2024.)

What is clevis

Clevis is software that encrypts/decrypts a disk by binding the key to a Tang server (network-bound encryption/decryption) or to a TPM (hardware chip encryption/decryption).

Auto Disk decryption using clevis + tang

Tang must run on a separate server from the machine you want to decrypt. I recommend running the Tang server in a Docker container.

mkinitfs + kernel-hooks + secureboot-hook

Todo: write guide


Using mkinitfs, it is possible to force tang/clevis support into the generated initramfs. It is recommended to work in a chroot or a Docker container so you don't mess with your host system files. Add the following files:

Todo: the init script is too big to put in the wiki; I obtained it by generating and decompressing the initramfs (see the tip below).


Note: the APK package "cryptsetup" comes with veritysetup

apk add cryptsetup

Note: make sure the chroot has a linux-kernel

Edit /sbin/mkinitfs (put "# Copy custom init" before "# copy modloop signature"):

Contents of /etc/mkinitfs

...
# Copy custom init
cp /initramfs/init "$tmpdir"/init
# copy modloop signature
...

Edit /initramfs/init (put "# Clevis + tang script" after ebegin "Mounting root"):

Contents of /initramfs/init

...
ebegin "Mounting root"
# Clevis + tang script
# work in progress
...
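The wiki leaves the "# Clevis + tang script" as work in progress. The following is an added example of the unlock logic that would sit at that point in /initramfs/init; it is not the page's script and not part of the clevis project. It assumes the LUKS root has already been bound to Tang with clevis luks bind, that clevis, curl and cryptsetup are in the initramfs (the curl and clevis mkinitfs features above), and that the device, mapper name and Tang URL arrive on the kernel command line as clevis_dev=, clevis_name= and tang_url= (hypothetical parameter names chosen for this example). The design point is the fallback: a Tang outage degrades to the normal passphrase prompt instead of an unbootable machine.

```shell
#!/bin/sh
# Added example (not the wiki's "# Clevis + tang script"): unlock the LUKS
# root with clevis/tang, falling back to an interactive passphrase.
# Assumed kernel parameters (hypothetical names): clevis_dev=, clevis_name=, tang_url=

# Print the value of kernel option $1 from command line $2 (default /proc/cmdline).
kopt() {
    cmdline=${2:-$(cat /proc/cmdline)}
    for tok in $cmdline; do
        case $tok in
            "$1"=*) echo "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Run a command up to $1 times, $2 seconds apart; succeed on the first success.
retry() {
    tries=$1; delay=$2; shift 2
    n=0
    while [ "$n" -lt "$tries" ]; do
        "$@" && return 0
        n=$((n + 1))
        [ "$n" -lt "$tries" ] && sleep "$delay"
    done
    return 1
}

# Tang is reachable once its advertisement endpoint answers; this only gives
# the network time to come up before clevis is tried.
tang_up() {
    curl -sf --max-time 5 "$1/adv" >/dev/null
}

# Network-bound unlock first; passphrase prompt if tang or clevis fail.
unlock_root() {
    dev=$1; name=$2; url=$3
    if [ -n "$url" ] && retry 10 3 tang_up "$url"; then
        if retry 3 2 clevis luks unlock -d "$dev" -n "$name"; then
            return 0
        fi
        echo "clevis: tang unlock failed, falling back to passphrase" >&2
    else
        echo "clevis: tang at ${url:-<unset>} not reachable, falling back to passphrase" >&2
    fi
    cryptsetup open "$dev" "$name"
}

# Only act when the boot is configured for clevis; otherwise leave the
# normal Alpine init flow untouched.
main() {
    dev=$(kopt clevis_dev) || return 0
    name=$(kopt clevis_name) || name=root
    url=$(kopt tang_url) || url=
    unlock_root "$dev" "$name" "$url"
}

main "$@"
```

In the real init this runs before the root filesystem is mounted, so everything it calls (curl, clevis, jose, cryptsetup and their libraries) must already be inside the initramfs; the retry counts and delays are starting values to tune for how long your network takes to come up.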

Contents of /etc/mkinitfs/features.d/curl.files

/usr/bin/curl

Contents of /etc/mkinitfs/features.d/clevis.files

/usr/bin/clevis*

Contents of /etc/mkinitfs/mkinitfs.conf

...
features="... curl clevis"
...

Then just do:

apk add secureboot-hook gummiboot gummiboot-efistub efibootmgr kernel-hooks

Tip: to make sure the initramfs contains the scripts you need, regenerate it:

mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b / $(uname -r)

Decompress and unpack it:

mkdir /tmp/initramfs
cd /tmp/initramfs
zcat /boot/initramfs-$KERNEL | cpio -idmv

Test whether "init" works by executing it and watching how it runs:

./init
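Running ./init only shows that the script starts; it does not prove that every tool the clevis unlock path calls was actually copied into the image. The following is an added example (not from the wiki or from mkinitfs) that checks the unpacked /tmp/initramfs tree from the tip above for the files the unlock needs and for script interpreters that would be dangling inside the initramfs. The file list is an assumption to adjust for your setup: the /usr/bin/clevis* glob in clevis.files copies the clevis scripts, but clevis-decrypt-tang also calls jose, and clevis luks unlock calls cryptsetup, and a missing one of those only fails at boot.

```shell
#!/bin/sh
# Added example: sanity-check an unpacked initramfs tree for the clevis+tang unlock.
# Usage: missing_in_initramfs /tmp/initramfs; check_interpreters /tmp/initramfs

# Files the unlock path is expected to need (assumed list, relative to the tree root).
CLEVIS_REQUIRED="
usr/bin/clevis
usr/bin/clevis-decrypt
usr/bin/clevis-decrypt-tang
usr/bin/clevis-luks-unlock
usr/bin/jose
usr/bin/curl
sbin/cryptsetup
"

# Print every required path missing below tree $1 (extra args override the
# default list); return 1 if anything is missing.
missing_in_initramfs() {
    root=$1; shift
    list=${*:-$CLEVIS_REQUIRED}
    rc=0
    for f in $list; do
        if [ ! -e "$root/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# The clevis helpers are shell scripts; their #! interpreter must exist in
# the same tree (in Alpine's initramfs that is busybox sh), or they fail at
# boot with a confusing "not found".
check_interpreters() {
    root=$1; rc=0
    for f in "$root"/usr/bin/clevis*; do
        [ -f "$f" ] || continue
        interp=$(head -n1 "$f" | sed -n 's/^#! *\([^ ]*\).*/\1/p')
        [ -z "$interp" ] && continue        # no shebang: a binary, skip
        if [ ! -e "$root$interp" ]; then
            echo "$f: interpreter $interp missing from initramfs"
            rc=1
        fi
    done
    return $rc
}
```

Both functions return non-zero when something is wrong, so they can gate a build step: regenerate, unpack, run the checks, and only then install the image into the boot partition.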


dracut

Todo: write guide


External sources