Solution documented: https://github.com/JarlMorgennebel/home … ain/devuan

Perhaps it requires "netconsole"  for entering password if you don't have console access.
See https://www.kernel.org/doc/Documentatio … onsole.txt

That would  mean to use the "netconsole=" boot parameter rather than (or maybe together with) the "ip=" parameter. At the console end you can run a "socat" process, as per exmaple "3)" on that page.

EDIT: you might also want/need the pty option on the socat service, to make it "user friendlier".

EDIT 2: It's probably obvious, but I don't know anything about "clevis" or "tang", so keep filtering my loose ideas.

ip=dhcp

as kernel parameter within /etc/default/grub raised errors. Replaced this with

ip=192.168.1.187::192.168.1.1:255.255.255.0:guldukat:eth0:none:192.168.1.2

which adds one more step:

...
cryptsetup: WARNING: sdb3_crypt: ignoring unknown option '_netdev'
Please unlock disk sdb3_crypt: Begin: clevis: Waiting for interface eth0 to become available ... done
Begin: Waiting up to 180 secs for eth0 to become available ... done
IP-Config: eth0 hardware address d8:XX:XX.XX.XX.XX:XX mtu 1500
IP-Config: eth0 guessed broadcast address 192.168.1.255
IP-Config: eth0 complete:
   address: 192.168.1.187    broadcast: 192.168.1.255    netmask 255.255.255.0
   gateway: 192.168.1.1      dns0: 192.168.1.2           dns1: 0.0.0.0

So r8169 seems to be loaded and configured, but clevis still fails....

-MN

I just reinstalled after testing "apt install dracut" which resulted in a blank screen after grub :-/

On a fresh installation

allow-hotplug eth0

is missing from /etc/network/interfaces.

Also

update-initramfs -v | grep interfaces

results in an empty output - how do I add this file into initramfs?

Thanks

allow-hotplug eth0
iface eth0 inet dhcp

I would belive that to be needed in order to get the network interface configured before decryption.

I am trying to implement a Network based disk encryption based on LUKS, clevis and tang.

Tang-server is a Pi Zero 2 running Raspberry OS lite and tang from apt repositories.

My client is a fresh installation of Daedalus. I installed clevis using apt:

apt install powertop vim-nox clevis-initramfs clevis-luks clevis-tpm2

and configured LVM-over-LUKS:

root@guldukat:~# lsblk
NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                    8:0    0 29.8G  0 disk  
├─sda1                 8:1    0  365M  0 part  /boot/efi
├─sda2                 8:2    0  954M  0 part  /boot
└─sda3                 8:3    0 28.5G  0 part  
  └─sda3_crypt       254:0    0 28.5G  0 crypt 
    ├─FlashMem-opt   254:1    0  7.4G  0 lvm   /opt
    ├─FlashMem-swap  254:2    0  3.7G  0 lvm   [SWAP]
    └─FlashMem-root  254:3    0 17.3G  0 lvm   /
sdb                    8:16   0  1.8T  0 disk  
└─sdb1                 8:17   0  1.8T  0 part  
  └─sdb1_crypt       254:4    0  1.8T  0 crypt 
    └─USB2TBSSD-data 254:5    0  1.8T  0 lvm   /data

For both /dev/sda3 and /dev/sdb1 the tang server registered successfully:

cryptosetup luksDump /dev/sda3 

reports

...
Tokens:
  0: clevis
	Keyslot:    1
....

I am failing with automatic decryption during boot, as the network is unreachable. As documented in clevis & tang documentation I have:

Changed /etc/default/grub to include

GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.neednet=1 ip=dhcp"

Added the module in /etc/initramfs-tools/modules to include my network card driver:

r8169

Added to /etc/crypttab the options _netdev

sda3_crypt UUID=1f4eXXXX-...-baXXXXX9cf0 none luks,discard,_netdev
sdb1_crypt UUID=7YYYYYe12-...-9a2dbYYYYYYf none luks,discard,_netdev

Recreated initrd using

update-initramfs -v -u -k 'all'

and updated grub

update-grub

However during a reboot no network is found and clevis cannot reach the tang server. The network module and dhpc appears much later after unlocking the disks manually.

My Google-Fu show a lot of recommendations for dracut instead of update-initramfs, but I think the error is more around network availability during early grub or early kernel stages.

Any advice?

Thanks, -MN