The officially official Devuan Forum!


#1 2024-05-12 10:04:24

Morgennebel
Member
Registered: 2017-06-07
Posts: 17  

[SOLVED] Network based disk encryption using clevis & tang fails

Hej,

I am trying to implement a network-based disk encryption based on LUKS, clevis and tang.

The tang server is a Pi Zero 2 running Raspberry OS lite, with tang from the apt repositories.

My client is a fresh installation of Daedalus. I installed clevis using apt:

apt install powertop vim-nox clevis-initramfs clevis-luks clevis-tpm2

and configured LVM-over-LUKS:

root@guldukat:~# lsblk
NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                    8:0    0 29.8G  0 disk  
├─sda1                 8:1    0  365M  0 part  /boot/efi
├─sda2                 8:2    0  954M  0 part  /boot
└─sda3                 8:3    0 28.5G  0 part  
  └─sda3_crypt       254:0    0 28.5G  0 crypt 
    ├─FlashMem-opt   254:1    0  7.4G  0 lvm   /opt
    ├─FlashMem-swap  254:2    0  3.7G  0 lvm   [SWAP]
    └─FlashMem-root  254:3    0 17.3G  0 lvm   /
sdb                    8:16   0  1.8T  0 disk  
└─sdb1                 8:17   0  1.8T  0 part  
  └─sdb1_crypt       254:4    0  1.8T  0 crypt 
    └─USB2TBSSD-data 254:5    0  1.8T  0 lvm   /data

For both /dev/sda3 and /dev/sdb1 the tang server registered successfully:

cryptsetup luksDump /dev/sda3

reports

...
Tokens:
  0: clevis
	Keyslot:    1
....

I am failing with automatic decryption during boot, as the network is unreachable. As documented in the clevis & tang documentation, I have:

Changed /etc/default/grub to include

GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.neednet=1 ip=dhcp"

Added my network card driver module to /etc/initramfs-tools/modules:

r8169

Added the option _netdev to /etc/crypttab:

sda3_crypt UUID=1f4eXXXX-...-baXXXXX9cf0 none luks,discard,_netdev
sdb1_crypt UUID=7YYYYYe12-...-9a2dbYYYYYYf none luks,discard,_netdev

Recreated initrd using

update-initramfs -v -u -k 'all'

and updated grub

update-grub

However, during a reboot no network is found and clevis cannot reach the tang server. The network module and dhcp appear much later, after unlocking the disks manually.

My Google-Fu shows a lot of recommendations for dracut instead of update-initramfs, but I think the error is more around network availability during early grub or early kernel stages.

Any advice?

Thanks, -MN

Last edited by Morgennebel (2024-05-17 14:37:54)

Offline
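The steps above put the NIC driver, the crypttab entries and the ip= parameter in place, but nothing in the procedure verifies that the rebuilt initrd actually contains them. The following shell script, added here as an example and not code from clevis, tang or initramfs-tools, checks an lsinitramfs listing for those pieces and checks the kernel command line for an ip= parameter, so a missing module or hook shows up before a reboot. The initrd paths it looks for (scripts/local-top/cryptroot, cryptroot/crypttab, scripts/local-top/clevis) are assumptions about how cryptsetup-initramfs and clevis-initramfs lay out the initrd on Daedalus; adjust them if your initrd differs.

```shell
#!/bin/sh
# check-clevis-initrd.sh -- added example, not code from clevis, tang or
# initramfs-tools. Checks that an initrd built by update-initramfs contains
# the pieces a clevis/tang unlock needs before the root filesystem is open.
#
# Assumed paths inside the initrd (how cryptsetup-initramfs and
# clevis-initramfs are believed to lay it out on Daedalus):
#   usr/lib/modules/*/kernel/.../<module>.ko[.xz]  NIC driver
#   scripts/local-top/cryptroot                     cryptsetup unlock script
#   cryptroot/crypttab                              crypttab copied into initrd
#   scripts/local-top/clevis                        clevis unlock script

# check_initrd_listing LISTING MODULE
#   LISTING: output of `lsinitramfs <initrd>`; MODULE: NIC driver name (r8169).
#   Prints one "missing: ..." line per absent item; returns 1 if any is absent.
check_initrd_listing() {
    listing=$1
    module=$2
    missing=0
    # _need REGEX DESCRIPTION  (POSIX sh has no 'local', so these are globals)
    _need() {
        if ! printf '%s\n' "$listing" | grep -Eq "$1"; then
            echo "missing: $2"
            missing=1
        fi
    }
    _need "/${module}\.ko(\.[a-z]+)?$"   "kernel module $module (NIC driver; check /etc/initramfs-tools/modules)"
    _need "scripts/local-top/cryptroot$" "cryptsetup unlock script (cryptsetup-initramfs)"
    _need "cryptroot/crypttab$"          "crypttab copied into the initrd"
    _need "scripts/local-top/clevis$"    "clevis unlock script (clevis-initramfs)"
    return $missing
}

# check_cmdline CMDLINE
#   initramfs-tools configures the network from the ip= kernel parameter;
#   without it nothing brings eth0 up before cryptroot asks for the passphrase.
check_cmdline() {
    for tok in $1; do
        case $tok in
            ip=*) echo "cmdline: network will be configured from '$tok'"; return 0 ;;
        esac
    done
    echo "cmdline: no ip= parameter, the initrd will not bring up the network"
    return 1
}

# Usage on a real system (both arguments required):
#   sh check-clevis-initrd.sh /boot/initrd.img-$(uname -r) r8169
if [ $# -ge 2 ] && [ -r "$1" ]; then
    if check_initrd_listing "$(lsinitramfs "$1")" "$2"; then
        echo "initrd $1: all expected pieces present"
    fi
    check_cmdline "$(cat /proc/cmdline)"
fi
```

Run it against the initrd for the kernel you boot, not only the newest one; update-initramfs -k all rebuilds every installed kernel's initrd, but a stale /boot/initrd.img symlink or a grub entry pointing at an older image still boots without the new hooks.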

#2 2024-05-12 12:42:33

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,189  

Re: [SOLVED] Network based disk encryption using clevis & tang fails

Does your initrd contain file /etc/network/interfaces with the lines

allow-hotplug eth0
iface eth0 inet dhcp

I would believe that to be needed in order to get the network interface configured before decryption.

Offline

#3 2024-05-12 14:48:23

Morgennebel
Member
Registered: 2017-06-07
Posts: 17  

Re: [SOLVED] Network based disk encryption using clevis & tang fails

Thank you.

I just reinstalled after testing "apt install dracut" which resulted in a blank screen after grub :-/

On a fresh installation

allow-hotplug eth0

is missing from /etc/network/interfaces.

Also

update-initramfs -v | grep interfaces

results in empty output. How do I add this file into the initramfs?

Thanks

Offline
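One way to put a file such as /etc/network/interfaces into an initramfs-tools initrd, added here as an example and not part of clevis, tang or initramfs-tools: a hook script under /etc/initramfs-tools/hooks/ that sources hook-functions and calls copy_file, after which update-initramfs picks it up. The function below writes that hook into a directory given as an argument (the hook file name clevis-interfaces is an arbitrary choice) and a second function sanity-checks it before the initrd is rebuilt. One caveat: the initrd's own network setup (configure_networking in initramfs-tools) reads the ip= kernel parameter, not /etc/network/interfaces, so the copied file is only consulted by a script that explicitly reads it; the mechanism shown is the same for any other file an unlock script needs.

```shell
#!/bin/sh
# Added example (not part of clevis, tang or initramfs-tools): write an
# initramfs-tools hook that copies /etc/network/interfaces into the initrd.
# The hook name "clevis-interfaces" is an arbitrary choice.

# write_interfaces_hook HOOKDIR
#   Creates HOOKDIR/clevis-interfaces, executable, and prints its path.
#   On a real system HOOKDIR is /etc/initramfs-tools/hooks.
write_interfaces_hook() {
    hookdir=$1
    hook="$hookdir/clevis-interfaces"
    mkdir -p "$hookdir"
    cat > "$hook" <<'EOF'
#!/bin/sh
# initramfs-tools hook: include /etc/network/interfaces in the initrd.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
# copy_file TYPE SOURCE [DESTINATION]; TYPE is a label shown in verbose output
if [ -r /etc/network/interfaces ]; then
    copy_file config /etc/network/interfaces /etc/network/interfaces
fi
exit 0
EOF
    chmod 0755 "$hook"
    echo "$hook"
}

# hook_is_valid HOOKFILE
#   Sanity check before rebuilding the initrd: the hook is executable,
#   calls copy_file, and answers the "prereqs" query without sourcing
#   hook-functions (which only exists where initramfs-tools is installed).
hook_is_valid() {
    [ -x "$1" ] || return 1
    grep -q 'copy_file config /etc/network/interfaces' "$1" || return 1
    sh "$1" prereqs >/dev/null 2>&1
}

# Usage on a real system (as root), then rebuild and verify the file is inside:
#   write_interfaces_hook /etc/initramfs-tools/hooks
#   update-initramfs -u -k all
#   lsinitramfs /boot/initrd.img-$(uname -r) | grep etc/network/interfaces
```

The lsinitramfs line at the end is the check that answers the "update-initramfs -v | grep interfaces" question directly: if the path is listed, the hook ran and the file is in the image.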

#4 2024-05-12 15:53:27

Morgennebel
Member
Registered: 2017-06-07
Posts: 17  

Re: [SOLVED] Network based disk encryption using clevis & tang fails

Some more digging:

ip=dhcp

as kernel parameter within /etc/default/grub raised errors. Replaced this with

ip=192.168.1.187::192.168.1.1:255.255.255.0:guldukat:eth0:none:192.168.1.2

which adds one more step:

...
cryptsetup: WARNING: sdb3_crypt: ignoring unknown option '_netdev'
Please unlock disk sdb3_crypt: Begin: clevis: Waiting for interface eth0 to become available ... done
Begin: Waiting up to 180 secs for eth0 to become available ... done
IP-Config: eth0 hardware address d8:XX:XX.XX.XX.XX:XX mtu 1500
IP-Config: eth0 guessed broadcast address 192.168.1.255
IP-Config: eth0 complete:
   address: 192.168.1.187    broadcast: 192.168.1.255    netmask 255.255.255.0
   gateway: 192.168.1.1      dns0: 192.168.1.2           dns1: 0.0.0.0

So r8169 seems to be loaded and configured, but clevis still fails....

-MN

Last edited by Morgennebel (2024-05-12 15:59:35)

Offline

#5 2024-05-12 21:42:09

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,189  

Re: [SOLVED] Network based disk encryption using clevis & tang fails

Ok.

Perhaps it requires "netconsole" for entering password if you don't have console access.
See https://www.kernel.org/doc/Documentatio … onsole.txt

That would mean to use the "netconsole=" boot parameter rather than (or maybe together with) the "ip=" parameter. At the console end you can run a "socat" process, as per example "3)" on that page.

EDIT: you might also want/need the pty option on the socat service, to make it "user friendlier".

EDIT 2: It's probably obvious, but I don't know anything about "clevis" or "tang", so keep filtering my loose ideas.

Offline

#6 2024-05-17 14:37:28

Morgennebel
Member
Registered: 2017-06-07
Posts: 17  

Re: [SOLVED] Network based disk encryption using clevis & tang fails

Offline
