
Question: USB fallback on headless tang bound machines

Open spacerunner5 opened this issue 2 years ago • 1 comments

Hi,

please excuse, this is not an issue but rather a question posted here due to the lack of finding the required documentation on the required scenario:

Clevis client bound to a tang server, multiple disks encrypted. Scenario: network failure, no tang server available, forced offline boot etc.

Question: How can I configure a headless machine to auto decrypt (luksopen) on boot using keys stored on a USB key if tang servers are not available anymore?

Is it correct that clevis does not have such a functionality built in currently?

Any help / resources / hints are greatly appreciated.

Thank you :)

Edit: Of course it is assumed that the "rescue key medium" is not permanently attached to the machines.

spacerunner5, Jan 13 '23 10:01

Years ago, I created a "medium" pin for precisely that purpose: https://github.com/cbiedl/clevis/commit/5ec0fbc8be6bee1e4e7d682b8f12bcea277e3e21 For various reasons I'd really like to see it in clevis.

cbiedl, Jan 16 '23 14:01