
Include clevis #477

Closed
sghosh151 opened this issue Apr 30, 2019 · 8 comments

Comments

@sghosh151

Include clevis to support automated disk encryption
Related: coreos/ignition#577

@cgwalters
Member

OK I'm in favor of this. I was researching TPMs and LUKS and clevis has pretty good support for this.

@lucab
Contributor

lucab commented Aug 6, 2019

I do like the idea of piggybacking on clevis for LUKS support. However, before blindly including it I think we have some design/experimenting groundwork to do.

In particular, some relevant points are:

  • a rough sketch of what provisioning an encrypted volume on first boot via Ignition looks like
  • a rough sketch of what unlocking an encrypted volume on subsequent boots looks like (especially the root volume)
  • clouds are our main environments, so our direct targets are network-attached secret managers (Vault, AWS KMS, etc.). We should check what clevis's coverage is there.

@sghosh151
Author

On-premise bare metal is a big use case. Encrypted disk is more suitable for bare-metal deployments. Cloud deployments via prebuilt AMI, etc. imply LVM is already configured and common for all instances booted from the same AMI.

@sghosh151
Author

For on-premise deployments, creating a dependency on a pre-existing Tang service should be sufficient.

For cloud deployments, an explicit Tang server setting should be supported to allow reach-back from a cloud VPC to an on-premise Tang service.

@lucab lucab transferred this issue from coreos/fedora-coreos-config May 12, 2020
@rugk
Contributor

rugk commented May 19, 2020

Maybe interesting: Another post on how to use that with TPM2 unlocking.

@dustymabe
Member

This seems to be resolved by the recent work we did to support LUKS on the root device.

coreos/fedora-coreos-config#609
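As an added example, not taken from this thread or from the FCOS project's own documentation: a Butane config in the shape the later root-device LUKS support accepts, binding the root volume to both an on-premise Tang server (the "dependency on a pre-existing Tang service" discussed above) and the machine's TPM2, with a threshold that requires both pins. Assumptions: Butane fcos variant 1.4.0, and a placeholder Tang URL and key thumbprint constructed for this example.

```yaml
variant: fcos
version: 1.4.0
boot_device:
  luks:
    # Network-bound pin: the root volume only unlocks while the Tang
    # server is reachable. URL and thumbprint are placeholders constructed
    # for this example; the real thumbprint comes from the Tang server's
    # advertisement and pins the server key so a spoofed Tang endpoint
    # cannot satisfy this pin.
    tang:
      - url: https://tang.example.internal
        thumbprint: REPLACE_WITH_TANG_KEY_THUMBPRINT
    # Platform-bound pin: a key sealed to this machine's TPM2.
    tpm2: true
    # Require both pins. With the default threshold of 1 either pin alone
    # unlocks, so a disk booted in its original chassis would open via the
    # TPM even when cut off from the Tang server; with 2, unlocking needs
    # both the chassis and a working path to Tang.
    threshold: 2
```

The same `tang`/`tpm2`/`threshold` block applies to non-root volumes under `storage.luks`, where the Tang dependency can be scoped to a data volume instead of the root device.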

@dustymabe dustymabe added the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Sep 16, 2020
@dustymabe
Member

The fix for this went into testing stream release 32.20200923.2.0. Please try out the new release and report issues.

@dustymabe dustymabe added status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. and removed status/pending-testing-release Fixed upstream. Waiting on a testing release. labels Sep 28, 2020
@dustymabe
Member

The fix for this went into stable stream release 32.20200923.3.0.

@dustymabe dustymabe removed the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Oct 7, 2020