
Run “clevis luks bind” as late-command in subiquity/autoinstall

There are different approaches and methods for implementing file system encryption on Linux servers, sometimes depending on the file system itself. LUKS is independent of the file system, forming a layer on the block device but under the file system.

Manual unlocking is the standard: the initramfs launches a small program that prompts for the passphrase. To automate this, you can use your machine’s TPM 2.0 module.

Within production environments it may be feasible to combine TPM 2.0 with Clevis/Tang as a fallback: when the TPM 2.0 state gets reset by a firmware upgrade or a user error, there is still an automated path to unlock. If that fails too, manual passphrase entry always remains, but only as an absolute last resort.

Within production environments it is also common to deploy nodes automatically, for example with the Subiquity installer and autoinstall. This requires several files, including a user-data file that contains most of the instructions and data for an automated install. To incorporate the automated LUKS unlock with TPM 2.0 and Clevis/Tang, a couple of commands must be run during the installation. autoinstall is extremely picky when it comes to escaping, hence this post with a working solution:

  late-commands:
    - apt-get -y install clevis clevis-tpm2 clevis-luks clevis-udisks2 clevis-systemd clevis-initramfs
    - printf "supersecret" | clevis luks bind -y -k - -d /dev/sda3 sss '{"t":1,"pins":{"tpm2":{},"tang":{"url":"http://tang01.local"}}}'

These two late commands are formatted for, and were tested with, the autoinstall of Ubuntu 24.04.
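As an added illustration of the escaping point (this is not code from the post), the following Python builds the SSS policy as a dict and renders the same two late-commands with json.dumps and shlex.quote instead of hand-escaping, and models what the t=1 threshold means for the TPM/Tang fallback. The Tang URL, device and package list are taken from the snippet above; the function names and the YAML plain-scalar check are assumptions of this example.

```python
import json
import shlex

# Constructed values matching the post's snippet; adjust for your site.
TANG_URL = "http://tang01.local"
LUKS_DEVICE = "/dev/sda3"
PACKAGES = ["clevis", "clevis-tpm2", "clevis-luks", "clevis-udisks2",
            "clevis-systemd", "clevis-initramfs"]


def sss_policy(threshold: int, tang_url: str) -> dict:
    """Clevis SSS policy with a TPM 2.0 pin and a Tang pin. With t=1 either
    pin alone recovers the key: TPM 2.0 normally, Tang after a TPM reset."""
    return {"t": threshold, "pins": {"tpm2": {}, "tang": {"url": tang_url}}}


def can_unlock(policy: dict, working_pins: set) -> bool:
    """True when enough pins work to meet the threshold; otherwise only the
    manual passphrase remains at boot."""
    return len(set(policy["pins"]) & working_pins) >= policy["t"]


def bind_command(device: str, policy: dict) -> str:
    """Render the 'clevis luks bind' late-command with shell-safe quoting.
    Compact separators matter: json.dumps' default '": "' would put a
    colon-space into the YAML plain scalar, which YAML reads as a mapping
    key. shlex.quote adds the single quotes the shell needs around JSON."""
    cfg = json.dumps(policy, separators=(",", ":"))
    return ('printf "supersecret" | clevis luks bind -y -k - '
            f"-d {shlex.quote(device)} sss {shlex.quote(cfg)}")


def is_plain_scalar_safe(cmd: str) -> bool:
    """Check that a command can stand as an unquoted YAML list item."""
    return (": " not in cmd and " #" not in cmd
            and cmd[0] not in "-?:,[]{}#&*!|>'\"%@`")


def late_commands_yaml(device: str, policy: dict) -> str:
    """Emit the autoinstall late-commands fragment shown in the post."""
    cmds = ["apt-get -y install " + " ".join(PACKAGES),
            bind_command(device, policy)]
    if not all(is_plain_scalar_safe(c) for c in cmds):
        raise ValueError("command needs explicit YAML quoting")
    return "\n".join(["  late-commands:"] + ["    - " + c for c in cmds])


if __name__ == "__main__":
    print(late_commands_yaml(LUKS_DEVICE, sss_policy(1, TANG_URL)))
```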