Question 1

How to set up Clevis with a YubiKey for disk encryption?

Accepted Answer

Install clevis-pin-pkcs11, use the PKCS#11 URI with the module path (e.g., libykcs11.so), and enable the clevis-luks-pkcs11-askpass socket. The README provides specific binding commands and notes the need for PIN handling via systemd.

Question 2

Clevis vs manual LUKS passphrases: which is better for servers?

Accepted Answer

Clevis automates decryption with policy-based pins, ideal for hands-off server management but adds complexity and dependencies. Manual passphrases are simpler but require physical or remote access for each unlock.

Question 3

What happens if my Tang server is down during boot?

Accepted Answer

Decryption will fail, potentially halting boot unless fallback mechanisms like SSS with multiple pins are configured. The README suggests using threshold policies to mitigate single points of failure.

Question 4

Can Clevis work without a TPM2 or network access?

Accepted Answer

Yes, but core features like Tang and TPM2 require specific hardware or networks. You can use other pins or local configurations, but automation benefits may be limited without those components.

Question 5

How to implement Shamir Secret Sharing with multiple decryption methods?

Accepted Answer

Use the SSS pin in encryption commands, specifying a threshold and child pins like Tang and TPM2. The README shows examples where t=2 requires both pins to succeed for decryption.

Question 6

Is Clevis secure for production with PKCS#11 given the RSA limitations?

Accepted Answer

While Clevis leverages HSMs for security, the PKCS#11 pin's support for only RSA mechanisms and insecure RSA-PKCS mode requires careful configuration. Use secure algorithms and test thoroughly in your environment.

Clevis

What is Clevis?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions