Hi. I have successfully implemented clevis/tang on my Debian 12 servers. I'll be happy to help. I have a video and instructions I made just a couple of months ago for implementing clevis on Debian 12 (I have not tested it on any other Debian distro). Just google search for debian tang-clevis-for-a-luks-encrypted-debian-server and that should find my article/video (I am an Old Guy doing selfhosting, and that's the basis for my site name).
The issue you are facing with Debian is that it doesn't auto-connect to a network pre-luks decryption, so we need to add a couple of extra configs. We need to set networking (IP) and, for accessing remote tang servers, also set up a DNS nameserver so you can resolve a name into an IP (not needed for a LAN tang server only). And we activate this prior to luks decryption. It doesn't work if you follow some of the instructions for other distros, but with some minor tweaks, it DOES WORK for Debian 12. My blog/video covers both of these. My blog is long because I tried to be very detailed, but it comes down to two simple edits you do after you 'sudo apt install clevis jose' and configure clevis.
I use clevis to routinely unlock all my servers (I have...too many). In fact, I use TWO tang servers to give me even better control (I am a bit of a data-security freak). At boot up, my servers grab a blinded partial luks key fragment from a local highly-available tang server, and another fragment from a (very) remote one. It gives me huge control of auto-decryption - I can turn it on for maximum convenience, turn it off for maximum security and script for anything in between.
WELL DONE YOU for using luks; even more so for using dropbear (which is pretty neat, but still...manual) and EVEN MORE WELL DONE for doing it smartly with clevis, which is now ALL that I do!
Email/twitter or message me if you need help. It's REALLY GOOD to do this as it improves data security without compromising convenience too much, Good Luck!!
Andrew Wilson (OGSelfHosting)

Statistics: Posted by OGSelfHosting — 2024-03-13 13:53 — Replies 6 — Views 190
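The two ideas in the post (bring the network up before cryptsetup runs, and split the LUKS key across a local and a remote tang server) can be illustrated with a small helper script. This is an added example, not the poster's own scripts or the clevis project's code: it builds the clevis SSS pin configuration for two tang servers with a chosen threshold, and a static `ip=` kernel parameter in the Linux nfsroot syntax (the one way of giving the initramfs an address and a DNS server that is assumed here; the poster's two Debian edits are not reproduced). All URLs, addresses, hostnames and the device path are constructed placeholders, and the `clevis luks bind` command is only printed, never run.

```shell
#!/bin/sh
# Added example (not from the forum post): clevis SSS config for two tang
# servers plus a pre-LUKS network setting for the Debian initramfs.

# sss_pin_config THRESHOLD LOCAL_TANG_URL REMOTE_TANG_URL
# t=2: both tang servers must answer, so taking either one offline (or
#      blocking its route) disables auto-unlock and the boot falls back to
#      the passphrase prompt. This is the "maximum security" setting.
# t=1: either server alone is enough: "maximum convenience".
sss_pin_config() {
    t="$1"; local_url="$2"; remote_url="$3"
    case "$t" in
        1|2) ;;
        *) echo "threshold must be 1 or 2 for two pins" >&2; return 1 ;;
    esac
    printf '{"t":%s,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
        "$t" "$local_url" "$remote_url"
}

# initramfs_ip_param CLIENT_IP GATEWAY NETMASK HOSTNAME DEVICE DNS0
# Static ip= kernel parameter (client:server:gw:netmask:host:dev:autoconf:dns0)
# so the initramfs has a route and a resolver before the key is requested.
# The empty second field is the NFS server address, unused here.
initramfs_ip_param() {
    printf 'ip=%s::%s:%s:%s:%s:off:%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# clevis_bind_cmd LUKS_DEVICE SSS_CONFIG
# Prints the bind command for review; run it yourself only on a real
# LUKS device after checking the config.
clevis_bind_cmd() {
    printf "clevis luks bind -d %s sss '%s'" "$1" "$2"
}

# Constructed example values (placeholders, not real hosts).
cfg=$(sss_pin_config 2 http://tang.lan http://tang.example.net)
echo "SSS config: $cfg"
echo "Kernel parameter: $(initramfs_ip_param 192.0.2.10 192.0.2.1 255.255.255.0 srv1 eth0 192.0.2.53)"
echo "Bind command: $(clevis_bind_cmd /dev/sda3 "$cfg")"
```

With `t=2` the remote tang server acts as a kill switch: stop it, or drop its route, and every server that depends on it stops unlocking unattended until an operator types the passphrase. Whatever networking method you use in the initramfs, confirm after `update-initramfs -u` that the initramfs can reach both tang URLs before relying on it, since a server that cannot reach its tang peers simply waits at the LUKS prompt.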