Running Ubuntu 18.04 with an unencrypted root volume. For what I need this to do, that's fine. But I need to mount and decrypt secondary disks. Following Red Hat's directions here since every Google search for Ubuntu and NBDE/Clevis&Tang takes me there.
*This procedure works flawlessly on RHEL 7.x and CentOS 7.x.
I've gotten as far as partitioning (not using LVM here), encrypting, binding it to a tang server.
First I install the packages:
Code:
apt-get install clevis clevis-systemd clevis-dracut clevis-luks
Then I set up the disk
Code:
echo '<TEMPPASS>'| cryptsetup --verbose luksFormat /dev/xvdc1
Code:
clevis bind luks -f -k- -d /dev/xvdc1 tang '{"url":"http://<IP>:<PORT>","thp":"<KEY>"}' <<< "<TEMPPASS>"
Get rid of the temporary passkey
Code:
echo "<TEMPPASS>" | cryptsetup luksRemoveKey /dev/xvdc1
Unlock the device
Code:
clevis luks unlock -d /dev/xvdc1 -n testluksvol
And Bob's your Auntie. Then I format it and verify it can mount.
Code:
mkfs.ext4 /dev/mapper/testluksvol
Code:
mount /dev/mapper/testluksvol /testluksvol
So far so good. I add the entries to /etc/fstab using _netdev as the directions said:
Code:
/dev/mapper/testluksvol /testluksvol ext4 defaults,_netdev 0 2
Add the entry to /etc/crypttab, also with _netdev, though I didn't think Ubuntu crypttab supported that since it isn't in the crypttab manpage, but whatevs. We're making Chef Boy'R'D here, not world class bolognese:
Code:
testluksvol UUID=<DEVICE UUID> none _netdev
And finally, enable clevis-luks-askpass.path
Code:
systemctl enable clevis-luks-askpass.path
Then we reboot... and it doesn't work. No auto decrypt, no auto mount. It sits for a bit running a job for the device before finally giving up and finishing the boot. So we go look in /var/log/syslog and see this:
Code:
Jun 22 23:06:22 ubuntu03 systemd[1]: dev-disk-by\x2duuid-72ebf50e\x2dc3de\x2d468a\x2d89c3\x2defc869757a51.device: Job dev-disk-by\x2duuid-72ebf50e\x2dc3de\x2d468a\x2d89c3\x2defc869757a51.device/start timed out.
Jun 22 23:06:22 ubuntu03 systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-72ebf50e\x2dc3de\x2d468a\x2d89c3\x2defc869757a51.device.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for Cryptography Setup for testluksvol.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for dev-mapper-testluksvol.device.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for /testluksvol.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for Remote File Systems.
Jun 22 23:06:22 ubuntu03 systemd[1]: remote-fs.target: Job remote-fs.target/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: testluksvol.mount: Job testluksvol.mount/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for File System Check on /dev/mapper/testluksvol.
Jun 22 23:06:22 ubuntu03 systemd[1]: systemd-fsck@dev-mapper-testluksvol.service: Job systemd-fsck@dev-mapper-testluksvol.service/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: dev-mapper-testluksvol.device: Job dev-mapper-testluksvol.device/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: Dependency failed for Local Encrypted Volumes.
Jun 22 23:06:22 ubuntu03 systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: systemd-cryptsetup@testluksvol.service: Job systemd-cryptsetup@testluksvol.service/start failed with result 'dependency'.
Jun 22 23:06:22 ubuntu03 systemd[1]: dev-disk-by\x2duuid-72ebf50e\x2dc3de\x2d468a\x2d89c3\x2defc869757a51.device: Job dev-disk-by\x2duuid-72ebf50e\x2dc3de\x2d468a\x2d89c3\x2defc869757a51.device/start failed with result 'timeout'.
This is a bit beyond frustrating. I got 18.04 specifically because it was supposed to have support for clevis & tang. I wanted to integrate it into an existing env that is running tang servers.
Can anyone, for the love of Linus Torvalds, tell me what I'm doing wrong?
*Update: I discovered that my disk UUID was wrong. Hence broken. Once I updated that, things worked correctly. I'm embarrassingly closing this help request.
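The timeout in the log above is what systemd reports when a crypttab `UUID=` source matches no block device. As an added example (not part of the original post), this script decodes the UUID from the timed-out unit name and lists crypttab entries whose UUID is absent from `blkid` output; the function names and the temporary file path in the usage comment are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not from the original post: find crypttab entries whose
# UUID= source does not exist on this machine.

# Decode the UUID from a systemd device unit name as it appears in syslog,
# e.g. dev-disk-by\x2duuid-72ebf50e\x2dc3de...\x2defc869757a51.device
uuid_from_unit() {
    printf '%s\n' "$1" |
        sed -e 's/\\x2d/-/g' -e 's/^dev-disk-by-uuid-//' -e 's/\.device$//'
}

# Print the UUIDs the system currently sees, one per line (run as root).
present_uuids() {
    blkid -s UUID -o value
}

# check_crypttab CRYPTTAB UUID_LIST
# Prints "name uuid" for every crypttab entry whose UUID= source is not in
# UUID_LIST (a file with one UUID per line). Returns 1 if any is missing.
check_crypttab() {
    local name src rest uuid rc
    rc=0
    while read -r name src rest || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) continue ;;                # /dev/... paths are not checked here
        esac
        if ! grep -qixF -- "$uuid" "$2"; then
            printf '%s %s\n' "$name" "$uuid"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage on a live system (hypothetical temp file path):
#   present_uuids > /tmp/uuids.txt
#   check_crypttab /etc/crypttab /tmp/uuids.txt
```

Running the check before a reboot catches the mismatch without waiting for the device job to time out.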