Machine with static IP not decrypting its Tang+Clevis encrypted drives on boot?

published Jan 10, 2023, last modified Jan 14, 2023

Notes on Tang, Clevis, Dracut and networking on boot.

As per this bug, Tang and Clevis expect networking to be configured by Dracut on boot.

Except that Dracut does not bring up networking by default for anything but DHCP addresses.  A machine with a static network configuration therefore never reaches the Tang server during early boot: it simply hangs at the boot prompt, waiting for your LUKS recovery passphrase, and the drives do not decrypt.

The fix

To fix this, when you regenerate the Dracut initial RAM disk, you can use the following command line:

dracut -f --regenerate-all --kernel-cmdline \
'ip=192.168.122.100::192.168.122.1:255.255.255.0::eth0:none nameserver=192.168.122.1'

The fields in that quoted string are separated by colons.  The first is the IP address of the host; the third is the default route (gateway); the fourth is the network mask; the sixth is the name of the network interface to configure.  The second and fifth fields (peer address and host name) are deliberately left empty, and the final none tells Dracut to use these static values rather than DHCP.  The nameserver= value after the ip= argument sets the name server.

If you want to make these command line options persistent, write them to a file under /etc/dracut.conf.d (the directory Dracut reads its configuration from; perhaps named static_ip.conf) using the kernel_cmdline setting from dracut.conf(5), as follows:

kernel_cmdline="ip=192.168.122.100::192.168.122.1:255.255.255.0::eth0:none nameserver=192.168.122.1"

Don't forget the standard Dracut setting suggested by the Tang + Clevis documentation, in file /etc/dracut.conf.d/clevis.conf:

hostonly_cmdline=yes
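As an added example (not part of the original post, and not dracut's or Clevis's own tooling), the script below checks the shape of an ip= argument before it is baked into the initramfs, so a mistyped field does not cost another reboot into a hung passphrase prompt, and then renders the persistent kernel_cmdline= and hostonly_cmdline= lines for /etc/dracut.conf.d. It assumes dotted-quad netmasks as in the post; the sample values at the bottom are the post's own.

```shell
#!/bin/bash
# Added example, not code from the original post.  Field layout follows
# dracut.cmdline(7):
#   ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:<autoconf>
# Assumption: netmasks are accepted in dotted-quad form only (as in the post).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    local ip="$1" o
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    local IFS='.'
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Split a dracut ip= argument into named fields and enforce what a static
# configuration needs.  Prints field=value lines on success; returns 1 with a
# diagnostic on stderr otherwise.
check_dracut_ip() {
    local arg="${1#ip=}"
    local client peer gw mask host iface auto extra
    IFS=':' read -r client peer gw mask host iface auto extra <<EOF
$arg
EOF
    if [ -n "$extra" ]; then
        echo "error: more than seven colon-separated fields in '$arg'" >&2; return 1
    fi
    case "$auto" in
        none|off|on|any|dhcp|dhcp6|auto6|ibft) ;;
        *) echo "error: autoconf '$auto' is not a dracut keyword" >&2; return 1 ;;
    esac
    case "$auto" in
        none|off)
            # Static address: these four fields must be present and well-formed.
            is_ipv4 "$client" || { echo "error: bad client IP '$client'" >&2; return 1; }
            is_ipv4 "$gw"     || { echo "error: bad gateway IP '$gw'" >&2; return 1; }
            is_ipv4 "$mask"   || { echo "error: bad netmask '$mask'" >&2; return 1; }
            [ -n "$iface" ]   || { echo "error: interface name is required" >&2; return 1; }
            ;;
    esac
    printf 'client=%s\npeer=%s\ngateway=%s\nnetmask=%s\nhostname=%s\ninterface=%s\nautoconf=%s\n' \
        "$client" "$peer" "$gw" "$mask" "$host" "$iface" "$auto"
}

# Emit the lines to persist in a file under /etc/dracut.conf.d/ (dracut.conf(5)):
# kernel_cmdline= carrying the ip= (and optional nameserver=) argument, plus
# hostonly_cmdline=yes as the Clevis documentation recommends.
render_dracut_conf() {
    local ip_arg="${1#ip=}" ns="$2"
    check_dracut_ip "$ip_arg" >/dev/null || return 1
    if [ -n "$ns" ]; then
        is_ipv4 "$ns" || { echo "error: bad nameserver '$ns'" >&2; return 1; }
        printf 'kernel_cmdline="ip=%s nameserver=%s"\n' "$ip_arg" "$ns"
    else
        printf 'kernel_cmdline="ip=%s"\n' "$ip_arg"
    fi
    printf 'hostonly_cmdline=yes\n'
}

# Constructed sample run using the values from the post.
check_dracut_ip 'ip=192.168.122.100::192.168.122.1:255.255.255.0::eth0:none'
render_dracut_conf 'ip=192.168.122.100::192.168.122.1:255.255.255.0::eth0:none' 192.168.122.1
```

Run it before the dracut -f --regenerate-all step; a non-zero exit with a diagnostic means the string would have been baked into the initramfs with a field in the wrong position.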

Non-boot block devices don't decrypt with Clevis

This is a known issue: Clevis only unlocks the devices that Dracut needs before it pivots to the real root file system, so it does not work for devices that are mounted only after that pivot.  Since every device listed in /etc/fstab must be mounted for the system to finish booting, a machine with such devices will not boot.  Use the /etc/cryptsetup-keys.d facility documented in crypttab(5) to decrypt those drives instead.
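As an added example (not part of the original post, and not part of cryptsetup or systemd), the script below audits that a non-boot volume is wired up the way crypttab(5) describes for the /etc/cryptsetup-keys.d lookup: its crypttab line leaves the key field empty, "-" or "none", and a non-empty key file named <volume>.key exists in the keys directory with no group or other permission bits. The crypttab and key directory are parameters so it can run against the constructed files in the demo; on a real system they are /etc/crypttab and /etc/cryptsetup-keys.d.

```shell
#!/bin/bash
# Added example, not code from the original post.  Assumption: the key-file
# lookup convention from crypttab(5): a "-"/"none"/empty key field means
# systemd-cryptsetup loads <keysdir>/<volume>.key.

# Print the key field (third column) of the crypttab line whose name is $2.
# Returns 1 when the volume has no (non-comment) entry in file $1.
crypttab_key_field() {
    awk -v vol="$2" '
        $1 !~ /^#/ && $1 == vol { print $3; found = 1; exit }
        END { exit !found }' "$1"
}

# Audit volume $3: crypttab $1 must leave the key to the keys-dir lookup, and
# $2/$3.key must be a non-empty file not readable by group or other.
audit_keyfile_unlock() {
    local crypttab="$1" keysdir="$2" vol="$3" key keyfile perms
    key=$(crypttab_key_field "$crypttab" "$vol") || {
        echo "error: no crypttab entry for $vol" >&2; return 1; }
    case "$key" in
        ""|-|none) keyfile="$keysdir/$vol.key" ;;
        *) echo "error: $vol names key '$key' explicitly, not the cryptsetup-keys.d lookup" >&2
           return 1 ;;
    esac
    if [ ! -f "$keyfile" ] || [ ! -s "$keyfile" ]; then
        echo "error: $keyfile is missing or empty" >&2; return 1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "error: $keyfile is readable by group/other (bits: $perms)" >&2; return 1
    fi
    echo "$vol: unlock via $keyfile looks sane"
}

# Demo on constructed files in a temporary directory (not a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<EOF
# <name>  <device>                  <key>  <options>
data      UUID=constructed-uuid-1   -      luks
scratch   UUID=constructed-uuid-2   none   luks,discard
EOF
mkdir -p "$demo_dir/keys"
printf 'constructed-key-material\n' > "$demo_dir/keys/data.key"
chmod 0600 "$demo_dir/keys/data.key"
audit_keyfile_unlock "$demo_dir/crypttab" "$demo_dir/keys" data
audit_keyfile_unlock "$demo_dir/crypttab" "$demo_dir/keys" scratch || echo "(expected: scratch has no key file yet)"
rm -rf "$demo_dir"
```

The permission check matters because the key file lives in plain text on the already-unlocked root volume; anything wider than owner-only read hands the non-boot volume's key to every local account.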