When LUKS volumes are unlocked with NBDE, Clevis (the client) and Tang (the server) unlock the disk automatically during boot. By design, the communication between Clevis and Tang is not encrypted, which may conflict with your organization's security policy. I have detailed my proposed solution in this GitHub issue, and now, I believe it's time to provide a more comprehensive explanation.

The challenge arises when the Tang server is served over HTTPS, particularly when the rootfs is also encrypted: the initramfs that must unlock the root volume lacks the CA bundle and the network configuration needed to establish an HTTPS connection. The fix is to add the missing components to the initramfs and make sure they are still present in every initramfs generated after a kernel update. To accomplish this, follow these steps:

  1. Create /etc/dracut.conf.d/clevis.conf (contents below) so that every initramfs generated after a kernel upgrade still contains the required components.

  2. Run dracut -fv --regenerate-all to regenerate the initramfs for the currently running kernel.

# /etc/dracut.conf.d/clevis.conf

hostonly_cmdline=yes
kernel_cmdline+=" rd.neednet=1 "
install_items+=" /etc/pki/tls/certs/ca-bundle.crt "

The hostonly_cmdline=yes option makes dracut store the kernel command line (including the kernel_cmdline additions from this file) inside the initramfs.

The rd.neednet=1 option ensures that the network is brought up in the initramfs before the clevis-tang service starts, since Clevis cannot reach Tang without it.

The install_items+= option copies the system CA bundle, /etc/pki/tls/certs/ca-bundle.crt, into the initramfs so that the HTTPS connection to Tang can be verified. dracut reads this file as shell, so the value appended with += must be a space-padded string, as shown above; otherwise it fuses with any value set earlier.

If you use a private CA, append its CA certificate to the ca-bundle.crt file. I strongly discourage the use of self-signed certificates.
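As an added example (not part of the original post), the script below writes the drop-in with the quoting dracut.conf(5) expects, regenerates the initramfs as described above, and then uses lsinitrd to verify that the clevis module, the CA bundle and rd.neednet=1 actually ended up in the image before the next reboot depends on them. The paths are the RHEL/Fedora ones used in this post; the script name and its `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the dracut drop-in with
# the quoting dracut.conf(5) expects, rebuilds the initramfs and verifies the
# result with lsinitrd before the next reboot depends on it.
# Assumed: RHEL/Fedora layout (paths below) and dracut/lsinitrd installed.

CONF=/etc/dracut.conf.d/clevis.conf
CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Render the drop-in. dracut sources it as shell, so values appended with +=
# must be space-padded strings or they fuse with any earlier value.
render_conf() {
    printf '%s\n' \
        'hostonly_cmdline=yes' \
        'kernel_cmdline+=" rd.neednet=1 "' \
        "install_items+=\" $CA_BUNDLE \""
}

# Read an lsinitrd listing from stdin and require the clevis dracut module,
# the CA bundle and at least one etc/cmdline.d drop-in.
check_listing() {
    listing=$(cat)
    for needle in '^clevis$' "${CA_BUNDLE#/}" 'etc/cmdline.d/'; do
        printf '%s\n' "$listing" | grep -q -- "$needle" \
            || { echo "initramfs is missing: $needle" >&2; return 1; }
    done
}

# Read cmdline.d content from stdin and require rd.neednet=1 as a whole word.
check_cmdline() {
    grep -qw 'rd.neednet=1'
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    render_conf > "$CONF"
    dracut -fv --regenerate-all || return 1
    # With no image argument lsinitrd inspects the running kernel's initramfs.
    lsinitrd | check_listing || return 1
    for f in $(lsinitrd | grep -o 'etc/cmdline.d/[^ ]*' | sort -u); do
        lsinitrd -f "$f"
    done | check_cmdline \
        || { echo "rd.neednet=1 not found in initramfs cmdline" >&2; return 1; }
    echo "initramfs contains everything needed for HTTPS Tang unlock"
}

# Invoked as: sudo sh clevis-https-initramfs.sh run
if [ "${1:-}" = run ]; then main; fi
```

If the check fails after a kernel update, the drop-in was not picked up; fix the file and run dracut again rather than rebooting.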