proxmox VE + clevis (network based disk encryption)

schuft

Member
Dec 17, 2021
Hello Proxmox-Team,

I'm using Clevis + Tang to enable network based disk encryption on my other systems. That means once I boot a client (clevis), it requests its decryption key from a keyserver (tang) to decrypt its disks. This way the disks can only be opened (and the system booted) when it is in my network.
More details: https://opensource.com/article/20/11/nbde-linux


Sadly this does not work for Proxmox VE (latest version, normal installation, not Debian), since installing clevis (disk decryption client) wants to uninstall proxmox-ve.

Is there a way to install clevis / use NBDE nevertheless?



Code:
root@pve:~# apt install clevis clevis-luks clevis-dracut cryptsetup
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
cryptsetup is already the newest version (2:2.3.7-1+deb11u1).
The following additional packages will be installed:
  clevis-systemd cracklib-runtime dmraid dracut dracut-core dracut-network iputils-arping jose kpartx libcrack2 libdmraid1.0.0.rc16 libdpkg-perl libfile-fcntllock-perl libjose0 libluksmeta0 libnl-genl-3-200 libpwquality-common libpwquality-tools libpwquality1 luksmeta mdadm nbd-client pigz pkg-config
Suggested packages:
  debian-keyring gcc | c-compiler bzr dpkg-dev
The following packages will be REMOVED:
  initramfs-tools proxmox-ve pve-kernel-5.15 pve-kernel-5.15.74-1-pve zfs-initramfs
The following NEW packages will be installed:
  clevis clevis-dracut clevis-luks clevis-systemd cracklib-runtime dmraid dracut dracut-core dracut-network iputils-arping jose kpartx libcrack2 libdmraid1.0.0.rc16 libdpkg-perl libfile-fcntllock-perl libjose0 libluksmeta0 libnl-genl-3-200 libpwquality-common libpwquality-tools libpwquality1 luksmeta mdadm nbd-client pigz pkg-config
0 upgraded, 27 newly installed, 5 to remove and 0 not upgraded.
Need to get 0 B/3,237 kB of archives.
After this operation, 391 MB disk space will be freed.
Do you want to continue? [Y/n] Y
W: (pve-apt-hook) !! WARNING !!
W: (pve-apt-hook) You are attempting to remove the meta-package 'proxmox-ve'!
W: (pve-apt-hook)
W: (pve-apt-hook) If you really want to permanently remove 'proxmox-ve' from your system, run the following command
W: (pve-apt-hook) touch '/please-remove-proxmox-ve'
W: (pve-apt-hook) run apt purge proxmox-ve to remove the meta-package
W: (pve-apt-hook) and repeat your apt invocation.
W: (pve-apt-hook)
W: (pve-apt-hook) If you are unsure why 'proxmox-ve' would be removed, please verify
W: (pve-apt-hook) - your APT repository settings
W: (pve-apt-hook) - that you are using 'apt full-upgrade' to upgrade your system
E: Sub-process /usr/share/proxmox-ve/pve-apt-hook returned an error code (1)
E: Failure running script /usr/share/proxmox-ve/pve-apt-hook

Regards,
Schuft
 
I was having the same problems you were having, then I found a way to make it work. Today is the first time I've ever used Clevis or Tang, so I could be missing something, but this is how I got it to work in my lab:

1. Fresh install of Proxmox on Debian with encrypted root.
2. Next I installed the following packages: apt install clevis clevis-initramfs clevis-luks
3. Then I added my drive to bind to the Tang server: clevis luks bind -d /your/drive tang '{"url":"http://server.address"}' and entered my current LUKS password and confirmed.
4. Finally I updated my initramfs with update-initramfs -u and rebooted.

Like I said, it's my first time using this, so there might be a better way, but it worked for me and seems fine so far.
 
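The procedure above, as an added example that is not WarmEthernet's or Proxmox's own code: a POSIX shell script that runs the same three steps on an initramfs-tools host, but pins the Tang server's advertisement key by thumbprint (the "thp" field of the clevis tang pin) so the bind fails instead of prompting to trust whatever key the URL serves, and then checks that the binding and the initramfs hook are really present. The device path, Tang URL and thumbprint are assumed placeholders; the sample `clevis luks list` line in the comments is constructed.

```shell
#!/bin/sh
# Added example for this thread (not WarmEthernet's or Proxmox's own code):
# WarmEthernet's clevis-initramfs procedure wrapped with two checks a defender
# wants. The bind pins the Tang advertisement key by thumbprint ("thp"), so
# clevis fails instead of prompting to trust whatever key the URL serves, and
# after update-initramfs the script verifies that the binding exists and that
# the initramfs actually contains the clevis hook. DEV, TANG_URL and TANG_THP
# are assumed placeholder values.
set -eu

DEV="${DEV:-/dev/sda3}"                                 # LUKS device (assumption)
TANG_URL="${TANG_URL:-http://tang.example.internal}"    # Tang server (assumption)
TANG_THP="${TANG_THP:-REPLACE_WITH_THUMBPRINT}"         # from tang-show-keys on the server

# Pin config for `clevis luks bind ... tang CONFIG`. With "thp" set, clevis
# rejects an advertisement whose signing-key thumbprint differs.
tang_pin_config() {
    printf '{"url":"%s","thp":"%s"}' "$1" "$2"
}

# 0 if `clevis luks list -d DEV` output ($1) shows a tang pin for URL ($2).
# Constructed sample line:  1: tang '{"url":"http://...","thp":"..."}'
has_tang_binding() {
    printf '%s\n' "$1" | grep -q "^[0-9][0-9]*: tang '.*\"url\":\"$2\""
}

# 0 if an `lsinitramfs` listing ($1) contains a clevis hook or script; without
# it the host still boots straight to the LUKS passphrase prompt.
initramfs_has_clevis() {
    printf '%s\n' "$1" | grep -q '/clevis'
}

apply() {
    apt-get install -y clevis clevis-initramfs clevis-luks
    clevis luks bind -d "$DEV" tang "$(tang_pin_config "$TANG_URL" "$TANG_THP")"
    update-initramfs -u
    has_tang_binding "$(clevis luks list -d "$DEV")" "$TANG_URL" \
        || { echo "no tang binding found on $DEV" >&2; exit 1; }
    initramfs_has_clevis "$(lsinitramfs "/boot/initrd.img-$(uname -r)")" \
        || { echo "clevis hook missing from initramfs" >&2; exit 1; }
    echo "NBDE binding on $DEV verified; keep the LUKS passphrase as fallback"
}

# Only touch the system when explicitly asked; the helpers are usable stand-alone.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as root with `--apply` after verifying the thumbprint out of band; the LUKS passphrase slot stays in place, so the host can still be unlocked manually if the Tang server is unreachable.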
Hello WarmEthernet,
Did you completely remove GRUB and install dracut, or just install clevis without much more?

Could you verify?

Your command seems to indicate you installed clevis without dracut, and the original poster wished to use dracut.
Obviously I'm asking because I'm interested in replacing GRUB with dracut in Proxmox, the same way I did on bare-metal Debian servers.

Maybe the thread title is incorrect, as clevis can be installed without dracut.
Here is what happens for me when trying to install dracut, which is commonly used with clevis:
Code:
root@pve:/# apt install dracut
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run dmraid dracut-core kpartx libdmraid1.0.0.rc16 libdpkg-perl libfile-fcntllock-perl mdadm pigz pkg-config
Suggested packages:
  dracut-network debian-keyring gcc | c-compiler patch git bzr dpkg-dev
The following packages will be REMOVED:
  initramfs-tools proxmox-ve pve-kernel-5.15 pve-kernel-5.15.74-1-pve zfs-initramfs
The following NEW packages will be installed:
  cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run dmraid dracut dracut-core kpartx libdmraid1.0.0.rc16 libdpkg-perl libfile-fcntllock-perl mdadm pigz pkg-config
0 upgraded, 14 newly installed, 5 to remove and 14 not upgraded.
Need to get 3,397 kB of archives.
After this operation, 391 MB disk space will be freed.
Do you want to continue? [Y/n]

It seems to be caused by initramfs-tools conflicting with dracut:
Code:
root@pve:/# apt-cache depends initramfs-tools
initramfs-tools
  Depends: initramfs-tools-core
  Depends: linux-base
  Conflicts: <linux-initramfs-tool>
    dracut
    tiny-initramfs
  Conflicts: <usplash>
  Breaks: e2fsprogs
  Breaks: initscripts
  Breaks: <upstart>
  Suggests: bash-completion
But initramfs-tools is a dependency of zfs-initramfs and pve-kernel-5.15.74-1-pve.

dracut seems to support zfs:
https://openzfs.github.io/openzfs-docs/man/7/dracut.zfs.7.html
and the zfs-dracut package is available in Debian Bullseye, since the manpage exists for it:
https://manpages.debian.org/bullseye-backports/zfs-dracut/dracut.zfs.7.en.html

@proxmox team, is it possible to be more flexible with the init and make the package need zfs-initramfs OR zfs-dracut? Either of the two should pull the required bootloader with them as their own dependencies.
 
Hey Zulgrib,

All I did was install clevis. I'm not sure if the original poster really cared if they were using dracut or not as it appears they just wanted to get NBDE working. This was the question I was answering -
Is there a way to install clevis / use NBDE nevertheless?
When I was trying to get this to work for myself, I found most tutorials were on systems that used dracut instead of initramfs. I think Red Hat were the ones who developed clevis, so it makes sense that most tutorials were using Red Hat documentation that assumes dracut is used instead of initramfs-tools. I'm still really new to a lot of this stuff and honestly have no idea why people would choose one over the other, or the pros vs cons of each. I just wanted the easiest method to get it working, found a way that worked for me, and wanted to share with someone who might also be around my level of knowledge and experienced the same block as I did.
 
You are spot-on, I read up on clevis with resources from Red Hat and ArchLinux and incorrectly assumed dracut was a requirement.

For the pros and cons between the initramfs-tools and dracut stacks: on my machines I had better boot times using dracut, and it was easier for me to add arbitrary binaries and actions in dracut. I also had a lot of trouble for days booting with an encrypted boot partition using the usual GRUB stack, while I managed to make it work in 3 tries with dracut+systemd-boot. Maybe I'm doing something wrong when using initramfs-tools+GRUB; dracut is a lot easier to understand for me.
 
@schuft do you need dracut + clevis or just clevis? Clevis seems to work without dracut. If dracut is important for you, we may need action from Proxmox maintainers to resolve the package conflict.
 
A bit late (shame on me) but let me answer :)

I don't need dracut - I was just assuming that it is needed from the documentation I have read. If it works without it, that's perfect.

Thank you for pointing that out!
 