[CentOS] NBDE, clevis and tang for non-root disk

Tue Nov 27 18:05:46 UTC 2018
mark <m.roth at 5-cent.us>

Radu Radutiu wrote:
> On Tue, Nov 27, 2018 at 3:14 PM mark <m.roth at 5-cent.us> wrote:
>> What we do is to have the encryption key of the secondary filesystem in
>>  /etc/crypttab, which is, of course, 600. As it boots, it decrypts from
>>  that as it mounts the rest of the system.
> Thanks, this is working as expected and it gave me the hint needed to
> find the actual problem. The problem is that the initramfs image generated
> by dracut -f does not include the /etc/crypttab from the OS (it only
> contains the entry for the root device). Once I have  manually added the
> other volumes in the /etc/crypttab file from the initramfs image, clevis
> is able to decrypt all volumes. Now the question is why the generated
> iniramfs image has a different /etc/crypttab.  How can I specify
> /etc/crypttab for the initramfs so that
> furhter kernel updates will not replace it with the wrong file?
Sorry, I think you misunderstood. The key for root is *not* in
/etc/crypttab - that's only for the secondary ones.