[CentOS] NBDE, clevis and tang for non-root disk

Tue Nov 27 18:05:46 UTC 2018
mark <m.roth at 5-cent.us>

Radu Radutiu wrote:
> On Tue, Nov 27, 2018 at 3:14 PM mark <m.roth at 5-cent.us> wrote:
>
>> What we do is to have the encryption key of the secondary filesystem in
>> /etc/crypttab, which is, of course, 600. As it boots, it decrypts from
>> that as it mounts the rest of the system.
>>
> Thanks, this is working as expected and it gave me the hint needed to
> find the actual problem. The problem is that the initramfs image generated
> by dracut -f does not include the /etc/crypttab from the OS (it only
> contains the entry for the root device). Once I have manually added the
> other volumes in the /etc/crypttab file from the initramfs image, clevis
> is able to decrypt all volumes. Now the question is why the generated
> initramfs image has a different /etc/crypttab. How can I specify
> /etc/crypttab for the initramfs so that
> further kernel updates will not replace it with the wrong file?
>
Sorry, I think you misunderstood. The key for root is *not* in
/etc/crypttab - that's only for the secondary ones.

    mark
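
A check for the mismatch described in the quoted text (volumes listed in the OS /etc/crypttab but absent from the copy inside the initramfs), as an added example that is not part of the original thread. The function names are hypothetical, and the image path in the usage comment is an assumption about where the initramfs lives.

```shell
#!/bin/sh
# Added example: report crypttab entries that the initramfs copy lacks.

# Print the mapping names (first field) of a crypttab file,
# skipping blank lines and comments.
crypttab_names() {
    awk '$1 != "" && $1 !~ /^#/ { print $1 }' "$1" | LC_ALL=C sort -u
}

# $1 = crypttab from the running OS, $2 = crypttab extracted from the image.
# Prints names found only in $1; returns 1 if there are any, 0 otherwise.
crypttab_missing() {
    os_names=$(mktemp)
    img_names=$(mktemp)
    crypttab_names "$1" > "$os_names"
    crypttab_names "$2" > "$img_names"
    missing=$(LC_ALL=C comm -23 "$os_names" "$img_names")
    rm -f "$os_names" "$img_names"
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Usage after a kernel update or "dracut -f" (image path is an assumption):
#   lsinitrd -f etc/crypttab "/boot/initramfs-$(uname -r).img" > /tmp/crypttab.img
#   crypttab_missing /etc/crypttab /tmp/crypttab.img \
#       || echo "volumes above are not in the initramfs crypttab"
```
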