[CentOS] NBDE, clevis and tang for non-root disk

Tue Nov 27 20:22:26 UTC 2018
Radu Radutiu <rradutiu at gmail.com>

On Tue, Nov 27, 2018 at 8:06 PM mark <m.roth at 5-cent.us> wrote:

> Sorry, I think you misunderstood. The key for root is *not* in
> /etc/crypttab - that's only for the secondary ones.
>
>     mark
>
I understood correctly, it is just that your mentioning that one can put the
key in /etc/crypttab gave me the idea to check whether the initramfs image
will have the same content for crypttab. So now I have 2 working solutions:

1) /etc/crypttab on the OS has a reference to the file that contains the key
to decrypt the second volume (the key is on the encrypted root fs). I have
checked and the initramfs /etc/crypttab has only the line for the root
volume, without any reference to the second volume. The root volume gets
decrypted by clevis+tang. The second volume is decrypted after the root
volume is decrypted, /etc/crypttab is read and the key is found.

2) The initramfs /etc/crypttab was manually updated to add the line for the
second volume. Clevis + tang will decrypt both the root fs and the second
volume.

I was surprised to find out that the /etc/crypttab in the initramfs is
different from the one in the OS. So now I'm searching for the correct way to
force dracut to include /etc/crypttab unchanged in the initramfs image.

Radu
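
The difference described in this message, between the OS /etc/crypttab and the copy inside the initramfs, can be checked with a short script. This is an added example, not part of the original message; the function names are hypothetical, and the volume names, UUID placeholders and key path in the sample data are constructed.

```shell
#!/bin/sh
# Added example: report crypttab volume names that exist in the OS file
# but are absent from the copy packed into the initramfs.
# On a real system the second file would be extracted first, e.g.:
#   lsinitrd -f etc/crypttab > /tmp/initrd.crypttab

# Print the volume name (first field) of every non-comment, non-blank line.
crypttab_names() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1" | LC_ALL=C sort -u
}

# Print names found in $1 (OS crypttab) but not in $2 (initramfs crypttab).
crypttab_missing() {
    ct_os=$(mktemp) && ct_initrd=$(mktemp) || return 1
    crypttab_names "$1" > "$ct_os"
    crypttab_names "$2" > "$ct_initrd"
    LC_ALL=C comm -23 "$ct_os" "$ct_initrd"
    rm -f "$ct_os" "$ct_initrd"
}

# Constructed sample data: the OS file lists both volumes (the second one
# with a key file stored on the encrypted root fs), while the initramfs
# copy carries only the root volume, as in solution 1.
demo() {
    ct_dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'luks-root UUID=<root-uuid> none' \
        'luks-data UUID=<data-uuid> /root/data.key' > "$ct_dir/os"
    printf '%s\n' 'luks-root UUID=<root-uuid> none' > "$ct_dir/initrd"
    crypttab_missing "$ct_dir/os" "$ct_dir/initrd"
    rm -rf "$ct_dir"
}

demo   # prints: luks-data
```

An empty result means every volume in the OS crypttab is also present in the initramfs copy.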