From what I can see here, LUKS keyfiles (provided or generated) are only written to sysroot if clevis hasn't been configured. This makes the resulting setup brittle if both a keyfile and clevis have been configured and the keyfiles have been generated by Ignition itself. We end up with a LUKS device with two keys, one stored in the TPM, the other being effectively unusable, as it was generated randomly, used, then discarded.
While we're at it: would it be possible to change the default location of the keyfiles to /etc/cryptsetup-keys.d/volumename.key to align with systemd defaults?
Thanks!
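The condition described in the report (a LUKS2 volume with a clevis-bound keyslot plus a second keyslot whose randomly generated keyfile never reached the root filesystem) can be audited from `cryptsetup luksDump` output. The script below is an added example, not part of the issue or of the Ignition project: it parses a constructed luksDump sample, identifies which keyslots are bound by a clevis token, and flags the remaining keyslots as unreachable unless a keyfile for the volume exists on disk. The keyfile locations it checks (the systemd default `/etc/cryptsetup-keys.d/<name>.key` and an assumed `/etc/luks/<name>`) and the volume name `data` are assumptions for the example; the set of files "on disk" is passed in so the check runs offline.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of `cryptsetup luksDump` output (abridged) for a LUKS2
# volume with two keyslots; slot 1 is bound by a clevis token, slot 0 is not.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
"""


def parse_luks_dump(text: str) -> Dict[str, object]:
    """Extract keyslot numbers and token -> keyslot bindings from luksDump output."""
    keyslots: List[int] = []
    tokens: Dict[int, Dict[str, object]] = {}
    section = None
    current_token = None
    for line in text.splitlines():
        # Top-level section headers are unindented and end with a colon.
        if not line.startswith((" ", "\t")) and line.endswith(":"):
            section = line[:-1]
            current_token = None
            continue
        entry = re.match(r"^\s+(\d+): (\S+)", line)
        if entry and section == "Keyslots":
            keyslots.append(int(entry.group(1)))
        elif entry and section == "Tokens":
            current_token = int(entry.group(1))
            tokens[current_token] = {"type": entry.group(2), "keyslots": set()}
        elif section == "Tokens" and current_token is not None:
            bound = re.match(r"^\s+Keyslot:\s+(\d+)", line)
            if bound:
                tokens[current_token]["keyslots"].add(int(bound.group(1)))
    return {"keyslots": keyslots, "tokens": tokens}


def audit_keyslots(dump: str, volume: str,
                   keyfiles_on_disk: Iterable[str]) -> Dict[str, List[int]]:
    """Classify keyslots as clevis-bound, keyfile-backed, or unreachable.

    A keyslot that is not bound by a clevis token can only be opened
    non-interactively if a keyfile for the volume exists on the root
    filesystem; otherwise it is dead weight (the report's discarded key).
    """
    parsed = parse_luks_dump(dump)
    clevis_slots: Set[int] = set()
    for token in parsed["tokens"].values():
        if token["type"] == "clevis":
            clevis_slots |= token["keyslots"]
    other_slots = [s for s in parsed["keyslots"] if s not in clevis_slots]
    # Assumed keyfile locations: systemd default, plus a legacy per-volume path.
    candidates = {f"/etc/cryptsetup-keys.d/{volume}.key", f"/etc/luks/{volume}"}
    has_keyfile = bool(candidates & set(keyfiles_on_disk))
    return {
        "clevis": sorted(clevis_slots),
        "keyfile_backed": other_slots if has_keyfile else [],
        "unreachable": [] if has_keyfile else other_slots,
    }


if __name__ == "__main__":
    # The situation from the report: clevis configured, generated keyfile never persisted.
    print(audit_keyslots(SAMPLE_DUMP, "data", keyfiles_on_disk=set()))
    # The intended outcome: keyfile persisted at the systemd default location.
    print(audit_keyslots(SAMPLE_DUMP, "data",
                         keyfiles_on_disk={"/etc/cryptsetup-keys.d/data.key"}))
```

On a real host the dump text would come from `cryptsetup luksDump <device>` and the keyfile set from a directory listing; a non-empty `unreachable` list is the signal that a keyslot exists whose key material is nowhere on the system.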