Using Clevis + Tang for network-bound automatic disk unlock

Clevis + Tang allows a LUKS-encrypted disk to unlock automatically at boot when the server can reach a trusted Tang server over the network. The Tang server never sees or stores the disk key: at bind time the client derives a key from Tang's advertised public keys, and at boot it recovers that key through a short exchange with the server. A VPS booted where Tang is reachable therefore unlocks itself; a copy of the disk booted somewhere that cannot reach Tang does not. The flip side is that anyone who can boot the client on that network gets an unlocked disk, so this protects data at rest against offline access to the volume, not against an attacker who controls the VPS or its network.

This can be useful if you want encrypted storage while still allowing a VPS to reboot unattended. It is best suited to private-network setups where the client reaches the Tang server over a VPC: Tang speaks plain HTTP and the protocol does not rely on transport security, but the server should still only be reachable by the clients that need it.


Prerequisites:

  • A Tang server on the same private network or VPC.
  • A client VPS using a LUKS-encrypted disk or volume.
  • Root or sudo access on both systems.
  • The original LUKS passphrase kept available for recovery.

Installation


1. Install and start Tang


On a server in the same private network as the protected VPS:

apt update
apt install -y tang ufw
systemctl enable --now tangd.socket


Tang listens on TCP port 80 by default. Allow access only from the private IPs of the clients that need it; in this example the client is 10.10.0.5:

ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.10.0.5 to any port 80 proto tcp
ufw enable


2. Install Clevis on the client VPS


apt update
apt install -y clevis clevis-luks clevis-initramfs clevis-systemd cryptsetup curl jq


Confirm the client can fetch the Tang advertisement (a signed JSON object) over the private network:

curl -sf http://<TANG_PRIVATE_IP>/adv | jq .

Separately, on the Tang server itself, print the thumbprint of its signing key. You will compare this against what clevis shows at bind time, so that you trust the key you set up rather than whatever the network happens to return:

tang-show-keys


3. Bind the LUKS device to the Tang server

clevis luks bind -d /dev/<your_luks_device> tang '{"url":"http://<TANG_PRIVATE_IP>"}'

The bind fetches the advertisement, prints the thumbprint of the Tang signing key and asks whether to trust it, then asks for the existing LUKS passphrase and adds a new keyslot that Clevis can open. Compare the thumbprint with the output of tang-show-keys on the Tang server before answering yes; if they differ, stop and find out why. Alternatively, put the expected thumbprint in the pin config as "thp": the bind then verifies the advertisement against that key and fails, rather than prompting, if the keys do not match.

If needed, you can provide the existing LUKS passphrase non-interactively:

echo -n '<existing-passphrase>' | clevis luks bind -y -k - -d /dev/<your_luks_device> tang '{"url":"http://<TANG_PRIVATE_IP>"}'

Two caveats with this form: -y answers yes to every question, including the thumbprint prompt, so only use it when the config pins "thp"; and a passphrase typed on the command line is recorded in shell history, so on a shared host prefer -k <file> pointing at a root-only file.


If this is intended for boot-time unlock on Debian or Ubuntu, rebuild the initramfs afterwards so that the Clevis hook and the pin configuration are included:

update-initramfs -u

The initramfs has to bring up networking before it can reach Tang. If the Tang server is only reachable on the private interface, make sure that interface is configured in the initramfs (for example through the ip= kernel parameter); otherwise the automatic unlock fails and boot stops at the passphrase prompt.
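The three steps above, collected into a single bind script with pre-flight checks. This is an added example, not code from the original article or from the Clevis project. It assumes a Debian or Ubuntu client with bash, curl and cryptsetup, a Clevis version that provides clevis luks list (Debian 11 / Ubuntu 22.04 or later), and takes the LUKS device, the Tang URL and the signing-key thumbprint from tang-show-keys as arguments; the script name and the sample values in the comments are assumptions. Pinning the thumbprint in the config means the bind cannot be talked into trusting a different key and no -y is needed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): bind a LUKS device to Tang
# with pre-flight checks and a pinned signing-key thumbprint.
# Assumed invocation: clevis-tang-bind.sh /dev/vdb http://10.10.0.10 <thumbprint>
set -eu

# Accept only plain http/https URLs that contain no double quote, so the JSON
# built below stays well-formed. Clevis appends /adv and /rec itself.
valid_tang_url() {
  case "$1" in
    *'"'*) return 1 ;;
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the tang pin config. "thp" is the thumbprint of the Tang signing key,
# obtained out-of-band with tang-show-keys on the Tang server. With it set,
# clevis luks bind verifies the advertisement against that key and fails if
# it does not match, instead of asking you to trust whatever was served.
pin_config() {
  printf '{"url":"%s","thp":"%s"}' "$1" "$2"
}

# A Tang advertisement is a JWS; whichever serialisation is used it carries a
# "payload" member. Anything else (an HTML error page, an empty reply) means
# the client is not talking to Tang.
adv_is_jws() {
  case "$1" in
    *'"payload"'*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  dev="$1"; url="$2"; thp="$3"
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  valid_tang_url "$url" || { echo "bad Tang URL: $url" >&2; return 1; }
  cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }

  # Reachability from the client, over the same path the initramfs will use.
  adv="$(curl -sSf --max-time 10 "$url/adv")" \
    || { echo "cannot fetch $url/adv" >&2; return 1; }
  adv_is_jws "$adv" || { echo "unexpected reply from $url/adv" >&2; return 1; }

  # Show existing bindings so a re-run does not silently add a second slot.
  echo "current Clevis bindings on $dev:"
  clevis luks list -d "$dev" || echo "(none)"

  # Prompts for the existing LUKS passphrase; the thumbprint prompt is
  # replaced by the thp check, so -y is not needed.
  clevis luks bind -d "$dev" tang "$(pin_config "$url" "$thp")"

  # Debian/Ubuntu: include the Clevis hook and config in the initramfs.
  update-initramfs -u
  clevis luks list -d "$dev"
}

# Only run the procedure when called with all three arguments.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it once per device as root, for example `bash clevis-tang-bind.sh /dev/vdb http://10.10.0.10 <thumbprint>`. If the thumbprint does not match the key Tang serves, clevis luks bind exits with an error and nothing is written to the LUKS header, which is the behaviour you want.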


Important

If the Tang server is unavailable or unreachable, automatic unlock fails and boot stops at the normal LUKS passphrase prompt. Keep the original LUKS passphrase available so the volume can still be unlocked manually if required. If the Tang server's keys are ever rotated, re-run the bind (or clevis luks regen) on every client before the old keys are retired, otherwise those clients will also fall back to the passphrase.



Verification


Check that Clevis was added to the LUKS device:

clevis luks list -d /dev/<your_luks_device>

This prints the keyslot number, the pin (tang) and the URL it was bound with. The same information is visible in the LUKS header:

cryptsetup luksDump /dev/<your_luks_device>

You should see an additional keyslot, and on LUKS2 a token of type clevis pointing at it.

For a non-root test volume, you can also confirm that the unlock works without the passphrase. Unmount first; cryptsetup close refuses to close a device that is still in use:

umount /dev/mapper/<mapper_name>
cryptsetup close <mapper_name>
clevis luks unlock -d /dev/<your_luks_device> -n <mapper_name>
mount /dev/mapper/<mapper_name> /mnt

For the root volume the only real test is a reboot: the VPS should come up without stopping at the passphrase prompt. Do that test while you still have console access and the passphrase to hand.

If you require assistance, feel free to submit a support ticket at our helpdesk here: Submit a ticket | BinaryLane