I want to mount an existing external disk with a LUKS volume on it. It’s already bound with the correct Clevis commands…
I thought of this:
```yaml
variant: fcos
version: 1.3.0
storage:
  luks:
    # external disk
    - name: external
      label: luks-external
      device: /dev/disk/by-partlabel/external
      clevis:
        tpm2: false
        threshold: 1
        tang:
          - url: # …
      wipe_volume: false
  filesystems:
    - path: /mnt/external
      device: /dev/mapper/external
      format: btrfs
      wipe_filesystem: false
      with_mount_unit: true
```
I hope the `wipe_volume` should make sure the LUKS volume is not re-created or Ignition tries to change the encryption (add another keyslot for the Clevis device I show). Is that correct?
However, given the `disk` is also only required to be specified if you actually want to format/partition a disk, can’t we also just remove the LUKS section?
After all, AFAIK, the JSON data to let Clevis know how to actually decrypt the stuff is already saved as LUKS metadata, so there is no reason to provide it to Ignition again, is there?