How to mount/re-use an existing LUKS volume?

I want to mount an existing external disk with a LUKS volume on it. It’s already bound with the correct Clevis commands…

I thought of this:

variant: fcos
version: 1.3.0
storage:
  luks:
    # external disk
    - name: external
      label: luks-external
      device: /dev/disk/by-partlabel/external
      clevis:
        tpm2: false
        threshold: 1
        tang:
          - url: # …
      wipe_volume: false
  filesystems:
    - path: /mnt/external
      device: /dev/mapper/external
      format: btrfs
      wipe_filesystem: false
      with_mount_unit: true

I hope the wipe_volume should make sure the LUKS volume is not re-created or Ignition tries to change the encryption (add another keyslot for the clevis device I show). Is that correct?

However, given the disk is also only required to be specified if you actually want to format/partition a disk, can’t we also just remove the LUKS section?
After all, AFAIK, the JSON data to let Clevis know how to actually decrypt the stuff is already saved as LUKS metadata, so there is no reason to provide it to Ignition again, is there?

Ignition shouldn’t try to re-use existing clevis based devices: ignition/luks.go at main · coreos/ignition · GitHub

Please post a bug to the Ignition tracker (Issues · coreos/ignition · GitHub) if it’s doing something else.

Wait? Did I understand that correctly, it should not?
I.e. it should usually always remove the existing LUKS partition (and data) and add a fresh new one? remove the LUKS encryption data and add a fresh new one?

Also looking through the code you linked it seems that check only triggers if wipe_volume = false. However, as my aim is to actually just re-use the existing partition? Or well… at least don’t wipe the data, which it thankfully does not seem to do.

Or what does it do then? Does it reconfigure the LUKS keyslots as specified in the Butane config?

And what happens if I just omit the whole LUKS section? Does it then anyway properly unlock the volume? Or do I need to specify it?

Ignition should do nothing with the device if the device specifies wipeVolume: false & either A) the device uses clevis or B) the device doesn’t match what is specified in the Ignition config.

If you omit the LUKS section then Ignition shouldn’t touch anything (unless you’re doing something else to the disk elsewhere in the storage section). You could then configure the unlocking of the device however you wish.

Essentially you’d just be treading off the path of Ignition configuring the unlocking for you. If you go through the code you can probably piece together what Ignition does to configure automatic unlocking and build a config which performs those steps for an existing device without using the LUKS section.
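
To check the question raised in this thread, whether provisioning left the existing keyslots and Clevis binding alone, you can compare a summary of `cryptsetup luksDump` taken before and after first boot. The script below is an added example, not code from the thread or from Ignition; the function names are hypothetical and the sample dump is constructed and abridged (LUKS2 layout).

```shell
#!/usr/bin/env bash
# Added example: summarise keyslots and Clevis tokens of a LUKS2 header so the
# state before and after provisioning can be compared.

# Reads `cryptsetup luksDump` text on stdin.
# Prints "keyslots=<n> clevis_tokens=<m>".
luks2_summary() {
  awk '
    /^[A-Za-z]/ { section = $1 }   # an unindented line starts a new section
    section == "Keyslots:" && /^[ \t]+[0-9]+: /       { slots++ }
    section == "Tokens:"   && /^[ \t]+[0-9]+: clevis/ { clevis++ }
    END { printf "keyslots=%d clevis_tokens=%d\n", slots, clevis }
  '
}

# Returns 0 when two saved dumps ($1 = before, $2 = after) have the same summary.
luks2_unchanged() {
  [ "$(luks2_summary < "$1")" = "$(luks2_summary < "$2")" ]
}

# Constructed, abridged sample of LUKS2 luksDump output:
# one passphrase slot (0) and one slot bound through a Clevis token (1).
sample_dump() {
  cat <<'EOF'
LUKS header information
Version:        2
Label:          luks-external
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# When called with a device path, summarise the real header (needs root).
if [ "$#" -gt 0 ]; then
  cryptsetup luksDump "$1" | luks2_summary
fi
```

Save the summary for `/dev/disk/by-partlabel/external` before the first boot with the new config and compare it afterwards; a higher keyslot or token count means something re-bound the volume.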