Clevis
Secrets & Credentials
A pluggable framework for automated decryption of data and LUKS volumes
Features
- Encrypt plaintext to JWE objects with specified plugin (pin) and config
- Supports multiple pins including Tang, TPM1, and TPM2 for diverse decryption back‑ends
- Automated decryption without additional interaction or manual key handling
Recent releases
v22
Breaking risk
Fixes a race condition and adds support for LUKS devices with empty passwords.
Full changelog
What's Changed
- Fix README.md typo and latest release version by @sarroutbi in https://github.com/latchset/clevis/pull/483
- tang: clean-up unused variable, omit reuseaddr by @oldium in https://github.com/latchset/clevis/pull/489
- pkcs11: provide key file format to openssl by @oldium in https://github.com/latchset/clevis/pull/486
- systemd: search for systemd-reply-password in dir specified by systemd by @oldium in https://github.com/latchset/clevis/pull/487
- tang: allow reading full request by socat fake http server by @oldium in https://github.com/latchset/clevis/pull/488
- pkcs11: add missing threads dependency by @oldium in https://github.com/latchset/clevis/pull/485
- pkcs11: add Dracut install check by @oldium in https://github.com/latchset/clevis/pull/480
- PKCS#11 pin: fix dracut for unconfigured device by @sarroutbi in https://github.com/latchset/clevis/pull/481
- Fix potential race condition by @sarroutbi in https://github.com/latchset/clevis/pull/479
- tpm2: fix dangling loaded session after tpm2_createpolicy by @oldium in https://github.com/latchset/clevis/pull/484
- tpm2: use first PCR algorithm bank supported by TPM as default by @oldium in https://github.com/latchset/clevis/pull/490
- Fix to start pcscd appropriately by @sarroutbi in https://github.com/latchset/clevis/pull/491
- Fix support for LUKS device with an empty password by @sergio-correia in https://github.com/latchset/clevis/pull/495
- Fix test script permissions by @sarroutbi in https://github.com/latchset/clevis/pull/499
- initramfs: fix killing child PIDs by @oldium in https://github.com/latchset/clevis/pull/496
- luks: make sure cryptsetup.target is installed by @LaszloGombos in https://github.com/latchset/clevis/pull/493
- Groom references to deprecated tangd-update script by @sarroutbi in https://github.com/latchset/clevis/pull/500
- Include tpm2_getcap as required tpm2 pin binary by @sarroutbi in https://github.com/latchset/clevis/pull/503
- initramfs-tools: Copy a certificate bundle so curl can do https by @g2p in https://github.com/latchset/clevis/pull/189
- Fix README.md (add clevis-pin-pkcs11 installation) by @sarroutbi in https://github.com/latchset/clevis/pull/502
- dracut: fix running with pre-v103 Dracut by @oldium in https://github.com/latchset/clevis/pull/501
- Install clevis-pin-tpm2 in initrd when required by @sarroutbi in https://github.com/latchset/clevis/pull/509
- ci: fix fedora 43 (rawhide) build by @oldium in https://github.com/latchset/clevis/pull/510
- Don't use centos10 development (use stable) by @sarroutbi in https://github.com/latchset/clevis/pull/512
- conditionally remove tests from cross build by @n80fr1n60 in https://github.com/latchset/clevis/pull/511
- Fix packages to install by @sarroutbi in https://github.com/latchset/clevis/pull/513
- Remove dependencies and -y parameter by @sarroutbi in https://github.com/latchset/clevis/pull/514
- fix missing pkcs11 when libexecdir is configured by @ClaudiaJ in https://github.com/latchset/clevis/pull/522
- Use awk instead of cut to extract the device field from $IP by @lcharreau in https://github.com/latchset/clevis/pull/523
- initramfs: redirect 'ip route' output to null by @natthias in https://github.com/latchset/clevis/pull/525
- pin template with documentation, sample "file" pin by @cbiedl in https://github.com/latchset/clevis/pull/203
- clevis-luks-askpass: allow non-block-device volumes by @x-qq in https://github.com/latchset/clevis/pull/527
- dracut: move the dracut module to 50 ordering (from 60) by @jozzsi in https://github.com/latchset/clevis/pull/530
- Correct LUKS hash handling by @sarroutbi in https://github.com/latchset/clevis/pull/544
- Release version 22 by @sarroutbi in https://github.com/latchset/clevis/pull/547
New Contributors
- @LaszloGombos made their first contribution in https://github.com/latchset/clevis/pull/493
- @g2p made their first contribution in https://github.com/latchset/clevis/pull/189
- @n80fr1n60 made their first contribution in https://github.com/latchset/clevis/pull/511
- @ClaudiaJ made their first contribution in https://github.com/latchset/clevis/pull/522
- @lcharreau made their first contribution in https://github.com/latchset/clevis/pull/523
- @natthias made their first contribution in https://github.com/latchset/clevis/pull/525
- @x-qq made their first contribution in https://github.com/latchset/clevis/pull/527
- @jozzsi made their first contribution in https://github.com/latchset/clevis/pull/530
Full Changelog: https://github.com/latchset/clevis/compare/v21...v22