clevis


Clevis is a pluggable framework for automated decryption.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with clevis
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.

Description

Clevis can be used to automate the decryption of data, or even the unlocking of LUKS volumes, by binding the decryption to a tang server. Once Clevis has bound the decryption to a server, the encryption passphrase is removed, which means that if communication with the server is lost, the host will no longer be able to decrypt, not even with the passphrase. To prevent this, Clevis can bind up to 8 keys to 8 different servers/users, and you can restrict how many of them are required as a minimum. Setting a value of t=2 means that at least 2 servers have to be available at the moment of decryption.
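As an added illustration of the threshold described above (this is example code, not part of the puppet-clevis module), the function below builds the Shamir secret sharing ("sss") pin configuration that clevis takes when binding a LUKS device to several tang servers, enforcing that the threshold t is satisfiable and stays within the 8-server limit the description mentions. The tang URLs and the device path are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the module's own code): build a clevis sss pin
# configuration with threshold "t" over a list of tang servers.
set -eu

# sss_pin_config THRESHOLD URL... -> prints the clevis sss pin JSON.
# Fails when the threshold cannot be met by the servers given, or when
# more than the 8 servers mentioned in the description are listed.
sss_pin_config() {
  t="$1"; shift
  n=$#
  if [ "$n" -lt 1 ] || [ "$n" -gt 8 ]; then
    echo "sss_pin_config: need 1..8 tang servers, got $n" >&2
    return 1
  fi
  if [ "$t" -lt 1 ] || [ "$t" -gt "$n" ]; then
    echo "sss_pin_config: threshold $t not satisfiable with $n servers" >&2
    return 1
  fi
  tangs=""
  for url in "$@"; do
    # Each tang server becomes one {"url": ...} entry in the pin list.
    tangs="${tangs:+$tangs,}{\"url\":\"$url\"}"
  done
  printf '{"t":%d,"pins":{"tang":[%s]}}\n' "$t" "$tangs"
}

# bind_luks_device DEVICE THRESHOLD URL... -> binds the device so that
# at least THRESHOLD of the listed tang servers must answer at unlock time.
# Not called here: it needs clevis, root, and a real LUKS device.
bind_luks_device() {
  dev="$1"; thr="$2"; shift 2
  cfg="$(sss_pin_config "$thr" "$@")"
  clevis luks bind -d "$dev" sss "$cfg"
}

# Constructed placeholder servers: 3 tang servers, 2 of which must be up.
sss_pin_config 2 \
  http://tang1.example.internal \
  http://tang2.example.internal \
  http://tang3.example.internal
```

With the generated configuration, unlocking the volume succeeds while any 2 of the 3 servers are reachable, and fails once only 1 remains.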

Setup

Setup Requirements

Clevis needs a tang server cluster ready and running, and it is usually installed and configured during OS provisioning.

Usage

Just include the clevis module:

include clevis

Limitations

Clevis cannot be installed AFTER provisioning. It should always be part of the provisioning process.