diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..28c6c77 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,24 @@ +# SPDX-FileCopyrightText: Timothée Ravier +# +# SPDX-License-Identifier: CC0-1.0 + +# Inspired by https://github.com/coreos/repo-templates + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + groups: + actions: + patterns: + - "*" + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + groups: + rust: + patterns: + - "*" diff --git a/.github/workflows/reuse-lint.yml b/.github/workflows/reuse-lint.yml new file mode 100644 index 0000000..39400b1 --- /dev/null +++ b/.github/workflows/reuse-lint.yml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2022 Free Software Foundation Europe e.V. +# SPDX-License-Identifier: CC0-1.0 +--- +name: REUSE Compliance Check + +on: [push, pull_request] + +permissions: + contents: read + +jobs: + reuse-compliance-check: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: REUSE Compliance Check + uses: fsfe/reuse-action@v5 diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml new file mode 100644 index 0000000..1a21ce0 --- /dev/null +++ b/.github/workflows/rust.yml @@ -0,0 +1,121 @@ +# SPDX-FileCopyrightText: Timothée Ravier +# +# SPDX-License-Identifier: CC0-1.0 + +# Inspired by https://github.com/coreos/repo-templates + +name: "Rust" +on: + pull_request: + branches: + - "main" +permissions: + contents: "read" + +# Don't waste job slots on superseded code +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + CARGO_TERM_COLOR: always + # Pinned toolchain for linting + ACTIONS_LINTS_TOOLCHAIN: 1.85.0 + +jobs: + tests-stable: + name: "Tests, stable toolchain" + runs-on: "ubuntu-24.04" + container: "ghcr.io/confidential-clusters/buildroot:latest" + steps: + - name: "Check out repository" + uses: actions/checkout@v5 + - name: "Install toolchain" + uses: dtolnay/rust-toolchain@v1 + with: + toolchain: stable + - name: "Cache build artifacts" + uses: Swatinem/rust-cache@v2 + - name: "cargo build" + run: cargo build --all-targets + - name: "cargo test" + run: cargo test --all-targets + tests-release-stable: + name: "Tests (release), stable toolchain" + runs-on: "ubuntu-24.04" + container: "ghcr.io/confidential-clusters/buildroot:latest" + steps: + - name: "Check out repository" + uses: actions/checkout@v5 + - name: "Install toolchain" + uses: dtolnay/rust-toolchain@v1 + with: + toolchain: stable + - name: "Cache build artifacts" + uses: Swatinem/rust-cache@v2 + - name: "cargo build (release)" + run: cargo build --all-targets --release + - name: "cargo test (release)" + run: cargo test --all-targets --release + tests-release-msrv: + name: "Tests (release), minimum supported toolchain" + runs-on: "ubuntu-24.04" + container: "ghcr.io/confidential-clusters/buildroot:latest" + steps: + - name: "Check out repository" + uses: actions/checkout@v5 + - name: "Detect crate MSRV" + run: | + msrv=$(cargo metadata --format-version 1 --no-deps | \ + jq -r '.packages[0].rust_version') + echo "Crate MSRV: $msrv" + echo "MSRV=$msrv" >> $GITHUB_ENV + - name: "Install toolchain" + uses: dtolnay/rust-toolchain@v1 + with: + toolchain: ${{ env.MSRV }} + - name: "Cache build artifacts" + uses: Swatinem/rust-cache@v2 + - name: "cargo build (release)" + run: cargo build --all-targets --release + - name: "cargo test (release)" + run: cargo test --all-targets --release + linting: + name: "Lints, pinned toolchain" + runs-on: "ubuntu-24.04" + container: "ghcr.io/confidential-clusters/buildroot:latest" + steps: + - name: "Check out repository" + uses: actions/checkout@v5 + - name: "Install toolchain" + uses: dtolnay/rust-toolchain@v1 + with: + toolchain: ${{ env.ACTIONS_LINTS_TOOLCHAIN }} + components: rustfmt, clippy + - name: "Cache build artifacts" + uses: Swatinem/rust-cache@v2 + - name: "cargo fmt (check)" + run: cargo fmt -- --check -l + - name: "cargo clippy (warnings)" + run: cargo clippy --all-targets -- -D warnings + tests-other-channels: + name: "Tests, unstable toolchain" + runs-on: "ubuntu-24.04" + container: "ghcr.io/confidential-clusters/buildroot:latest" + continue-on-error: true + strategy: + matrix: + channel: [beta, nightly] + steps: + - name: "Check out repository" + uses: actions/checkout@v5 + - name: "Install toolchain" + uses: dtolnay/rust-toolchain@v1 + with: + toolchain: ${{ matrix.channel }} + - name: "Cache build artifacts" + uses: Swatinem/rust-cache@v2 + - name: "cargo build" + run: cargo build --all-targets + - name: "cargo test" + run: cargo test --all-targets diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..79e6f4f --- /dev/null +++ b/.gitignore @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: CC0-1.0 + +# Rust build artifacts +/target/ +Cargo.lock + +# IDE files +.vscode/ +.idea/ +*.swp +*.swo + +# Temporary files +*.tmp +*.temp diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..bf2950e --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: CC0-1.0 + +[package] +name = "clevis-pin-trustee" +version = "0.1.0" +edition = "2024" +description = "Clevis PIN for URL-based encryption/decryption" +repository = "https://github.com/confidential-clusters/clevis-pin-trustee" + +[dependencies] +serde = { version = "1.0", features = ["derive"] } +serde_json = "1.0" +reqwest = { version = "0.11", features = ["json", "blocking"] } +tokio = { version = "1.0", features = ["full"] } +clap = { version = "4.0", features = ["derive"] } +anyhow = "1.0" +josekit = "0.10.3" +base64 = "0.22.1" +rand = "0.9.2" +hex = "0.4.3" + +[dev-dependencies] +tempfile = "3.0" diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..9e85b9d --- /dev/null +++ b/Containerfile @@ -0,0 +1,14 @@ +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: CC0-1.0 + +FROM docker.io/library/rust:trixie as build + +COPY . /src +WORKDIR /src +RUN cargo build --release + +FROM quay.io/fedora/fedora:42 +COPY --from=build /src/target/release/clevis-pin-trustee /usr/bin/clevis-pin-trustee +COPY --from=build /src/clevis-encrypt-trustee /usr/bin/clevis-encrypt-trustee +COPY --from=build /src/clevis-decrypt-trustee /usr/bin/clevis-decrypt-trustee diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt new file mode 100644 index 0000000..0e259d4 --- /dev/null +++ b/LICENSES/CC0-1.0.txt @@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. + +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt new file mode 100644 index 0000000..d817195 --- /dev/null +++ b/LICENSES/MIT.txt @@ -0,0 +1,18 @@ +MIT License + +Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and +associated documentation files (the "Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the +following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial +portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT +LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO +EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index 47e4406..6db27a1 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,7 @@ # Clevis PIN for Trustee attestation + TBD + +## Licenses + +See [LICENSES](LICENSES). diff --git a/REUSE.toml b/REUSE.toml new file mode 100644 index 0000000..8bf49a3 --- /dev/null +++ b/REUSE.toml @@ -0,0 +1,13 @@ +version = 1 + +[[annotations]] +path = [ + "README.md", + "Cargo.lock", + "data.json", + "test-secret-trustee" +] +SPDX-FileCopyrightText = [ + "Alice Frosi " +] +SPDX-License-Identifier = "CC0-1.0" diff --git a/clevis-decrypt-trustee b/clevis-decrypt-trustee new file mode 100755 index 0000000..a77432f --- /dev/null +++ b/clevis-decrypt-trustee @@ -0,0 +1,7 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: MIT + +clevis-pin-trustee decrypt "$@" diff --git a/clevis-encrypt-trustee b/clevis-encrypt-trustee new file mode 100755 index 0000000..b733588 --- /dev/null +++ b/clevis-encrypt-trustee @@ -0,0 +1,7 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: MIT + +clevis-pin-trustee encrypt "$@" diff --git a/data.json b/data.json new file mode 100644 index 0000000..7e9a976 --- /dev/null +++ b/data.json @@ -0,0 +1,9 @@ +{ + "servers": [ + { + "url": "http://localhost:8080", + "cert": "" + } + ], + "path": "conf-cluster/12345/root" +} diff --git a/src/main.rs b/src/main.rs new file mode 100644 index 0000000..22460f3 --- /dev/null +++ b/src/main.rs @@ -0,0 +1,229 @@ +// SPDX-FileCopyrightText: Alice Frosi +// +// SPDX-License-Identifier: MIT + +use anyhow::{Context, Result, anyhow}; +use base64::{Engine as _, engine::general_purpose}; +use clap::{Parser, Subcommand}; +use josekit::jwe::alg::direct::DirectJweAlgorithm::Dir; +use josekit::jwk::Jwk; +use serde::{Deserialize, Serialize}; +use std::io::{self, Read, Write}; +use std::process::Command as StdCommand; +use std::thread; +use std::time::Duration; + +#[derive(Debug, Serialize, Deserialize, Clone)] +struct Server { + url: String, + cert: String, +} + +#[derive(Debug, Serialize, Deserialize)] +struct Config { + servers: Vec, + path: String, +} + +#[derive(Debug, Serialize, Deserialize)] +struct ClevisHeader { + pin: String, + servers: Vec, + path: String, +} + +#[derive(Debug, Serialize, Deserialize)] +pub struct Key { + pub key_type: String, + pub key: String, +} + +fn fetch_and_prepare_jwk(servers: &[Server], path: &str) -> Result { + let key = fetch_luks_key(servers, path)?; + let key = String::from_utf8( + general_purpose::STANDARD + .decode(&key) + .context("Error decoding key in base64")?, + ) + .context("Error decoding the key in JSON")?; + eprintln!("Key: {:?}", key); + let key: Key = serde_json::from_str(&key).context("Error in parsing the fetched key")?; + + let mut jwk = Jwk::new(&key.key_type); + jwk.set_key_value(&key.key); + jwk.set_key_operations(vec!["encrypt", "decrypt"]); + + Ok(jwk) +} + +fn encrypt(config: &str) -> Result<()> { + let config: Config = + serde_json::from_str(config).map_err(|e| anyhow!("Failed to parse config JSON: {}", e))?; + + let mut input = Vec::new(); + io::stdin().read_to_end(&mut input)?; + + let jwk = fetch_and_prepare_jwk(&config.servers, &config.path)?; + + eprintln!("{}", jwk); + let encrypter = Dir + .encrypter_from_jwk(&jwk) + .context("Error creating direct encrypter")?; + + let private_hdr = ClevisHeader { + pin: "trustee".to_string(), + servers: config.servers.clone(), + path: config.path, + }; + + let mut hdr = josekit::jwe::JweHeader::new(); + hdr.set_algorithm("ECDH-ES"); + hdr.set_content_encryption("A256GCM"); + hdr.set_claim( + "clevis", + Some(serde_json::value::to_value(private_hdr).context("Error serializing private header")?), + ) + .context("Error adding clevis claim")?; + + let jwe_token = josekit::jwe::serialize_compact(&input, &hdr, &encrypter) + .context("Error serializing JWE token")?; + + io::stdout() + .write_all(jwe_token.as_bytes()) + .context("Error writing the token on stdout")?; + eprintln!("Encryption successful."); + + Ok(()) +} + +fn decrypt() -> Result<()> { + let mut input = Vec::new(); + io::stdin().read_to_end(&mut input)?; + let input = std::str::from_utf8(&input).context("Input is not valid UTF-8")?; + + let hdr = josekit::jwt::decode_header(input).context("Error decoding header")?; + let hdr_clevis = hdr.claim("clevis").context("Error getting clevis claim")?; + let hdr_clevis: ClevisHeader = + serde_json::from_value(hdr_clevis.clone()).context("Error deserializing clevis header")?; + + eprintln!("Decrypt with header: {:?}", hdr_clevis); + + let decrypter_jwk = fetch_and_prepare_jwk(&hdr_clevis.servers, &hdr_clevis.path)?; + + let decrypter = Dir + .decrypter_from_jwk(&decrypter_jwk) + .context("Error creating decrypter")?; + + let (payload, _) = + josekit::jwe::deserialize_compact(input, &decrypter).context("Error decrypting JWE")?; + + io::stdout().write_all(&payload)?; + + eprintln!("Decryption successful."); + Ok(()) +} + +fn fetch_luks_key(servers: &[Server], path: &str) -> Result { + const MAX_ATTEMPTS: u32 = 3; + const DELAY: Duration = Duration::from_secs(5); + + if servers.is_empty() { + return Err(anyhow!("No URLs provided")); + } + + (1..=MAX_ATTEMPTS) + .find_map(|attempt| { + eprintln!( + "Attempting to fetch LUKS key (attempt {}/{})", + attempt, MAX_ATTEMPTS + ); + + for (index, server) in servers.iter().enumerate() { + eprintln!("Trying URL {}/{}: {}", index + 1, servers.len(), server.url); + match try_fetch_luks_key(&server.url, path) { + Ok(key) => { + eprintln!("Successfully fetched LUKS key from URL: {}", server.url); + return Some(Ok(key)); + } + Err(e) => { + eprintln!("Error with URL {}: {}", server.url, e); + } + } + } + + if attempt < MAX_ATTEMPTS { + eprintln!( + "All URLs failed for attempt {}. Retrying in {:?} seconds...", + attempt, DELAY + ); + thread::sleep(DELAY); + } + None + }) + .unwrap_or_else(|| { + Err(anyhow!( + "Failed to fetch the LUKS key from all URLs after {} attempts", + MAX_ATTEMPTS + )) + }) +} + +fn try_fetch_luks_key(url: &str, path: &str) -> Result { + let output = StdCommand::new("trustee-attester") + .arg("--url") + .arg(url) + .arg("get-resource") + .arg("--path") + .arg(path) + .output() + .map_err(|e| anyhow!("Failed to execute trustee-attester: {}", e))?; + + io::stderr().write_all(&output.stderr)?; + io::stderr().write_all(&output.stdout)?; + + if !output.status.success() { + let stderr = String::from_utf8_lossy(&output.stderr); + return Err(anyhow!("trustee-attester failed: {}", stderr)); + } + + let key = String::from_utf8(output.stdout) + .map_err(|e| anyhow!("Invalid UTF-8 for the LUKS key: {}", e))? + .trim() + .to_string(); + + if key.is_empty() { + return Err(anyhow!("Received empty LUKS key")); + } + + Ok(key) +} + +/// Clevis PIN for confidential cluster +#[derive(Parser)] +#[command(name = "clevis-pin-trustee")] +#[command(version = "0.1.0")] +#[command(about = "Clevis PIN for confidential clusters")] +struct Cli { + #[command(subcommand)] + command: Commands, +} + +#[derive(Subcommand)] +enum Commands { + /// Encrypt data using the configuration + Encrypt { + /// Input data or arguments + config: String, + }, + /// Decrypt the input data + Decrypt, +} + +fn main() -> Result<()> { + let cli = Cli::parse(); + + match cli.command { + Commands::Encrypt { config } => encrypt(&config), + Commands::Decrypt => decrypt(), + } +} diff --git a/test-secret-trustee b/test-secret-trustee new file mode 100644 index 0000000..1d048f1 --- /dev/null +++ b/test-secret-trustee @@ -0,0 +1 @@ +{ "key_type": "oct", "key": "2b442dd5db4478367729ef8bbf2e7480" } diff --git a/test.sh b/test.sh new file mode 100755 index 0000000..5ade09f --- /dev/null +++ b/test.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: Alice Frosi +# +# SPDX-License-Identifier: CC0-1.0 + +set -euo pipefail + +device=$(sudo losetup |grep test.img | awk '{print $1}'|head -n1 || true) +if [ -z "$device" ]; then + truncate test.img --size 1GB + device=$(sudo losetup -f --show test.img) +fi +echo "Device $device" +echo "cLevisTest1234" > key +sudo cryptsetup isLuks $device +if [ $? -ne 0 ]; then + yes "YES"| sudo cryptsetup luksFormat -d key --force-password $device +fi +sudo clevis luks bind -f -k key -d $device trustee "$(cat data.json)" +sudo clevis luks list -d $device +sudo clevis luks unlock -d $device -n myroot