"clevis luks bind" command fails with "Error while saving Clevis metadata in LUKS header!" message

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7 (RHEL7)
    • cryptsetup
    • clevis

Issue

  • When trying to bind to a LUKS device using the clevis luks bind command, the command fails with the error shown below:

    Error while saving Clevis metadata in LUKS header!
    stty: standard input: Inappropriate ioctl for device
    
  • Upon reinstalling a system configured with Clevis, it's not possible to register with the Tang server

Resolution

Follow the procedure listed in the Diagnostic Steps section. If this is a match, proceed further.

  1. Wipe the existing key slots that are in the inactive state, as shown below:

    # DEV=/dev/vdb
    # while read slot state rest; do
    	[ $state == "inactive" ] || continue
    	luksmeta wipe -d $DEV -s $slot -f
    done <<< "$(luksmeta show -d $DEV)"
    
  2. Verify that all slots (except the first one, if a passphrase is used) have been wiped

    # luksmeta show -d $DEV
    0   active empty
    1 inactive empty
    2 inactive empty
    3 inactive empty
    4 inactive empty
    5 inactive empty
    6 inactive empty
    7 inactive empty
    
  3. Execute the clevis luks bind command again

    # clevis luks bind ...
    
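The same inspection as steps 1 and 2, written as an added example that is not part of this solution: POSIX sh functions that parse a luksmeta show listing, skip slot 0, list the inactive slots still to be wiped, and verify the final state before clevis luks bind is re-run. The listings below are constructed samples modelled on the Diagnostic Steps output, and the DRY_RUN variable is a hypothetical addition so the wipe commands can be reviewed before anything is written to the header.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. In a real run the listing
# comes from: luksmeta show -d "$DEV". Both listings below are constructed.
SAMPLE_BEFORE='0   active empty
1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
3   active empty
4 inactive empty
5 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
6 inactive empty
7 inactive empty'

SAMPLE_AFTER='0   active empty
1 inactive empty
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

# stale_slots LISTING: print, one per line, the slots that are "inactive" but
# still carry luksmeta data (the leftovers that block clevis luks bind).
# Slot 0 is never printed, so a passphrase in slot 0 is never touched.
stale_slots() {
    printf '%s\n' "$1" | while read -r slot state uuid _; do
        [ "$slot" = "0" ] && continue
        [ "$state" = "inactive" ] || continue
        [ "$uuid" = "empty" ] && continue
        printf '%s\n' "$slot"
    done
}

# wipe_stale_slots DEV LISTING: wipe each stale slot of DEV. With DRY_RUN=1
# (hypothetical knob, default) only the commands are printed for review.
wipe_stale_slots() {
    dev="$1"; listing="$2"
    for slot in $(stale_slots "$listing"); do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'would run: luksmeta wipe -d %s -s %s -f\n' "$dev" "$slot"
        else
            luksmeta wipe -d "$dev" -s "$slot" -f
        fi
    done
}

# all_wiped LISTING: exit 0 only when every slot except 0 reads "inactive
# empty", the state step 2 expects before running clevis luks bind again.
all_wiped() {
    printf '%s\n' "$1" |
        awk '$1 != 0 && !($2 == "inactive" && $3 == "empty") { bad = 1 } END { exit bad }'
}
```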

How to automatically wipe slots in a kickstart

It may be wise to wipe all the key slots prior to using clevis luks bind in the %post installation script, as shown in the excerpt below:

%post --log=/root/post.log --erroronfail
for dev in <DEVICES>; do
	for slot in $(seq 1 7); do luksmeta wipe -d $dev -s $slot -f; done
	clevis luks bind -f -k - -d $dev tang '{"url":"<TANG_URL>", "thp":"<TOKEN>"}' <<< "<PASSWD>"
done
[...]
%end

Do not wipe slot 0 unless no passphrase is used.
Replace <DEVICES> (the list of devices configured for LUKS), <TANG_URL>, <TOKEN> and <PASSWD> with the values suited to your environment.

Note that this operation cannot be done in a %pre script since luksmeta is not available at that time.

Root Cause

  1. Due to a bug, the cryptsetup luksFormat command doesn't wipe the key slots, but only marks them as inactive
  2. After reinstalling the system several times, all the previously used key slots are inactive, which prevents the clevis luks bind command from finding a free key slot

The issue happens only on RHEL7 and is tracked by BZ 1905883 - luksFormat doesn't wipe keyslots.

Diagnostic Steps

  1. Dump the LUKS metadata of the device

    # DEV=/dev/vdb
    # luksmeta show -d $DEV
    0   active empty
    1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    2 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    3 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    4 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    5 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    6 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    7 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
    
  2. Verify that all slots not used by a passphrase are inactive

    In the example above, the first slot is used by a passphrase. All the others are in inactive state and contain a token.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.