If you use, or want to use, full-disk encryption on your server, you might have been bothered by the problem of unattended reboots. Clevis is a decryption framework which binds secrets against a secure resource (a secure cryptographic protocol to reach a remote Tang server or a TPM) to mount the root partition. Clevis is now part of NixOS, available in the initrd and can be set up declaratively for LUKS, ZFS and Bcachefs.

This talk will briefly explain the Clevis-Tang protocol and show you how to set it up on your NixOS machines.