"Clevis/Tang: unattended boot of an encrypted NixOS system" ( 2024 )

Sunday at 12:00, 25 minutes, H.1302 (Depage), Nix and NixOS devroom. Speakers: Julien Malka, Camille Mondon. Video available.

If you use, or want to use, full-disk encryption on a server, you have probably run into the problem of unattended reboots: someone has to be there to type the passphrase. Clevis is an automated decryption framework that binds a secret (the key that unlocks the root partition) to a "pin": either a remote Tang server, reached through the McCallum-Relyea key-exchange protocol, or a TPM. The bound secret can only be recovered while that pin is available, so with Tang a disk taken off the network stays locked. Clevis is now part of NixOS, available in the initrd, and can be set up declaratively for LUKS, ZFS and Bcachefs.

This talk will briefly explain the Clevis-Tang protocol and show you how to set it up on your NixOS machines.
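The following is an added illustration of the Clevis-Tang exchange described above; it is not code from the talk, from Clevis or from Tang. It models the McCallum-Relyea protocol over P-256 in pure Python so both sides' messages are visible: provisioning derives a wrapping key from the client's ephemeral scalar and Tang's public key and keeps only two public points, and recovery at boot blinds the stored point before asking Tang to multiply it. The JOSE/JWE encoding, the Concat KDF and the HTTP endpoints of the real implementation are replaced by a SHA-256 stand-in KDF and direct method calls; the class and function names are the example's own.

```python
"""Model of the Clevis-Tang (McCallum-Relyea) exchange over P-256.

Constructed illustration, not Clevis or Tang source code. Arithmetic is
pure Python so the two roles' messages are visible; the real protocol wraps
the points in JWK/JWE structures and uses a Concat KDF, omitted here.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (standard constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def ec_neg(pt):
    return (pt[0], (-pt[1]) % P)


def random_scalar():
    return secrets.randbelow(N - 1) + 1


def derive_key(pt):
    """Stand-in KDF: SHA-256 of the shared point's x coordinate."""
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()


class TangServer:
    """Tang holds one long-term private scalar s and only ever multiplies."""

    def __init__(self):
        self._s = random_scalar()
        self.public = ec_mul(self._s, G)  # S = s*G, advertised to clients

    def recover(self, x_point):
        """Recovery request: return s*X. Tang never sees the wrapping key."""
        return ec_mul(self._s, x_point)


def provision(server_public):
    """Client side at enrolment (what 'clevis encrypt tang' does).

    Returns the wrapping key and the metadata to persist. The ephemeral
    scalar c and the key itself are dropped; only the points C and S remain.
    """
    c = random_scalar()
    C = ec_mul(c, G)
    key = derive_key(ec_mul(c, server_public))  # K = c*S = c*s*G
    return key, {"C": C, "S": server_public}


def recover(meta, server):
    """Client side at boot: blind C, ask Tang to multiply, then unblind."""
    e = random_scalar()
    X = ec_add(meta["C"], ec_mul(e, G))          # X = C + e*G, sent to Tang
    Y = server.recover(X)                         # Y = s*X = s*C + s*e*G
    K = ec_add(Y, ec_neg(ec_mul(e, meta["S"])))   # K = Y - e*S = s*C = c*s*G
    return derive_key(K)


def demo():
    tang = TangServer()
    key, meta = provision(tang.public)
    assert recover(meta, tang) == key            # the enrolled Tang unlocks
    assert recover(meta, TangServer()) != key    # a different key pair does not
    return key


if __name__ == "__main__":
    print(demo().hex())
```

Two properties worth checking against the code: the persisted metadata holds only public points, so an attacker with the disk alone learns nothing, and Tang only ever sees the blinded point X, so it cannot derive the wrapping key either; the key is recomputable only by a party that can both reach the enrolled Tang and read the disk's metadata.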