leapp preupgrade shows inhibitor for LUKS encrypted device

Solution Verified - Updated -

Issue

  • Before performing in-place update from RHEL 8 to 9, we executed leapp preupgrade command to check for any issues and it showed following inhibitor for LUKS encrypted device. Please let us know how to resolve it:

    
Risk Factor: high (inhibitor)
Title: Detected LUKS devices unsuitable for in-place upgrade.

Summary: We have detected LUKS encrypted volumes that do not meet current criteria to be able to proceed the in-place upgrade process. Right now the upgrade process requires for encrypted storage to be in LUKS2 format configured with Clevis TPM 2.0.

Currently we require the process to be non-interactive and offline. For this reason we require automatic unlock of encrypted devices during the upgrade process. Currently we support automatic unlocking during the upgrade only for volumes bound to Clevis TPM2 token. The following LUKS2 devices without Clevis TPM2 token  have been discovered on your system: 
    - sda
Related links:
    - Configuring manual enrollment of LUKS-encrypted volumes by using a TPM 2.0 policy: https://red.ht/clevis-tpm2-luks-auto-unlock-rhel8
Remediation: [hint] Add Clevis TPM2 binding to LUKS devices. If some LUKS devices use still the old LUKS1 format, convert them to LUKS2 prior to binding.

Environment

  • Red Hat Enterprise Linux 8, 9
  • LUKS encrypted device

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content