Ubuntu LUKS automatic unlock using Tang @ EdgeRouter


LUKS is the Full Disk Encryption (FDE) method to go on Linux. At least that’s the one both Ubuntu and Fedora use. On most modern systems you have TPM2, so it’s easy to use Clevis to automatically unlock your encrypted partitions during boot. That’s what I do in Noobuntu. If you don’t want to use my packages, feel free to build them on your own using my scripts. On systems that don’t have TPM2, you can use Tang; that’s also covered in the Noobuntu Wiki article.

Now what if you want to use this stuff at home, where you don’t normally have a virtualization cluster and a Tang VM just for this? Well how about your router? I happen to own a Ubiquiti EdgeRouter X, which is an incredible piece of hardware that’s capable of handling even 1 Gbps. The problem is, getting stuff done there isn’t as easy as apt install tang, because it runs on MIPS.

Luckily, I just sorted out cross-compilation for MIPS, so I went ahead and built all the dependencies and Tang itself, and even packaged them all. Heck, I even set up a .deb repo so that installation actually becomes as easy as apt install noobient-tang.

Installation

Manual

In any case, if you don’t want to use my packages, that’s perfectly understandable, I could put any kind of shady stuff in there, you don’t want that on your router. The Docker environment can be found here.

Install Docker, and also install Clevis. For Clevis, either use the Noobuntu packages, or rebuild them on your own (see the “my scripts” link above).

Now obtain the noobuntu/pkgdocker repo:

git clone https://github.com/noobient/pkgdocker.git

Run the build.sh scripts in both the common/ubuntu/mipsel/16.04 and common/ubuntu/mipsel/18.04 dirs. These will create Docker images for both Ubuntu 16.04 and 18.04. Why both? Because OpenSSL cross-compiled on 18.04 will depend on glibc 2.25, and the EdgeRouter only has 2.24, so we have to resort to 16.04.

After that, build the packages in the following order:

./pkgdocker noobient-http-parser
./pkgdocker noobient-zlib
./pkgdocker noobient-openssl
./pkgdocker noobient-jansson
./pkgdocker noobient-jose
./pkgdocker noobient-tang

This will result in 6 .deb files in the pkg directory. Copy them over to your EdgeRouter with FileZilla or whatever, then install them:

sudo dpkg -i noobient-http-parser_*.deb noobient-zlib_*.deb noobient-openssl_*.deb noobient-jansson_*.deb noobient-jose_*.deb noobient-tang_*.deb

Automatic

If you’re too lazy for that, you can add my repo:

sudo tee /etc/apt/sources.list.d/noobient.list <<EOF
deb [arch=mipsel] https://apt.noobient.com/ubnt/ stretch main
EOF

Then import the corresponding repo GPG key, update the apt cache, and install Tang and its dependencies:

curl https://apt.noobient.com/files/noobuntu.asc | sudo apt-key add -
sudo apt update
sudo apt install noobient-tang

Usage

All newly installed files will be placed under /usr/local. You can start the Tang server like so:

sudo systemctl enable tangd.socket --now

Stopping is just as easy:

sudo systemctl disable tangd.socket --now

Now test from your desktop whether it actually works (change the router IP accordingly):

echo hi | clevis encrypt tang '{"url": "http://192.168.1.1:8080"}' | clevis decrypt

If you receive the hi response, all is well, and you can proceed to bind a new LUKS slot to Tang network unlock during boot, as explained in the Noobuntu FDE article.
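The round trip above only proves that some Tang server answered. Before binding a LUKS slot you also want to know which keys the router is offering, so the thumbprint Clevis asks you to trust can be compared with what the router actually serves, and so you can re-check after a firmware update (see the F.A.Q. below) whether the keys survived. The following script is an added example, not code from the original post or from the Tang/Clevis projects. It assumes that Tang serves its advertisement at GET <url>/adv as a JWS in flattened JSON serialization whose payload is {"keys": [...]}, that exchange keys carry key_ops ["deriveKey"] and signing keys ["verify"], and that thumbprints follow RFC 7638 (SHA-256 over the canonical required members), which is what the Clevis tang pin's "thp" option is matched against. The sample advertisement at the bottom is constructed with placeholder coordinates so the script runs offline; the JWS signature is not verified here (Clevis does that with jose when binding).

```python
"""Inspect a Tang advertisement and pin its signing key thumbprint.

Added example, not part of the original post or of Tang/Clevis.
Assumptions (not taken from the post): GET <url>/adv returns a flattened
JWS whose payload is {"keys": [JWK, ...]}; exchange keys have key_ops
["deriveKey"], signing keys have key_ops ["verify"]; thumbprints are
RFC 7638 SHA-256 thumbprints, which Clevis compares the "thp" pin against.
"""
import base64
import hashlib
import json
import sys
import urllib.request

# RFC 7638, section 3.2: required members per key type (sorted lexicographically).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in JWS/JWK."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace.

    Extra members such as "kid", "alg" or "key_ops" do not affect the value.
    """
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url_encode(hashlib.sha256(canonical).digest())


def parse_advertisement(adv_json: str) -> list:
    """Return the JWKs carried in the advertisement's JWS payload.

    The JWS signature is deliberately not checked here; Clevis verifies it
    with jose at bind time. This only surfaces which keys the router offers.
    """
    adv = json.loads(adv_json)
    payload = json.loads(b64url_decode(adv["payload"]))
    return payload["keys"]


def keys_with_op(keys: list, op: str) -> list:
    return [k for k in keys if op in k.get("key_ops", [])]


def signing_thumbprints(adv_json: str) -> list:
    """Thumbprints of the keys that sign the advertisement (what Clevis prompts to trust)."""
    return sorted(jwk_thumbprint(k) for k in keys_with_op(parse_advertisement(adv_json), "verify"))


def matches_pinned(adv_json: str, pinned_thp: str) -> bool:
    """True if the thumbprint you recorded earlier still belongs to a current signing key.

    Run this after a firmware update or reinstall: if the router's Tang keys
    were lost, existing LUKS bindings will no longer unlock at boot.
    """
    return pinned_thp in signing_thumbprints(adv_json)


def fetch_advertisement(url: str, timeout: float = 5.0) -> str:
    """GET <url>/adv from a live Tang server (needs network; the demo below is offline)."""
    with urllib.request.urlopen(url.rstrip("/") + "/adv", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample advertisement: same shape as Tang's, but the coordinates
# and signature are placeholders, not real keys.
SAMPLE_KEYS = [
    {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC", "x": "AQ", "y": "Ag"},
    {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC", "x": "Aw", "y": "BA"},
]
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(json.dumps({"keys": SAMPLE_KEYS}).encode("utf-8")),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "placeholder-not-a-real-signature",
})

if __name__ == "__main__":
    # Usage: python3 tang_adv.py http://192.168.1.1:8080 [previously-recorded-thumbprint]
    adv = fetch_advertisement(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADV
    for thp in signing_thumbprints(adv):
        print("signing key thumbprint (S256):", thp)
    if len(sys.argv) > 2:
        still_there = matches_pinned(adv, sys.argv[2])
        print("pinned signing key still served:", still_there)
        sys.exit(0 if still_there else 1)
```

Record the printed thumbprint when you first set the router up, then pass it as the second argument to the script (or as the "thp" value in the Clevis pin config) so that a silently replaced Tang server, or a router that lost its keys, is caught before you rely on it at boot.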

Easy as pie!

F.A.Q.

Q: Why do you rebuild OpenSSL? It’s already installed on EdgeOS.
A: That’s absolutely right, but I don’t have access to those packages in Docker, and I need them during the build for compilation and linking. If you know of a better way, please let me know.

Q: How much space do Tang and its dependencies require on my router?
A: About 13 MB.

Q: Will the Tang package and its keys be preserved after a firmware update?
A: To my knowledge they won’t be, and based on the comments I’ve read so far on the topic, I’m not sure if it’s even possible. This is yet to be accomplished.

Q: Which EdgeRouter models are compatible?
A: Honestly, not too many, since very few EdgeRouters use the 32-bit little-endian MIPS architecture. Router donations are welcome, but keep in mind, I can’t guarantee I’ll be able to get it to work on MIPS64.

Model              CPU                     Compatible?
EdgeRouter X       MIPS32 little-endian    Yes
EdgeRouter X SFP   MIPS32 little-endian    Yes
EdgeRouter 12      MIPS64 big-endian       No
EdgeRouter 12P     MIPS64 big-endian       No
EdgeRouter 10X     MIPS32 little-endian    Yes
EdgeRouter         MIPS64 big-endian       No
EdgeRouter Pro     MIPS64 big-endian       No
EdgeRouter 6P      MIPS64 big-endian       No
EdgeRouter PoE     MIPS64 big-endian       No
EdgeRouter 4       MIPS64 big-endian       No
EdgeRouter Lite    MIPS64 big-endian       No

That’s about it, cheers!