Tang offline provisioning support
- Epic
- Resolution: Done
- Normal
- Upstream
- To Do
- OCPSTRAT-295 - Offline network-bound disk encryption provisioning
- 0% To Do, 0% In Progress, 100% Done
- Sprint 228 - Team FirstBoot
[1389562107] Upstream Reporter: Jonathan Lebon
Upstream issue status: Closed
Upstream description:
# Feature Request
## Environment
Applicable to any environment where disk encryption is desirable.
## Desired Feature
I was recently made aware that Tang supports offline provisioning by obtaining the advertisement out of band and passing it directly to Clevis (see the final paragraphs of [this section](https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc#overview)).
This could be useful for example to provision a machine in one environment, and then move it into its final location where a secure connection to the Tang server is available for subsequent boots. (Edit: actually the use case that motivated this RFE is described in #issuecomment-1262556065.)
We should consider adding support for this in Ignition.
## Other Information
Using a custom pin for this almost works:
```json
"clevis": {
  "custom": {
    "config": "{\"url\": \"http://192.168.122.1:8000\", \"adv\": {\"payload\": \"...\", \"protected\": \"...\", \"signature\": \"...\"}}",
    "needsNetwork": true,
    "pin": "tang"
  }
},
```
There are two problems however:
1. `needsNetwork` controls networking for both first boot and subsequent boots, but we don't actually need the network on first boot and one may not even be available.
2. The `disks` stage by default [will close and reopen the devices](https://github.com/coreos/ignition/blob/816fa993ee30ccd5121374377fe29b96dd27b64f/internal/exec/stages/disks/luks.go#L315-L327) as a sanity check; re-opening will fail if Clevis can't reach the Tang server.
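As an added example (my code, not from this issue or the Ignition project), this builds the custom-pin entry above from an advertisement obtained out of band: the tang pin config is a string inside the Ignition JSON, so it has to be JSON-encoded a second time (the hand-written snippet above misses that quoting), and the advertisement is shape-checked as a JWS carrying a JWK set before it is embedded. The sample advertisement is constructed, not real Tang key material, and the function and field names are my own.

```python
import base64
import json


def _b64url_decode(data: str) -> bytes:
    # JWS fields are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_tang_advertisement(adv: dict) -> list:
    """Shape check for an advertisement obtained out of band: a JWS whose
    payload is a JWK set. Returns the advertised keys."""
    for field in ("payload", "protected", "signature"):
        if not isinstance(adv.get(field), str) or not adv[field]:
            raise ValueError(f"advertisement is missing JWS field {field!r}")
    keys = json.loads(_b64url_decode(adv["payload"])).get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("advertisement payload carries no keys")
    return keys


def build_clevis_custom_tang(url: str, adv: dict, needs_network: bool = True) -> dict:
    """Build the Ignition `clevis` object for a custom tang pin. The custom
    pin takes its config as a string, so the tang config (with the inline
    advertisement) is JSON-encoded a second time; the hand-written snippet
    in the issue broke on exactly that quoting."""
    check_tang_advertisement(adv)
    return {
        "custom": {
            "config": json.dumps({"url": url, "adv": adv}),
            "needsNetwork": needs_network,
            "pin": "tang",
        }
    }


# Constructed sample advertisement (not real Tang key material): payload is a
# one-key JWK set, the protected header is ES512, the signature a placeholder.
SAMPLE_ADV = {
    "payload": _b64url_encode(json.dumps({"keys": [
        {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"],
         "x": "AAAA", "y": "BBBB"}]}).encode()),
    "protected": _b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": "c2lnbmF0dXJl",
}
```

Wrapping the returned object as `{"luks": [{"clevis": ...}]}` gives the Ignition fragment the issue shows; the escaped `config` string is what Ignition expects.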
- depends on: MCO-496 Rebase old 3.3 ignition PR, prepare for ignition bump for 4.13 (Closed)
- is depended on by: RFE-3271 Support for Tang offline provisioning (Accepted)
- is related to: OCPSTRAT-295 Offline network-bound disk encryption provisioning (Closed)