I am facing the same issue (I use clevis with TPM in my case)

> When running the unmodified scripts on a completely booted system, they work.
> So it seems that the '< <(...)' mechanism fails only in initrd (no idea why).

After a slightly deeper inspection, the issue is that initramfs scripts are called without /dev/fd symlinked to /proc/self/fd.
You can confirm this by patching /usr/share/initramfs-tools/scripts/local-top/clevis with:

--- clevis +++ clevis-fixed @@ -112,6 +112,8 @@ # Set the path how we want it (Probably not all needed) PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin" + [ -e /dev/fd ] || ln -s -T /proc/self/fd /dev/fd + if [ -x /bin/plymouth ] && plymouth --ping; then cryptkeyscript='plymouth ask-for-password' else

With this patch, the clevis-decrypt works at boot. This is of course not a proper fix. I think the fix should be done either in initramfs-tools init-* scripts or in systemd/udev itself.

In my case, I can say for sure the clevis-decrypt worked in July. I don't know which package update has broken the symlink for the clevis initramfs script.

Best,
Nicolas Bourdaud
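
Review bot: on the added line, the [ -e /dev/fd ] test follows symlinks, so a /dev/fd that is already present as a dangling symlink tests false and the ln -s -T that follows then fails because the name is taken; testing [ -e /dev/fd ] || [ -L /dev/fd ] before linking would cover that case. The line also carries no comment: a short note that the '< <(...)' redirections need /dev/fd and that this is a workaround for the initramfs environment would tell the next reader why it is there.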