diff --git a/.clevis.metadata b/.clevis.metadata
new file mode 100644
index 0000000..4602876
--- /dev/null
+++ b/.clevis.metadata
@@ -0,0 +1 @@
+086374814a4d71db8625d27a1719e03244a7cff0 SOURCES/clevis-11.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f017bbb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/clevis-11.tar.xz
diff --git a/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch b/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch
new file mode 100644
index 0000000..6757e60
--- /dev/null
+++ b/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch
@@ -0,0 +1,34 @@
+From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 16:48:47 +0100
+Subject: [PATCH 3/3] Add device TCTI library to the initramfs
+
+The tpm2-tools don't dynamically link against the TCTI libraries anymore,
+but instead dlopen() the correct library depending on the TCTI used.
+
+So dracut isn't able anymore to figure out automatically using ldd what
+libraries are needed by the tpm2-tools. Since clevis uses the device TCTI
+to access the TPM directly, add the libtss2-tcti-device.so to the initrd.
+
+Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
+
+Fixes: ##74
+---
+ src/luks/systemd/dracut/module-setup.sh.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 41e7d6c9b002..990bf4aeed56 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -65,6 +65,7 @@ install() {
+ 	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
++	inst_libdir_file "libtss2-tcti-device.so*"
+     fi
+ 
+     dracut_need_initqueue
+-- 
+2.19.1
+
diff --git a/SOURCES/Check-key-derivation-key-is-available.patch b/SOURCES/Check-key-derivation-key-is-available.patch
new file mode 100644
index 0000000..bc1be6f
--- /dev/null
+++ b/SOURCES/Check-key-derivation-key-is-available.patch
@@ -0,0 +1,30 @@
+From 8b707e8bfcbfd073579ee553b982b4784490f5ea Mon Sep 17 00:00:00 2001
+From: Daniel Kopecek <dkopecek@redhat.com>
+Date: Wed, 5 Dec 2018 13:18:59 +0100
+Subject: [PATCH] clevis-encrypt-tang: check key derivation key is available
+ before encryption
+
+---
+ src/pins/tang/clevis-encrypt-tang | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
+index e65a7d1..7fc55ca 100755
+--- a/src/pins/tang/clevis-encrypt-tang
++++ b/src/pins/tang/clevis-encrypt-tang
+@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \
+ fi
+ 
+ ### Perform encryption
+-enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`
++if ! enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`; then
++    echo "Key derivation key not available!" >&2
++    exit 1
++fi
++
+ jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
+ 
+ for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
+-- 
+2.13.6
+
diff --git a/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch b/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch
new file mode 100644
index 0000000..36f1361
--- /dev/null
+++ b/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch
@@ -0,0 +1,132 @@
+From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 14:53:08 +0100
+Subject: [PATCH 1/3] Delete remaining references to the removed http pin
+
+Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
+there are still references of it in the docs and also the dracut module.
+
+This was causing dracut to fail building the initramfs due the following:
+
+dracut-install: ERROR: installing 'clevis-decrypt-http'
+
+Suggested-by: Dominick Grift <dac.override@gmail.com>
+
+Fixes: #73
+---
+ README.md                                  | 21 ---------------------
+ src/clevis.1.adoc                          | 21 ---------------------
+ src/luks/clevis-luks-bind.1.adoc           |  1 -
+ src/luks/systemd/dracut/module-setup.sh.in |  1 -
+ src/pins/sss/clevis-encrypt-sss.1.adoc     |  1 -
+ 5 files changed, 45 deletions(-)
+
+diff --git a/README.md b/README.md
+index ce8def12ec96..d57339aca5d9 100644
+--- a/README.md
++++ b/README.md
+@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When
+ the advertisment is specified manually like this, Clevis presumes that the
+ advertisement is trusted.
+ 
+-#### PIN: HTTP
+-
+-Clevis also ships a pin for performing escrow using HTTP. Please note that,
+-at this time, this pin does not provide HTTPS support and is suitable only
+-for use over local sockets. This provides integration with services like
+-[Custodia](http://github.com/latchset/custodia).
+-
+-For example:
+-
+-```bash
+-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
+-```
+-
+-The HTTP pin generate a new (cryptographically-strong random) key and performs
+-encryption using it. It then performs a PUT request to the URL specified. It is
+-understood that the server will securely store this key for later retrieval.
+-During decryption, the pin will perform a GET request to retrieve the key and
+-perform decryption.
+-
+-Patches to provide support for HTTPS and authentication are welcome.
+-
+ #### PIN: TPM2
+ 
+ Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
+diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc
+index 756aba57a4c8..dea0a696f5f7 100644
+--- a/src/clevis.1.adoc
++++ b/src/clevis.1.adoc
+@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to
+ encrypt the data so that it can be automatically decrypted if the policy is
+ met. Lets walk through an example.
+ 
+-== HTTP ESCROW
+-
+-When using the HTTP pin, we create a new, cryptographically-strong, random key.
+-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
+-Then at decryption time, we attempt to fetch the key back again in order to
+-decrypt our data. So, for our configuration we need to pass the URL to the key
+-location:
+-
+-    $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
+-
+-To decrypt the data, simply provide the ciphertext (JWE):
+-
+-    $ clevis decrypt < JWE > PLAINTEXT
+-
+-Notice that we did not pass any configuration during decryption. The decrypt
+-command extracted the URL (and possibly other configuration) from the JWE
+-object, fetched the encryption key from the escrow and performed decryption.
+-
+-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
+-
+ == TANG BINDING
+ 
+ Clevis provides support for the Tang network binding server. Tang provides
+@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
+index 9f3a880cfb0c..0d649e3ec28b 100644
+--- a/src/luks/clevis-luks-bind.1.adoc
++++ b/src/luks/clevis-luks-bind.1.adoc
+@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key.
+ == SEE ALSO
+ 
+ link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 119762e38326..48aea5b3f29a 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -36,7 +36,6 @@ install() {
+     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+ 
+     inst_multiple /etc/services \
+-        clevis-decrypt-http \
+         clevis-decrypt-tang \
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
+index d46498db328c..7144e7e9ea96 100644
+--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
+@@ -54,6 +54,5 @@ receive key fragments.
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+-- 
+2.19.1
+
diff --git a/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch b/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
new file mode 100644
index 0000000..28082b7
--- /dev/null
+++ b/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
@@ -0,0 +1,49 @@
+From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 15:12:17 +0100
+Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs
+
+The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes
+automatic LUKS unlocking fail with the following errors:
+
+dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found
+dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found
+
+Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
+
+Fixes: #74
+---
+ src/luks/systemd/dracut/module-setup.sh.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 48aea5b3f29a..41e7d6c9b002 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -40,6 +40,7 @@ install() {
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+         clevis-decrypt \
++        cryptsetup \
+         luksmeta \
+         clevis \
+         mktemp \
+@@ -49,6 +50,7 @@ install() {
+ 
+     for cmd in clevis-decrypt-tpm2 \
+ 	tpm2_createprimary \
++	tpm2_pcrlist \
+ 	tpm2_unseal \
+ 	tpm2_load; do
+ 
+@@ -60,6 +62,7 @@ install() {
+     if (($ret == 0)); then
+ 	inst_multiple clevis-decrypt-tpm2 \
+ 	    tpm2_createprimary \
++	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
+     fi
+-- 
+2.19.1
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
new file mode 100644
index 0000000..d72e15d
--- /dev/null
+++ b/SPECS/clevis.spec
@@ -0,0 +1,223 @@
+%global _hardened_build 1
+
+Name:           clevis
+Version:        11
+Release:        2%{?dist}
+Summary:        Automated decryption framework
+
+License:        GPLv3+
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+
+Patch0: Delete-remaining-references-to-the-removed-http-pin.patch
+Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
+Patch2: Add-device-TCTI-library-to-the-initramfs.patch
+Patch3: Check-key-derivation-key-is-available.patch
+
+BuildRequires:  gcc
+BuildRequires:  meson
+BuildRequires:  asciidoc
+BuildRequires:  ninja-build
+BuildRequires:  bash-completion
+
+BuildRequires:  libjose-devel >= 8
+BuildRequires:  libluksmeta-devel >= 8
+BuildRequires:  audit-libs-devel
+BuildRequires:  libudisks2-devel
+BuildRequires:  openssl-devel
+
+BuildRequires:  tpm2-tools >= 3.0.0
+BuildRequires:  desktop-file-utils
+BuildRequires:  pkgconfig
+BuildRequires:  systemd
+BuildRequires:  dracut
+BuildRequires:  tang >= 6
+BuildRequires:  curl
+
+Requires:       tpm2-tools >= 3.0.0
+Requires:       coreutils
+Requires:       jose >= 8
+Requires:       curl
+Requires(pre):  shadow-utils
+
+%description
+Clevis is a framework for automated decryption. It allows you to encrypt
+data using sophisticated unlocking policies which enable decryption to
+occur automatically.
+
+The clevis package provides basic encryption/decryption policy support.
+Users can use this directly; but most commonly, it will be used as a
+building block for other packages. For example, see the clevis-luks
+and clevis-dracut packages for automatic root volume unlocking of LUKSv1
+volumes during early boot.
+
+%package luks
+Summary:        LUKSv1 integration for clevis
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       cryptsetup
+Requires:       luksmeta >= 8
+
+%description luks
+LUKSv1 integration for clevis. This package allows you to bind a LUKSv1
+volume to a clevis unlocking policy. For automated unlocking, an unlocker
+will also be required. See, for example, clevis-dracut and clevis-udisks2.
+
+%package systemd
+Summary:        systemd integration for clevis
+Requires:       %{name}-luks%{?_isa} = %{version}-%{release}
+%if 0%{?fedora} > 27
+Requires:       systemd%{?_isa} >= 235-3
+%else
+%if 0%{?fedora} == 27
+Requires:       systemd%{?_isa} >= 234-9
+%else
+%if 0%{?fedora} == 26
+Requires:       systemd%{?_isa} >= 233-7
+%else
+Requires:       systemd%{?_isa} >= 236
+%endif
+%endif
+%endif
+Requires:       nc
+
+%description systemd
+Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab.
+
+%package dracut
+Summary:        Dracut integration for clevis
+Requires:       %{name}-systemd%{?_isa} = %{version}-%{release}
+Requires:       dracut-network
+
+%description dracut
+Automatically unlocks LUKSv1 block devices in early boot.
+
+%package udisks2
+Summary:        UDisks2/Storaged integration for clevis
+Requires:       %{name}-luks%{?_isa} = %{version}-%{release}
+
+%description udisks2
+Automatically unlocks LUKSv1 block devices in desktop environments that
+use UDisks2 or storaged (like GNOME).
+
+%prep
+%autosetup -p1
+
+%build
+%meson -Duser=clevis -Dgroup=clevis
+%meson_build
+
+%install
+%meson_install
+
+%check
+desktop-file-validate \
+  %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%meson_test
+
+%pre
+getent group %{name} >/dev/null || groupadd -r %{name}
+getent passwd %{name} >/dev/null || \
+    useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
+    -c "Clevis Decryption Framework unprivileged user" %{name}
+exit 0
+
+%files
+%license COPYING
+%{_datadir}/bash-completion/
+%{_bindir}/%{name}-decrypt-tang
+%{_bindir}/%{name}-decrypt-tpm2
+%{_bindir}/%{name}-decrypt-sss
+%{_bindir}/%{name}-decrypt
+%{_bindir}/%{name}-encrypt-tang
+%{_bindir}/%{name}-encrypt-tpm2
+%{_bindir}/%{name}-encrypt-sss
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}-encrypt-tang.1*
+%{_mandir}/man1/%{name}-encrypt-tpm2.1*
+%{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-decrypt.1*
+%{_mandir}/man1/%{name}.1*
+
+%files luks
+%{_mandir}/man7/%{name}-luks-unlockers.7*
+%{_mandir}/man1/%{name}-luks-unlock.1*
+%{_mandir}/man1/%{name}-luks-unbind.1*
+%{_mandir}/man1/%{name}-luks-bind.1*
+%{_bindir}/%{name}-luks-unlock
+%{_bindir}/%{name}-luks-unbind
+%{_bindir}/%{name}-luks-bind
+
+%files systemd
+%{_libexecdir}/%{name}-luks-askpass
+%{_unitdir}/%{name}-luks-askpass.path
+%{_unitdir}/%{name}-luks-askpass.service
+
+%files dracut
+%{_prefix}/lib/dracut/modules.d/60%{name}
+
+%files udisks2
+%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
+
+%changelog
+* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
+- Check that key derivation key is available
+- Delete remaining references to the removed http pin
+- Install cryptsetup and tpm2_pcrlist in the initramfs
+- Add device TCTI library to the initramfs
+  Resolves: rhbz#1648004
+  Resolves: rhbz#1650246
+
+* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
+- Update to v11
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
+- Update to v10
+
+* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
+- Update to v9
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
+- Update to v8
+
+* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
+- Rebuild for cryptsetup-2.0.0
+
+* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
+- Update to v7
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
+- New upstream release
+- Specify unprivileged user/group during configuration
+- Move clevis user/group creation to base clevis package
+
+* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
+- New upstream release
+- Run clevis decryption from udisks2 under an unprivileged user
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
+- New upstream release
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
+- New upstream release
+
+* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
+- First release