diff --git a/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch b/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
new file mode 100644
index 0000000..7dcd5ac
--- /dev/null
+++ b/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
@@ -0,0 +1,16 @@
+--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
++++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
+@@ -413,7 +413,12 @@
+ clevis_devices=
+
+ # Build list of devices to unlock.
+- while read -r _ crypt_device _; do
++ while read -r _volname_ crypt_device _; do
++ # skip empty lines and lines which begin with the '#' char, per
++ # crypttab(5)
++ case $_volname_ in
++ ''|\#*) continue ;;
++ esac
+ if ! dev=$(clevis_map_device "${crypt_device}") \
+ || [ -z "${dev}" ]; then
+ # Unable to get the device - maybe it's not available, e.g. a
diff --git a/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
new file mode 100644
index 0000000..4b18e61
--- /dev/null
+++ b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
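Review bot: `_volname_` is introduced on the `while read` line without a `local` declaration, while the same file (`clevis-luks-common-functions`) declares function variables with `local`, as the `local dump filter bits` line in this commit's 0013 patch shows; if this loop lives inside a function, the new variable leaks into the caller's shell, so `local _volname_` next to `clevis_devices=` would keep it scoped. The skip logic itself looks right: with the default IFS, `read` strips leading whitespace, so indented comment lines and whitespace-only lines both land in the `''|\#*)` arm. The enclosing function starts and ends outside the hunk.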
@@ -0,0 +1,73 @@
+--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
+@@ -101,7 +101,7 @@
+
+ This command performs four steps:
+
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
+@@ -20,7 +20,7 @@
+
+ This command performs four steps:
+
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
++++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
+@@ -865,6 +865,7 @@
+ [ -z "${DEV}" ] && return 1
+
+ local dump filter bits
++ local MAX_ENTROPY_BITS=256
+ dump=$(cryptsetup luksDump "${DEV}")
+ if cryptsetup isLuks --type luks1 "${DEV}"; then
+ filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+@@ -876,6 +877,9 @@
+ fi
+
+ bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
++ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
++ bits="${MAX_ENTROPY_BITS}"
++ fi
+ pwmake "${bits}"
+ }
+
+--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
++++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
+@@ -19,6 +19,8 @@
+ # along with this program. If not, see .
+ #
+
++. clevis-luks-common-functions
++
+ SUMMARY="Binds a LUKS device using the specified policy"
+ UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+@@ -139,14 +141,11 @@
+ fi
+
+ # Generate a key with the same entropy as the LUKS Master Key
+-key="$(pwmake "$(
+-cryptsetup luksDump "$DEV" \
+- | if [ "$luks_type" == "luks1" ]; then
+- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
+- else
+- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
+- fi | sort -n | tail -n 1
+-)")"
++if ! key="$(clevis_luks_generate_key "${DEV}")" \
++ || [ -z "${key}" ]; then
++ echo "Unable to generate key for ${DEV}" >&2
++ return 1
++fi
+
+ # Encrypt the new key
+ jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
diff --git a/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
new file mode 100644
index 0000000..0280ec5
--- /dev/null
+++ b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
@@ -0,0 +1,11 @@
+--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
+@@ -173,7 +173,7 @@
+
+ echo "Updating binding..."
+ if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
+- "-y" "overwrite" 2>/dev/null; then
++ "-y" "overwrite"; then
+ echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
+ exit 1
+ fi
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index c63c7b3..592ac6e 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@ Name: clevis Version: 15 -Release: 11%{?dist} +Release: 14%{?dist} Summary: Automated decryption framework License: GPLv3+
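Review bot: The new error path in `clevis-luks-bind.in` ends with `return 1`, but the surrounding lines (`# Generate a key ...`, the old `key=` assignment, `jwe=`) read like the script's top level rather than a function body; in bash a `return` outside any function in a non-sourced script prints "return: can only `return' from a function or sourced script" and, unless `set -e` is in effect, execution continues into `clevis encrypt` with an empty `key`, so `exit 1` is the safer form unless this code is confirmed to sit inside a function. Separately, in `clevis_luks_generate_key` the added `[ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]` test prints an error and returns non-zero when the `sed` filter matched nothing and `bits` is empty, and the `if` then falls through to `pwmake ""` exactly as before; guarding it as `if [ -n "${bits}" ] && [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then` keeps stderr clean and leaves the empty case to the caller's new `[ -z "${key}" ]` check. Both enclosing blocks start outside their hunks.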
@@ -20,6 +20,9 @@ Patch0008: 0008-tang-dump-url-on-error-communication.patch Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch Patch0010: 0010-avoid-clevis-invalid-msg.patch Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch +Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch +Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch +Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch BuildRequires: git BuildRequires: gcc
@@ -200,6 +203,18 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Mon Jan 16 2023 Sergio Arroutbi - 15-14 +- luks-edit: remove unnecessary 2>/dev/null + Resolves: rhbz#2159739 + +* Wed Jan 11 2023 Sergio Arroutbi - 15-13 +- luks: define max entropy bits for pwmake + Resolves: rhbz#2159736 + +* Wed Jan 11 2023 Sergio Arroutbi - 15-12 +- Ignore empty & comment lines in crypttab + Resolves: rhbz#2159440 + * Tue Aug 02 2022 Sergio Arroutbi - 15-11 - Start clevis-luks-askpass.path service according to global policy Resolves: rhbz#2107081