Upgrade RHEL with leapp

July 2, 2026
Ted Brunell
Related topics: Developer tools, Linux, Platform engineering
Related products: Red Hat Enterprise Linux

    Linux Unified Key Setup (LUKS) and FIPS are essential tools for system administrators managing secure environments. However, when it is time to upgrade the operating system, these security features can become significant obstacles. Red Hat Enterprise Linux (RHEL) operates on a predictable 3-year major release cycle with each major version supported for ten years. When the time comes to transition to the next major version, leapp serves as the officially supported tool to perform in-place system upgrades, allowing organizations to retain their original subscriptions, system configurations, and custom repositories without having to completely reinstall machines.

    Limitations

    However, leapp has a known limitation: it officially will not work if the system uses disk encryption for the root filesystem. This hurdle can leave environments stranded, overly reliant on extended life cycle offerings just to keep systems active and supported.

    Fortunately, a clever workaround exists. Administrators can utilize the system's TPM2 module to temporarily bypass the lock while leapp executes the upgrade. The following outlines a basic workflow for upgrading a RHEL 8 system to RHEL 9 using leapp when FIPS and LUKS are both configured.

    Caution: This process is designed for partition-level encryption. If you use individually encrypted logical volumes, this method could fail to proceed past the reboot during the leapp upgrade process.

    LUKS and LVM strategy

    Before diving into the upgrade process, it is helpful to understand the role of Linux Unified Key Setup (LUKS) and the optimal strategy for deploying it. LUKS is the standard encryption specification for Linux, designed to protect data at rest. By encrypting the storage medium, LUKS ensures that if a physical drive is ever compromised or stolen, the contents remain completely inaccessible without the correct passphrase or cryptographic key.

    When configuring encrypted storage with Logical Volume Management (LVM), system administrators must choose whether to apply LUKS to the underlying physical partition (with LVM built on top) or to encrypt individual logical volumes separately. Applying LUKS directly to the raw partition or drive is widely recognized as the best practice. This configuration encrypts the entire LVM physical volume, ensuring that all subsequent logical volumes, filesystem metadata, and even swap space are uniformly protected under a single cryptographic umbrella.

    Furthermore, encrypting the raw partition simplifies the boot process by requiring only a single unlock operation for the entire storage stack. Conversely, encrypting individual logical volumes requires the unlocking of each volume independently. This drastically complicates automation, increases administrative overhead, and, most importantly for this scenario, breaks compatibility with the automated reboot sequences required by the leapp upgrade tool.

    Set the stage

    First, it is crucial to back up all data and equip the system (either a 40GB VM or a physical box) with a TPM2 chip. The hard drive must be fully LUKS encrypted. You can configure FIPS if required by local security policies. You can verify the environment as follows.

    Check the OS version:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 8.10 (Ootpa)

    Check FIPS status by running the following command to ensure it returns enabled: 

    # fips-mode-setup --check
    FIPS mode is enabled.

    Confirm TPM2 is present by running the following and looking for an output of 2:

    # cat /sys/class/tpm/tpm0/tpm_version_major

    Check the storage layout. In this example, /dev/sda2 is the encrypted partition providing protection across all logical volumes. 

    # lsblk
    NAME                                          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
    sda                                             8:0    0   40G  0 disk  
    ├─sda1                                          8:1    0    1G  0 part  /boot
    └─sda2                                          8:2    0   39G  0 part  
      └─luks-95ef6b14-df5c-4400-af81-621f6271adf4 253:0    0   39G  0 crypt 
        ├─rhel-root                               253:1    0   25G  0 lvm   /
        ├─rhel-swap                               253:2    0    4G  0 lvm   [SWAP]
        └─rhel-var                                253:3    0   10G  0 lvm   /var
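
    The layout check behind the caution above can be scripted. This is an added example, not code from the original article: the function name and the sample inputs are constructed, and it assumes the input comes from `lsblk -rno KNAME,TYPE,PKNAME`.

```shell
#!/bin/sh
# Added example (not from the original article).
# Input:  output of `lsblk -rno KNAME,TYPE,PKNAME` (kernel name, type, parent).
# Output: one line per LUKS mapping, classified by what it sits on:
#   partition-level  crypt on a disk or partition (the layout this workflow targets)
#   per-lv           crypt on an LVM logical volume (the layout the caution warns about)
#   other            crypt on anything else; review by hand
# Exit status is 0 only when at least one mapping exists and all are partition-level.
classify_luks_layout() {
    awk '
        { type[$1] = $2; parent[$1] = $3; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                dev = order[i]
                if (type[dev] != "crypt") continue
                found++
                ptype = type[parent[dev]]
                if (ptype == "part" || ptype == "disk") kind = "partition-level"
                else if (ptype == "lvm") kind = "per-lv"
                else kind = "other"
                if (kind != "partition-level") bad++
                print kind, dev, parent[dev]
            }
            exit ((found > 0 && bad == 0) ? 0 : 1)
        }'
}

# Constructed sample: same shape as the article's layout (LUKS on sda2, LVM on top).
sample_partition_level() {
    printf '%s\n' 'sda disk' 'sda1 part sda' 'sda2 part sda' \
        'dm-0 crypt sda2' 'dm-1 lvm dm-0' 'dm-2 lvm dm-0' 'dm-3 lvm dm-0'
}

# Constructed sample: LVM directly on sda2, each logical volume encrypted on its own.
sample_per_lv() {
    printf '%s\n' 'sda disk' 'sda1 part sda' 'sda2 part sda' \
        'dm-0 lvm sda2' 'dm-1 lvm sda2' 'dm-2 crypt dm-0' 'dm-3 crypt dm-1'
}

# On a live system: lsblk -rno KNAME,TYPE,PKNAME | classify_luks_layout
sample_partition_level | classify_luks_layout
sample_per_lv | classify_luks_layout || echo "layout not suited to this workflow"
```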

    The pre-upgrade reality check

    Using leapp is a two-phase process: an upgradability analysis and the actual upgrade. The following steps outline how to install the tools and perform the initial checks.

    Install the necessary packages:

    # yum install -y leapp leapp-upgrade-el8toel9

    Run the pre-upgrade check:

    # leapp preupgrade

    The system remains unmodified, but leapp creates important report files (e.g., /var/log/leapp/leapp-report.txt) which plot the upgrade path. A review of the report overview will likely reveal a few inhibitors preventing the upgrade, most notably the presence of LUKS devices.

    The magic bind: Solving the LUKS inhibitor

    To bypass the LUKS inhibitor, the TPM2 module must temporarily handle the unlock duties, so the system can reboot and unlock itself without requiring manual password entry.

    First, install the Clevis packages:

    # yum install -y clevis-luks clevis-dracut

    Bind a new LUKS key to the TPM module by running:

    # clevis luks bind -d /dev/sda2 tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'

    When prompted, you must enter the existing LUKS password created during installation.

    Verify the key linked successfully:

    # clevis luks list -d /dev/sda2
    1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","...

    Regenerate the initramfs file so the boot process registers this new setup:

    # dracut -fv --regenerate-all

    Finally, reboot the system:

    # reboot

    Note: If the LUKS password box appears during bootup, you should not enter the password. The screen will eventually advance to the login screen on its own.

    Squash remaining inhibitors

    With the LUKS hurdle cleared, running the preupgrade check one more time should confirm that the LUKS inhibitor is completely gone from the report. A leapp upgrade will absolutely not proceed if any inhibitors remain on the system. 

    # leapp preupgrade

    Blocking items are listed in the command output as well as in the /var/log/leapp/leapp-report.txt file. Before proceeding, any remaining inhibitors need to be resolved. You should review the leapp report carefully, and follow the recommended remediation steps for any remaining flags to ensure the system is fully prepped for the jump to RHEL 9.

    Taking the leapp

    Once the preupgrade report returns completely clean, the upgrade can commence. Run the upgrade script with the reboot flag as follows:

    # leapp upgrade --reboot

    This command triggers the upgrade process. The bootloader automatically initializes a special upgrade environment using the menu entry Upgrade-Initramfs.

    This step requires patience since it swaps out packages and updates configurations. During the reboot, the LUKS drive will unlock automatically via the TPM2 bound key without requiring a passphrase. Once the system is back online, you can verify the fresh RHEL 9 installation.

    Check the OS version:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 9.8 (Plow)

    Ensure FIPS is still active:

    # fips-mode-setup --check
    FIPS mode is enabled.

    Verify the storage is intact:

    # lsblk
    NAME                                          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
    sda                                             8:0    0   40G  0 disk  
    ├─sda1                                          8:1    0    1G  0 part  /boot
    └─sda2                                          8:2    0   39G  0 part  
      └─luks-95ef6b14-df5c-4400-af81-621f6271adf4 253:0    0   39G  0 crypt 
        ├─rhel-root                               253:1    0   25G  0 lvm   /
        ├─rhel-swap                               253:2    0    4G  0 lvm   [SWAP]
        └─rhel-var                                253:3    0   10G  0 lvm   /var

    Post-flight cleanup

    Do not leave the TPM2 key bound indefinitely. Once the upgrade is complete, you should remove the bound key so the original passphrase becomes the sole key once again.

    Find the slot number for the TPM2 key:

    # clevis luks list -d /dev/sda2
    1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","...

    If the key is in slot 1, run the following to erase it:

    # clevis luks unbind -d /dev/sda2 -s 1

    Confirm the unrecoverable wipe by typing y and entering the original pre-upgrade passphrase when prompted. On the next reboot, the system will prompt for the original LUKS passphrase, reverting to the standard behavior. These steps ensure a successful and secure upgrade.
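
    To confirm the cleanup took effect, the `clevis luks list` output can be checked for any binding that still lets the TPM unlock the disk. This is an added example, not code from the original article: the function names and sample lines are constructed, and it assumes the "SLOT: PIN 'CONFIG'" line format shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# leftover_tpm2_slots reads `clevis luks list -d <device>` output on stdin and
# prints the slot numbers that can still unlock through the TPM: a direct tpm2
# pin, or an sss policy whose configuration includes a tpm2 pin.
leftover_tpm2_slots() {
    awk '
        /^[0-9]+: / {
            slot = $1; sub(/:$/, "", slot)
            pin = $2
            if (pin == "tpm2" || (pin == "sss" && index($0, "\"tpm2\"") > 0))
                print slot
        }'
}

# audit_device DEVICE: returns 0 when no TPM-backed binding remains, 1 when
# one does, 2 when clevis itself failed (fail closed rather than report clean).
audit_device() {
    listing=$(clevis luks list -d "$1") || return 2
    slots=$(printf '%s\n' "$listing" | leftover_tpm2_slots)
    if [ -n "$slots" ]; then
        echo "TPM2 binding still present on $1 in slot(s): $slots" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing; the configurations are illustrative values.
sample_bound() {
cat <<'EOF'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}'
2: sss '{"t":1,"pins":{"tang":[{"url":"http://tang.example.test"}],"tpm2":[{"hash":"sha256","key":"ecc"}]}}'
3: tang '{"url":"http://tang.example.test"}'
EOF
}

# On a live system (as root): audit_device /dev/sda2
sample_bound | leftover_tpm2_slots
```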
