diff --git a/app-crypt/clevis/Manifest b/app-crypt/clevis/Manifest
new file mode 100644
index 0000000..b19fca0
--- /dev/null
+++ b/app-crypt/clevis/Manifest
@@ -0,0 +1,4 @@
+AUX clevis-tpm2-tools-5.patch 5784 BLAKE2B dc7d29ce4f218ab5cb2720dceeb17966277040366d0e4eb14c5361a36d601621697218e3708959b2d70662451527ccd95a809a5d7c3aa5c9c90eb286bec9f059 SHA512 c4eda96618898da17963d3ecc3e75ea5d783af2adb597594d86dc595d7ab2a1129e9d982ddeaec8ac3432d2676a505c5348c8ff5e542924644a6aaf8db41f58c
+DIST clevis-15.tar.xz 62856 BLAKE2B 7cb4d5f10314718a32175c7cee31448b316f70545736fbf1ce37b6119111622beaae8288449a45cde87ea9113ad0266c5646c50a23e782e9fcd0ddfcca5fea5b SHA512 8a84b9e081d02742c2c718bdc8b2c834764da6ec9ad1ae5640e8af80a38c2a1ec83eeea5de7696f60f7dd8f165b3dc527290831621440b1a46459d2c8bd56918
+EBUILD clevis-15.ebuild 950 BLAKE2B b99a2cf3c8d06e762cfd4c22290829d1df05af8cd8363ddb1946adbbfb380a815323116695ca85f1acdd6d99b03e593814d7aea3c3f9f7060714b180893b1ae2 SHA512 45a89d4ae9b802da288281c08c73d237e66dfe951267f3dada6baefe3b532649bfceec73a0f2b7b439839284303f2b361aa0ffdd6587a59114cfa0f1a6369ee1
+MISC metadata.xml 339 BLAKE2B 22a58137717e070a7569fa1bd601e07802e722f947645290fced36991e7b863ed904fa708c0fbaf16e2ad57effa252fc2f99998de695b9a7b9b35991912538bf SHA512 45d27acd78f71ac07f762282f61d167e11f0de2aeafcf03193f3d43401c19f97a72b79cc8811ba2e8ab6b15ad289aeecb00bd402cd98639f479f3b24c4ae737f
diff --git a/app-crypt/clevis/clevis-15.ebuild b/app-crypt/clevis/clevis-15.ebuild
new file mode 100644
index 0000000..8c2f2db
--- /dev/null
+++ b/app-crypt/clevis/clevis-15.ebuild
@@ -0,0 +1,39 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson systemd
+
+DESCRIPTION="Clevis is a plugable framework for automated decryption"
+HOMEPAGE="https://latchset.github.io/"
+SRC_URI="https://github.com/latchset/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="bash-completion dracut luks1 systemd tpm udisks"
+
+REQUIRED_USE="dracut? ( systemd )"
+
+DEPEND="tpm? ( >=app-crypt/tpm2-tools-4.0 )
+ app-text/asciidoc
+ luks1? ( >=sys-fs/luksmeta-8 )
+ || (
+ dev-libs/openssl:0=
+ dev-libs/libressl:0=
+ )
+ systemd? ( sys-apps/systemd )
+ net-misc/curl
+ >=dev-libs/jansson-2.10
+ >=dev-libs/jose-8
+ >=sys-fs/cryptsetup-2.0.4[pwquality]
+ dracut? ( sys-kernel/dracut )
+ udisks? ( sys-fs/udisks:2 )
+ >=sys-process/audit-2.7.8
+ bash-completion? ( app-shells/bash-completion )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/clevis-tpm2-tools-5.patch
+)
diff --git a/app-crypt/clevis/files/clevis-tpm2-tools-5.patch b/app-crypt/clevis/files/clevis-tpm2-tools-5.patch
new file mode 100644
index 0000000..604ea53
--- /dev/null
+++ b/app-crypt/clevis/files/clevis-tpm2-tools-5.patch
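Review bot: The tpm dependency `tpm? ( >=app-crypt/tpm2-tools-4.0 )` in DEPEND has no upper bound, while the bundled clevis-tpm2-tools-5.patch makes the pin exit with an error for any tpm2-tools major version above 5, so a future tpm2-tools 6 would be accepted by the package manager and then fail only at decrypt time, which for a pin typically used to unlock LUKS volumes at boot surfaces as a failed unlock rather than a clean dependency conflict. Consider `tpm? ( >=app-crypt/tpm2-tools-4.0 <app-crypt/tpm2-tools-6 )` and revisiting the bound whenever the pin's version check changes. Also, app-text/asciidoc is presumably only needed to build the man pages, so under EAPI 7 it belongs in BDEPEND rather than being pulled into RDEPEND through `RDEPEND="${DEPEND}"`; and IUSE declares six flags but no src_configure passes them to meson, so it looks as if they only gate dependencies and not what actually gets built — worth confirming against the upstream meson options. Minor: "plugable" in DESCRIPTION should read "pluggable".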
@@ -0,0 +1,118 @@
+From ef76951e4486dadf41ca8085e09849466a0c7fd3 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel
+Date: Wed, 11 Nov 2020 12:43:18 +0100
+Subject: [PATCH] pins/tpm2: add support for tpm2-tools 5.X
+
+tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
+the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
+instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
+are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
+creating another special case, since the option syntax has not changed (it
+should be stable since version 4).
+
+tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
+distributions, so keep supporting it for now at least.
+---
+ src/pins/tpm2/clevis-decrypt-tpm2 | 12 ++++++------
+ src/pins/tpm2/clevis-encrypt-tpm2 | 16 ++++++++--------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
+index 83bf8f0..6226cb7 100755
+--- a/src/pins/tpm2/clevis-decrypt-tpm2
++++ b/src/pins/tpm2/clevis-decrypt-tpm2
+@@ -49,8 +49,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+- echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++ echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+ exit 1
+ fi
+ 
+@@ -135,7 +135,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+- 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++ 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -146,8 +146,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+ -C "$TMP"/load.context || fail=$?;;
+- 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+- -c "$TMP"/load.context || fail=$?;;
++ 4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
++ -c "$TMP"/load.context || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -157,7 +157,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
+- 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
++ 4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
+index 16d35c4..69a1126 100755
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -71,8 +71,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+- echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++ echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+ exit 1
+ fi
+ 
+@@ -153,7 +153,7 @@ trap 'on_exit' EXIT
+ 
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+- 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++ 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -166,7 +166,7 @@ if [ -n "$pcr_ids" ]; then
+ if [ -z "$pcr_digest" ]; then
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+- 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
++ 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -183,8 +183,8 @@ if [ -n "$pcr_ids" ]; then
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
+- 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+- -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
++ 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
++ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -200,8 +200,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
+- 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+- -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
++ 4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
++ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
diff --git a/app-crypt/clevis/metadata.xml b/app-crypt/clevis/metadata.xml
new file mode 100644
index 0000000..c4815f7
--- /dev/null
+++ b/app-crypt/clevis/metadata.xml
@@ -0,0 +1,11 @@
+
+
+
+
+ alex@millerson.name
+ Alexander Miroshnichenko
+
+
+ latchset/clevis
+
+