git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: 0d3a01ab38
Branches Tags
clevis
/
doc
/
clevis-luks-bind.1

clevis-luks-bind.1 2.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. .\" Automatically generated by Pandoc 1.19.1
    2. 

  2. .\"
    3. 

  3. .TH "CLEVIS\-LUKS\-BIND" "1" "September 2017" "" ""
    4. 

  4. .hy
    5. 

  5. .SH NAME
    6. 

  6. .PP
    7. 

  7. clevis\-luks\-bind \-\- Bind a LUKSv1 device using the specified policy
    8. 

  8. .SH SYNOPSIS
    9. 

  9. .PP
    10. 

  10. \f[C]clevis\ luks\ bind\f[] [\-f] \-d DEV [\-s SLT] [\-k KEY] PIN CFG
    11. 

  11. .SH OVERVIEW
    12. 

  12. .PP
    13. 

  13. The \f[C]clevis\ luks\ bind\f[] command binds a LUKSv1 device using the
    14. 

  14. specified policy.
    15. 

  15. This is accomplished with a simple command:
    16. 

  16. .IP
    17. 

  17. .nf
    18. 

  18. \f[C]
    19. 

  19. $\ clevis\ luks\ bind\ \-d\ /dev/sda\ tang\ \[aq]{"url":...}\[aq]
    20. 

  20. \f[]
    21. 

  21. .fi
    22. 

  22. .PP
    23. 

  23. This command performs four steps:
    24. 

  24. .IP "1." 3
    25. 

  25. Creates a new key with the same entropy as the LUKS master key.
    26. 

  26. .IP "2." 3
    27. 

  27. Encrypts the new key with Clevis.
    28. 

  28. .IP "3." 3
    29. 

  29. Stores the Clevis JWE in the LUKS header with LUKSMeta.
    30. 

  30. .IP "4." 3
    31. 

  31. Enables the new key for use with LUKS.
    32. 

  32. .PP
    33. 

  33. This disk can now be unlocked with your existing password as well as
    34. 

  34. with the Clevis policy.
    35. 

  35. You will additionally need to enable one or more of the Clevis LUKS
    36. 

  36. unlockers.
    37. 

  37. See \f[C]clevis\-luks\-unlockers\f[](7).
    38. 

  38. .SH OPTIONS
    39. 

  39. .IP \[bu] 2
    40. 

  40. \f[C]\-f\f[] : Do not prompt for LUKSMeta initialization
    41. 

  41. .IP \[bu] 2
    42. 

  42. \f[C]\-d\f[] \f[I]DEV\f[] : The LUKS device on which to perform binding
    43. 

  43. .IP \[bu] 2
    44. 

  44. \f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot to use for metadata
    45. 

  45. storage
    46. 

  46. .IP \[bu] 2
    47. 

  47. \f[C]\-k\f[] \f[I]KEY\f[] : Non\-interactively read LUKS password from
    48. 

  48. KEY file
    49. 

  49. .IP \[bu] 2
    50. 

  50. \f[C]\-k\f[] \- : Non\-interactively read LUKS password from standard
    51. 

  51. input
    52. 

  52. .SH CAVEATS
    53. 

  53. .PP
    54. 

  54. This command does not change the LUKS master key.
    55. 

  55. This implies that if you create a LUKS\-encrypted image for use in a
    56. 

  56. Virtual Machine or Cloud environment, all the instances that run this
    57. 

  57. image will share a master key.
    58. 

  58. This is extremely dangerous and should be avoided at all cost.
    59. 

  59. .PP
    60. 

  60. This is not a limitation of Clevis but a design principle of LUKS.
    61. 

  61. If you wish to have encrypted root volumes in the cloud, you will need
    62. 

  62. to make sure that you perform the OS install method for each instance in
    63. 

  63. the cloud as well.
    64. 

  64. The images cannot be shared without also sharing a master key.
    65. 

  65. .SH SEE ALSO
    66. 

  66. .PP
    67. 

  67. \f[C]clevis\-luks\-unlockers\f[](7), \f[C]clevis\-encrypt\-http\f[](1),
    68. 

  68. \f[C]clevis\-encrypt\-tang\f[](1), \f[C]clevis\-encrypt\-sss\f[](1),
    69. 

  69. \f[C]clevis\-decrypt\f[](1)
    70. 

  70. .SH AUTHORS
    71. 

  71. Nathaniel McCallum <npmccallum@redhat.com>.
    72.