1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 |
- .\" Automatically generated by Pandoc 1.19.1
- .\"
- .TH "CLEVIS\-LUKS\-BIND" "1" "September 2017" "" ""
- .hy
- .SH NAME
- .PP
- clevis\-luks\-bind \-\- Bind a LUKSv1 device using the specified policy
- .SH SYNOPSIS
- .PP
- \f[C]clevis\ luks\ bind\f[] [\-f] \-d DEV [\-s SLT] [\-k KEY] PIN CFG
- .SH OVERVIEW
- .PP
- The \f[C]clevis\ luks\ bind\f[] command binds a LUKSv1 device using the
- specified policy.
- This is accomplished with a simple command:
- .IP
- .nf
- \f[C]
- $\ clevis\ luks\ bind\ \-d\ /dev/sda\ tang\ \[aq]{"url":...}\[aq]
- \f[]
- .fi
- .PP
- This command performs four steps:
- .IP "1." 3
- Creates a new key with the same entropy as the LUKS master key.
- .IP "2." 3
- Encrypts the new key with Clevis.
- .IP "3." 3
- Stores the Clevis JWE in the LUKS header with LUKSMeta.
- .IP "4." 3
- Enables the new key for use with LUKS.
- .PP
- This disk can now be unlocked with your existing password as well as
- with the Clevis policy.
- You will additionally need to enable one or more of the Clevis LUKS
- unlockers.
- See \f[C]clevis\-luks\-unlockers\f[](7).
- .SH OPTIONS
- .IP \[bu] 2
- \f[C]\-f\f[] : Do not prompt for LUKSMeta initialization
- .IP \[bu] 2
- \f[C]\-d\f[] \f[I]DEV\f[] : The LUKS device on which to perform binding
- .IP \[bu] 2
- \f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot to use for metadata
- storage
- .IP \[bu] 2
- \f[C]\-k\f[] \f[I]KEY\f[] : Non\-interactively read LUKS password from
- KEY file
- .IP \[bu] 2
- \f[C]\-k\f[] \- : Non\-interactively read LUKS password from standard
- input
- .SH CAVEATS
- .PP
- This command does not change the LUKS master key.
- This implies that if you create a LUKS\-encrypted image for use in a
- Virtual Machine or Cloud environment, all the instances that run this
- image will share a master key.
- This is extremely dangerous and should be avoided at all cost.
- .PP
- This is not a limitation of Clevis but a design principle of LUKS.
- If you wish to have encrypted root volumes in the cloud, you will need
- to make sure that you perform the OS install method for each instance in
- the cloud as well.
- The images cannot be shared without also sharing a master key.
- .SH SEE ALSO
- .PP
- \f[C]clevis\-luks\-unlockers\f[](7), \f[C]clevis\-encrypt\-http\f[](1),
- \f[C]clevis\-encrypt\-tang\f[](1), \f[C]clevis\-encrypt\-sss\f[](1),
- \f[C]clevis\-decrypt\f[](1)
- .SH AUTHORS
- Nathaniel McCallum <npmccallum@redhat.com>.
|