- .\" Automatically generated by Pandoc 1.19.1
- .\"
- .TH "CLEVIS\-LUKS\-UNLOCKERS" "7" "October 2017" "" ""
- .hy
- .SH OVERVIEW
- .PP
- Clevis provides unlockers for LUKS volumes which can use LUKS policy:
- .IP \[bu] 2
- clevis\-luks\-unlock \- Unlocks manually using the command line.
- .IP \[bu] 2
- dracut \- Unlocks automatically during early boot.
- .IP \[bu] 2
- systemd \- Unlocks automatically during late boot.
- .IP \[bu] 2
- udisks2 \- Unlocks automatically in a GNOME desktop session.
- .PP
- Once a LUKS volume is bound using \f[C]clevis\ luks\ bind\f[], it can be
- unlocked using any of the above unlockers without using a password.
- .SH MANUAL UNLOCKING
- .PP
- You can unlock a LUKS volume manually using the following command:
- .IP
- .nf
- \f[C]
- $\ sudo\ clevis\ luks\ unlock\ \-d\ /dev/sda
- \f[]
- .fi
- .PP
- For more information, see \f[C]clevis\-luks\-unlock\f[](1).
- .SH EARLY BOOT UNLOCKING
- .PP
- If Clevis integration does not already ship in your initramfs, you may
- need to rebuild your initramfs with this command:
- .IP
- .nf
- \f[C]
- $\ sudo\ dracut\ \-f
- \f[]
- .fi
- .PP
- Once Clevis is integrated into your initramfs, a simple reboot should
- unlock your root volume.
- Note, however, that early boot integration only works for the root
- volume.
- Non\-root volumes should use the late boot unlocker.
- .PP
- Dracut will bring up your network using DHCP by default.
- If you need to specify additional network parameters, such as static IP
- configuration, please consult the dracut documentation.
- .SH LATE BOOT UNLOCKING
- .PP
- You can enable late boot unlocking by executing the following command:
- .IP
- .nf
- \f[C]
- $\ sudo\ systemctl\ enable\ clevis\-luks\-askpass.path
- \f[]
- .fi
- .PP
- After a reboot, Clevis will attempt to unlock all \f[C]_netdev\f[]
- devices listed in \f[C]/etc/crypttab\f[] when systemd prompts for their
- passwords.
- This implies that systemd support for \f[C]_netdev\f[] is required.
- .SH DESKTOP UNLOCKING
- .PP
- When the udisks2 unlocker is installed, your GNOME desktop session
- should unlock LUKS removable devices configured with Clevis
- automatically.
- You may need to restart your desktop session after installation for the
- unlocker to be loaded.
- .SH SEE ALSO
- .PP
- \f[C]clevis\-luks\-unlock\f[](1) \f[C]clevis\-luks\-bind\f[](1)
- .SH AUTHORS
- Nathaniel McCallum <npmccallum@redhat.com>.
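The late boot unlocker described above only acts on /etc/crypttab entries marked _netdev, so it helps to see which volumes qualify before enabling clevis-luks-askpass.path. The following is an added example, not part of the Clevis man page or project; the function names and the sample entries are constructed, and it assumes the crypttab(5) layout of name, device, key file and comma-separated options.

```shell
#!/bin/sh
# Added example (not Clevis code): report which crypttab entries carry
# the _netdev option that the late boot unlocker looks for.
# Assumed crypttab(5) fields: name  device  keyfile  options

# Print "name<TAB>device<TAB>late-boot|no-netdev" for each entry in file $1.
classify_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            status = "no-netdev"
            n = split($4, opts, ",")       # $4 is empty if no options field
            for (i = 1; i <= n; i++)
                if (opts[i] == "_netdev") status = "late-boot"
            printf "%s\t%s\t%s\n", $1, $2, status
        }
    ' "$1"
}

# Print only the names of entries marked _netdev.
netdev_volumes() {
    classify_crypttab "$1" | awk -F '\t' '$3 == "late-boot" { print $1 }'
}

# Constructed sample input; device names and UUID are placeholders.
sample_crypttab() {
    cat <<'EOF'
# constructed sample, not from a real system
data    UUID=00000000-0000-0000-0000-000000000001  none  luks,_netdev
backup  /dev/sdb1                                  none  luks
scratch /dev/sdc1                                  none  _netdev,discard
swap    /dev/sdd2                                  /dev/urandom  swap
plain   /dev/sde1
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_crypttab > "$tmp"
classify_crypttab "$tmp"
rm -f "$tmp"
```

To check a real system, call classify_crypttab /etc/crypttab; entries reported as no-netdev will still prompt for a passphrase during late boot.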