git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: ba74221dd9
Branches Tags
clevis
/
doc
/
clevis-luks-unlockers.7

clevis-luks-unlockers.7 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. .\" Automatically generated by Pandoc 1.19.1
    2. 

  2. .\"
    3. 

  3. .TH "CLEVIS\-LUKS\-UNLOCKERS" "7" "October 2017" "" ""
    4. 

  4. .hy
    5. 

  5. .SH OVERVIEW
    6. 

  6. .PP
    7. 

  7. Clevis provides unlockers for LUKS volumes which can use LUKS policy:
    8. 

  8. .IP \[bu] 2
    9. 

  9. clevis\-luks\-unlock \- Unlocks manually using the command line.
    10. 

  10. .IP \[bu] 2
    11. 

  11. dracut \- Unlocks automatically during early boot.
    12. 

  12. .IP \[bu] 2
    13. 

  13. systemd \- Unlocks automatically during late boot.
    14. 

  14. .IP \[bu] 2
    15. 

  15. udisks2 \- Unlocks automatically in a GNOME desktop session.
    16. 

  16. .PP
    17. 

  17. Once a LUKS volume is bound using \f[C]clevis\ luks\ bind\f[], it can be
    18. 

  18. unlocked using any of the above unlockers without using a password.
    19. 

  19. .SH MANUAL UNLOCKING
    20. 

  20. .PP
    21. 

  21. You can unlock a LUKS volume manually using the following command:
    22. 

  22. .IP
    23. 

  23. .nf
    24. 

  24. \f[C]
    25. 

  25. $\ sudo\ clevis\ luks\ unlock\ \-d\ /dev/sda
    26. 

  26. \f[]
    27. 

  27. .fi
    28. 

  28. .PP
    29. 

  29. For more information, see \f[C]clevis\-luks\-unlock\f[](1).
    30. 

  30. .SH EARLY BOOT UNLOCKING
    31. 

  31. .PP
    32. 

  32. If Clevis integration does not already ship in your initramfs, you may
    33. 

  33. need to rebuild your initramfs with this command:
    34. 

  34. .IP
    35. 

  35. .nf
    36. 

  36. \f[C]
    37. 

  37. $\ sudo\ dracut\ \-f
    38. 

  38. \f[]
    39. 

  39. .fi
    40. 

  40. .PP
    41. 

  41. Once Clevis is integrated into your initramfs, a simple reboot should
    42. 

  42. unlock your root volume.
    43. 

  43. Note, however, that early boot integration only works for the root
    44. 

  44. volume.
    45. 

  45. Non\-root volumes should use the late boot unlocker.
    46. 

  46. .PP
    47. 

  47. Dracut will bring up your network using DHCP by default.
    48. 

  48. If you need to specify additional network parameters, such as static IP
    49. 

  49. configuration, please consult the dracut documentation.
    50. 

  50. .SH LATE BOOT UNLOCKING
    51. 

  51. .PP
    52. 

  52. You can enable late boot unlocking by executing the following command:
    53. 

  53. .IP
    54. 

  54. .nf
    55. 

  55. \f[C]
    56. 

  56. $\ sudo\ systemctl\ enable\ clevis\-luks\-askpass.path
    57. 

  57. \f[]
    58. 

  58. .fi
    59. 

  59. .PP
    60. 

  60. After a reboot, Clevis will attempt to unlock all \f[C]_netdev\f[]
    61. 

  61. devices listed in \f[C]/etc/crypttab\f[] when systemd prompts for their
    62. 

  62. passwords.
    63. 

  63. This implies that systemd support for \f[C]_netdev\f[] is required.
    64. 

  64. .SH DESKTOP UNLOCKING
    65. 

  65. .PP
    66. 

  66. When the udisks2 unlocker is installed, your GNOME desktop session
    67. 

  67. should unlock LUKS removable devices configured with Clevis
    68. 

  68. automatically.
    69. 

  69. You may need to restart your desktop session after installation for the
    70. 

  70. unlocker to be loaded.
    71. 

  71. .SH SEE ALSO
    72. 

  72. .PP
    73. 

  73. \f[C]clevis\-luks\-unlock\f[](1) \f[C]clevis\-luks\-bind\f[](1)
    74. 

  74. .SH AUTHORS
    75. 

  75. Nathaniel McCallum <npmccallum@redhat.com>.
    76.