1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 |
- CLEVIS-LUKS-BIND(1)
- ===================
- :doctype: manpage
- == NAME
- clevis-luks-bind - Bind a LUKS device using the specified policy
- == SYNOPSIS
- *clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
- == OVERVIEW
- The *clevis luks bind* command binds a LUKS device using the specified
- policy. This is accomplished with a simple command:
- $ clevis luks bind -d /dev/sda tang '{"url":...}'
- This command performs four steps:
- 1. Creates a new key with the same entropy as the LUKS master key.
- 2. Encrypts the new key with Clevis.
- 3. Stores the Clevis JWE in the LUKS header.
- 4. Enables the new key for use with LUKS.
- This disk can now be unlocked with your existing password as well as with
- the Clevis policy. You will additionally need to enable one or more of the
- Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)].
- == OPTIONS
- * *-f* :
- Do not prompt for LUKSMeta initialization
- * *-y* :
- Automatically answer yes for all questions. When using _tang_, it
- causes the advertisement trust check to be skipped, which can be
- useful in automated deployments
- * *-d* _DEV_ :
- The LUKS device on which to perform binding
- * *-s* _SLT_ :
- The LUKSMeta slot to use for metadata storage
- * *-t* _TKN_ID_ :
- The LUKS token ID to use; only available for LUKS2
- * *-k* _KEY_ :
- Non-interactively read LUKS password from KEY file
- * *-k* - :
- Non-interactively read LUKS password from standard input
- == CAVEATS
- This command does not change the LUKS master key. This implies that if you
- create a LUKS-encrypted image for use in a Virtual Machine or Cloud
- environment, all the instances that run this image will share a master key.
- This is extremely dangerous and should be avoided at all cost.
- This is not a limitation of Clevis but a design principle of LUKS. If you wish
- to have encrypted root volumes in the cloud, you will need to make sure that
- you perform the OS install method for each instance in the cloud as well.
- The images cannot be shared without also sharing a master key.
- == SEE ALSO
- link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
- link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
- link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
- link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
|