clevis-luks-bind.1.adoc 2.2 KB

===================
:doctype: manpage

== NAME

clevis-luks-bind - Bind a LUKS device using the specified policy

== SYNOPSIS

*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG

== OVERVIEW

The *clevis luks bind* command binds a LUKS device using the specified
policy. This is accomplished with a simple command:

    $ clevis luks bind -d /dev/sda tang '{"url":...}'

This command performs four steps:

1. Creates a new key with the same entropy as the LUKS master key.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.

This disk can now be unlocked with your existing password as well as with
the Clevis policy. You will additionally need to enable one or more of the
Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)].

== OPTIONS

* *-f* :
  Do not prompt for LUKSMeta initialization

* *-y* :
  Automatically answer yes for all questions. When using _tang_, it
  causes the advertisement trust check to be skipped, which can be
  useful in automated deployments

* *-d* _DEV_ :
  The LUKS device on which to perform binding

* *-s* _SLT_ :
  The LUKSMeta slot to use for metadata storage

* *-t* _TKN_ID_ :
  The LUKS token ID to use; only available for LUKS2

* *-k* _KEY_ :
  Non-interactively read LUKS password from KEY file

* *-k* - :
  Non-interactively read LUKS password from standard input

== CAVEATS

This command does not change the LUKS master key. This implies that if you
create a LUKS-encrypted image for use in a Virtual Machine or Cloud
environment, all the instances that run this image will share a master key.
This is extremely dangerous and should be avoided at all costs.

This is not a limitation of Clevis but a design principle of LUKS. If you wish
to have encrypted root volumes in the cloud, you will need to make sure that
you perform the OS installation for each instance in the cloud as well.
The images cannot be shared without also sharing a master key.
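
One way to audit a fleet for the shared-master-key condition described above, as an added example that is not part of the Clevis project: it compares the master-key digest and salt printed by `cryptsetup luksDump` for each host. It assumes the LUKS1 dump layout (LUKS2 dumps are laid out differently and are not parsed); the function names, host names and all header values are constructed for illustration.

```python
import re
from collections import defaultdict

HEX_ROW = re.compile(r"^\s+(?:[0-9a-f]{2}\s*)+$")  # continuation row of a hex field

def mk_fingerprint(dump: str) -> str:
    """Return 'digest:salt' (hex) from LUKS1 `cryptsetup luksDump` text."""
    fields = {"MK digest": [], "MK salt": []}
    current = None
    for line in dump.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in fields:
            current = fields[key]
            current.append(value)
        elif current is not None and HEX_ROW.match(line):
            current.append(line)      # the salt wraps onto a second row
        else:
            current = None
    digest, salt = ("".join("".join(rows).split()) for rows in fields.values())
    if not digest or not salt:
        raise ValueError("no LUKS1 master-key digest/salt found")
    return f"{digest}:{salt}"

def shared_master_keys(dumps):
    """Group hosts whose headers carry the same master-key digest and salt."""
    groups = defaultdict(list)
    for host, dump in dumps.items():
        groups[mk_fingerprint(dump)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)

def sample_dump(digest_byte, salt_byte, slot1="DISABLED"):
    """Constructed LUKS1-style dump; every value here is made up."""
    row = " ".join([salt_byte] * 16)
    return (
        "LUKS header information for /dev/sda\n\n"
        "Version:       \t1\n"
        f"MK digest:     \t{' '.join([digest_byte] * 20)}\n"
        f"MK salt:       \t{row}\n"
        f"               \t{row}\n"
        "MK iterations: \t100000\n"
        "UUID:          \t00000000-0000-0000-0000-000000000000\n\n"
        f"Key Slot 0: ENABLED\nKey Slot 1: {slot1}\n"
    )

DUMPS = {  # constructed fleet: vm-a and vm-b were cloned from one image
    "vm-a": sample_dump("a1", "b2"),
    "vm-b": sample_dump("a1", "b2", slot1="ENABLED"),  # bound after cloning
    "vm-c": sample_dump("d4", "e5"),                   # installed separately
}
```

`shared_master_keys(DUMPS)` groups `vm-a` and `vm-b` even though `vm-b` has an extra enabled key slot, because binding adds a key slot and leaves the master key unchanged.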

== SEE ALSO

link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]