CLEVIS-LUKS-UNLOCKERS(7)
========================
:doctype: manpage

== NAME

clevis-luks-unlockers - Overview of clevis luks unlockers

== OVERVIEW

Clevis provides unlockers for LUKS volumes which can use LUKS policy:

* clevis-luks-unlock - Unlocks manually using the command line.
* dracut - Unlocks automatically during early boot.
* systemd - Unlocks automatically during late boot.
* udisks2 - Unlocks automatically in a GNOME desktop session.

Once a LUKS volume is bound using *clevis luks bind*, it can be unlocked using
any of the above unlockers without using a password.

== MANUAL UNLOCKING

You can unlock a LUKS volume manually using the following command:

    $ sudo clevis luks unlock -d /dev/sda

For more information, see link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)].

== EARLY BOOT UNLOCKING

If Clevis integration does not already ship in your initramfs, you may need to
rebuild your initramfs with this command:

    $ sudo dracut -f

Once Clevis is integrated into your initramfs, a simple reboot should unlock
your root volume. Note, however, that early boot integration only works for the
root volume. Non-root volumes should use the late boot unlocker.

Dracut will not bring up your network by default. You can either have it come
up via DHCP by using rd.neednet=1 in the kernel cmdline, or you can specify
custom network parameters, such as a static IP configuration. For details,
please consult the dracut documentation.

DHCP can be easily added to early boot by setting it in a configuration file
and rebuilding the initramfs afterwards:

    $ echo 'kernel_cmdline="rd.neednet=1"' | sudo tee /etc/dracut.conf.d/clevis.conf
    $ sudo dracut -f

== LATE BOOT UNLOCKING

You can enable late boot unlocking by executing the following command:

    $ sudo systemctl enable clevis-luks-askpass.path

After a reboot, Clevis will attempt to unlock all devices listed in
*/etc/crypttab* that have clevis bindings when systemd prompts for their passwords.
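
The following sketch is an added example, not part of Clevis. It previews which entries of a crypttab file the late boot unlocker can act on: entries for which systemd prompts (key field absent, `none` or `-`, per crypttab(5)) and which carry a binding reported by *clevis luks list*. The function names and the sample entries are constructed for illustration; the binding check assumes clevis is installed and is run as root.

```shell
#!/bin/sh
# Added example, not part of Clevis. Function names are illustrative.

# Print "name device" for each entry of the crypttab-format file $1 where
# systemd would prompt for a passphrase: key field absent, "none" or "-".
# Entries marked noauto are skipped because they are not set up at boot.
crypttab_prompting_entries() {
    while read -r name dev key opts rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "${key:-none}" in none|-) ;; *) continue ;; esac
        case ",$opts," in *,noauto,*) continue ;; esac
        printf '%s %s\n' "$name" "$dev"
    done < "$1"
}

# Turn a crypttab device spec into a path that clevis can open.
resolve_device() {
    case "$1" in
        UUID=*)     printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=*) printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# For each prompting entry, say whether a clevis binding is present.
# Needs root and the clevis tools. Usage: report_late_boot_candidates
report_late_boot_candidates() {
    crypttab_prompting_entries "${1:-/etc/crypttab}" | while read -r name dev; do
        path=$(resolve_device "$dev")
        if [ -n "$(clevis luks list -d "$path" 2>/dev/null </dev/null)" ]; then
            echo "$name ($path): clevis binding found"
        else
            echo "$name ($path): no clevis binding found"
        fi
    done
}

# Demo on a constructed crypttab (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  device          key           options
data    UUID=1111-aaaa  none          luks
swap    /dev/sdb2       /dev/urandom  swap
backup  /dev/sdc1       -             luks,noauto
EOF
crypttab_prompting_entries "$sample"
rm -f "$sample"
```

Entries with a key file (such as `swap` above) never reach the password prompt, so the late boot unlocker is not involved in unlocking them.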

== DESKTOP UNLOCKING

When the udisks2 unlocker is installed, your GNOME desktop session should
unlock LUKS removable devices configured with Clevis automatically. You may
need to restart your desktop session after installation for the unlocker to be
loaded.

== SEE ALSO

link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]