12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 |
- CLEVIS-LUKS-UNLOCKERS(7)
- ========================
- :doctype: manpage
- == NAME
- clevis-luks-unlockers - Overview of clevis luks unlockers
- == OVERVIEW
- Clevis provides unlockers for LUKS volumes which can use LUKS policy:
- * clevis-luks-unlock - Unlocks manually using the command line.
- * dracut - Unlocks automatically during early boot.
- * systemd - Unlocks automatically during late boot.
- * udisks2 - Unlocks automatically in a GNOME desktop session.
- Once a LUKS volume is bound using *clevis luks bind*, it can be unlocked using
- any of the above unlockers without using a password.
- == MANUAL UNLOCKING
- You can unlock a LUKS volume manually using the following command:
- $ sudo clevis luks unlock -d /dev/sda
- For more information, see link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)].
- == EARLY BOOT UNLOCKING
- If Clevis integration does not already ship in your initramfs, you may need to
- rebuild your initramfs with this command:
- $ sudo dracut -f
- Once Clevis is integrated into your initramfs, a simple reboot should unlock
- your root volume. Note, however, that early boot integration only works for the
- root volume. Non-root volumes should use the late boot unlocker.
- Dracut will not bring up your network by default. You can either have it come
- up via DHCP by using rd.neednet=1 in kernel cmdline or you can specify custom
- network parameters, such as static IP configuration, please consult the dracut
- documentation.
- DHCP can be easily added to early boot by setting it in a configuration file
- and rebuilding initramfs afterwards
- $ echo 'kernel_cmdline="rd.neednet=1"' | sudo tee /etc/dracut.conf.d/clevis.conf
- $ sudo dracut -f
- == LATE BOOT UNLOCKING
- You can enable late boot unlocking by executing the following command:
- $ sudo systemctl enable clevis-luks-askpass.path
- After a reboot, Clevis will attempt to unlock all devices listed in
- */etc/crypttab* that have clevis bindings when systemd prompts for their passwords.
- == DESKTOP UNLOCKING
- When the udisks2 unlocker is installed, your GNOME desktop session should
- unlock LUKS removable devices configured with Clevis automatically. You may
- need to restart your desktop session after installation for the unlocker to be
- loaded.
- == SEE ALSO
- link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)]
- link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]
|