oracular (7) clevis-luks-unlockers.7.gz

Provided by: clevis-luks_20-1_amd64 bug

NAME

       clevis-luks-unlockers - Overview of clevis luks unlockers

OVERVIEW

       Clevis provides unlockers for LUKS volumes which can use LUKS policy:

       •   clevis-luks-unlock - Unlocks manually using the command line.

       •   dracut - Unlocks automatically during early boot.

       •   systemd - Unlocks automatically during late boot.

       •   udisks2 - Unlocks automatically in a GNOME desktop session.

       Once a LUKS volume is bound using clevis luks bind, it can be unlocked using any of the
       above unlockers without using a password.

MANUAL UNLOCKING

       You can unlock a LUKS volume manually using the following command:

           $ sudo clevis luks unlock -d /dev/sda

       For more information, see clevis-luks-unlock(1) <clevis-luks-unlock.1.adoc>.

EARLY BOOT UNLOCKING

       If Clevis integration does not already ship in your initramfs, you may need to rebuild
       your initramfs with this command:

           $ sudo dracut -f

       Once Clevis is integrated into your initramfs, a simple reboot should unlock your root
       volume. Note, however, that early boot integration only works for the root volume.
       Non-root volumes should use the late boot unlocker.

       Dracut will not bring up your network by default. You can either have it come up via DHCP
       by using rd.neednet=1 in kernel cmdline or you can specify custom network parameters, such
       as static IP configuration, please consult the dracut documentation.

       DHCP can be easily added to early boot by setting it in a configuration file and
       rebuilding initramfs afterwards

           $ echo 'kernel_cmdline="rd.neednet=1"' | sudo tee /etc/dracut.conf.d/clevis.conf
           $ sudo dracut -f

LATE BOOT UNLOCKING

       You can enable late boot unlocking by executing the following command:

           $ sudo systemctl enable clevis-luks-askpass.path

       After a reboot, Clevis will attempt to unlock all devices listed in /etc/crypttab that
       have clevis bindings when systemd prompts for their passwords.

DESKTOP UNLOCKING

       When the udisks2 unlocker is installed, your GNOME desktop session should unlock LUKS
       removable devices configured with Clevis automatically. You may need to restart your
       desktop session after installation for the unlocker to be loaded.

SEE ALSO

       clevis-luks-unlock(1) <clevis-luks-unlock.1.adoc> clevis-luks-bind(1)
       <clevis-luks-bind.1.adoc>

                                                                         CLEVIS-LUKS-UNLOCKERS(7)