'\" t
.\" Title: clevis-luks-unlockers
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 03/30/2024
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "CLEVIS\-LUKS\-UNLOCK" "7" "03/30/2024" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
clevis-luks-unlockers \- Overview of clevis luks unlockers
.SH "OVERVIEW"
.sp
Clevis provides unlockers for LUKS volumes which can use LUKS policy:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
clevis\-luks\-unlock \- Unlocks manually using the command line\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
dracut \- Unlocks automatically during early boot\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
systemd \- Unlocks automatically during late boot\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
udisks2 \- Unlocks automatically in a GNOME desktop session\&.
.RE
.sp
Once a LUKS volume is bound using \fBclevis luks bind\fR, it can be unlocked using any of the above unlockers without using a password\&.
.SH "MANUAL UNLOCKING"
.sp
You can unlock a LUKS volume manually using the following command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ sudo clevis luks unlock \-d /dev/sda
.fi
.if n \{\
.RE
.\}
.sp
For more information, see \fBclevis\-luks\-unlock\fR(1)\&.
.SH "EARLY BOOT UNLOCKING"
.sp
If Clevis integration does not already ship in your initramfs, you may need to rebuild your initramfs with this command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ sudo dracut \-f
.fi
.if n \{\
.RE
.\}
.sp
Once Clevis is integrated into your initramfs, a simple reboot should unlock your root volume\&. Note, however, that early boot integration only works for the root volume\&. Non\-root volumes should use the late boot unlocker\&.
.sp
Dracut will not bring up your network by default\&. You can either have it come up via DHCP by using rd\&.neednet=1 in the kernel cmdline, or specify custom network parameters such as a static IP configuration; consult the dracut documentation for details\&.
.sp
DHCP can be easily added to early boot by setting it in a configuration file and rebuilding the initramfs afterwards:
.sp
.if n \{\
.RS 4
.\}
.nf
$ echo \*(Aqkernel_cmdline="rd\&.neednet=1"\*(Aq | sudo tee /etc/dracut\&.conf\&.d/clevis\&.conf
$ sudo dracut \-f
.fi
.if n \{\
.RE
.\}
.SH "LATE BOOT UNLOCKING"
.sp
You can enable late boot unlocking by executing the following command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ sudo systemctl enable clevis\-luks\-askpass\&.path
.fi
.if n \{\
.RE
.\}
.sp
After a reboot, Clevis will attempt to unlock all devices listed in \fB/etc/crypttab\fR that have clevis bindings when systemd prompts for their passwords\&.
.SH "DESKTOP UNLOCKING"
.sp
When the udisks2 unlocker is installed, your GNOME desktop session should unlock LUKS removable devices configured with Clevis automatically\&.
You may need to restart your desktop session after installation for the unlocker to be loaded\&.
.SH "SEE ALSO"
.sp
\fBclevis\-luks\-unlock\fR(1) \fBclevis\-luks\-bind\fR(1)
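.SH "EXAMPLE"
.sp
The late boot unlocker described under LATE BOOT UNLOCKING only acts on \fB/etc/crypttab\fR entries whose device has a Clevis binding\&. The script below is an added example, not part of the Clevis project: before a reboot, it lists each crypttab entry and reports whether \fBclevis luks list\fR shows a binding for it\&. The function names, and treating any output line of \fBclevis luks list\fR as a binding, are assumptions of this example\&.
.sp
.nf
```sh
#!/bin/sh
# Added example: report which /etc/crypttab entries have a Clevis binding.
# Function names are this example's own; run as root on a real system.

# Print "name device" for every crypttab entry, resolving tag syntax
# (UUID=, PARTUUID=, LABEL=, PARTLABEL=) to /dev/disk/by-* paths.
crypttab_devices() {
    while read -r name dev _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$dev" ] || continue                    # malformed entry
        case "$dev" in
            UUID=*)      dev="/dev/disk/by-uuid/${dev#UUID=}" ;;
            PARTUUID=*)  dev="/dev/disk/by-partuuid/${dev#PARTUUID=}" ;;
            LABEL=*)     dev="/dev/disk/by-label/${dev#LABEL=}" ;;
            PARTLABEL=*) dev="/dev/disk/by-partlabel/${dev#PARTLABEL=}" ;;
        esac
        echo "$name $dev"
    done < "$1"
}

# Succeed if the device has at least one Clevis binding. Assumption:
# any line printed by "clevis luks list" describes a bound slot.
has_clevis_binding() {
    [ -n "$(clevis luks list -d "$1" </dev/null 2>/dev/null)" ]
}

# Print "name device bound|unbound" for each entry in the given crypttab.
# Clevis will not unlock entries reported as unbound.
clevis_crypttab_report() {
    crypttab_devices "$1" | while read -r name dev; do
        if has_clevis_binding "$dev"; then
            echo "$name $dev bound"
        else
            echo "$name $dev unbound"
        fi
    done
}

# Run the report only when asked, e.g.: sh check.sh --report /etc/crypttab
if [ "${1:-}" = "--report" ]; then
    clevis_crypttab_report "${2:-/etc/crypttab}"
fi
```
.fi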