1CLEVIS-LUKS-UNLOCKERS(1) CLEVIS-LUKS-UNLOCKERS(1)
2
6 Clevis provides unlockers for LUKS volumes which can use LUKS policy:
7 · clevis-luks-unlock - Unlocks manually using the command line.
9 · dracut - Unlocks automatically during early boot.
11 · systemd - Unlocks automatically during late boot.
13 · udisks2 - Unlocks automatically in a GNOME desktop session.
15 Once a LUKS volume is bound using clevis luks bind, it can be unlocked
17 using any of the above unlockers without using a password.
18
20 You can unlock a LUKS volume manually using the following command:
21 $ sudo clevis luks unlock -d /dev/sda
23 For more information, see clevis-luks-unlock(1).
25
27 If Clevis integration does not already ship in your initramfs, you may
28 need to rebuild your initramfs with this command:
29 $ sudo dracut -f
31 Once Clevis is integrated into your initramfs, a simple reboot should
33 unlock your root volume. Note, however, that early boot integration
34 only works for the root volume. Non-root volumes should use the late
35 boot unlocker.
36 Dracut will bring up your network using DHCP by default. If you need
38 to specify additional network parameters, such as static IP configura‐
39 tion, please consult the dracut documentation.
40
42 You can enable late boot unlocking by executing the following command:
43 $ sudo systemctl enable clevis-luks-askpass.path
45 After a reboot, Clevis will attempt to unlock all _netdev devices list‐
47 ed in /etc/crypttab when systemd prompts for their passwords. This im‐
48 plies that systemd support for _netdev is required.
49
51 When the udisks2 unlocker is installed, your GNOME desktop session
52 should unlock LUKS removable devices configured with Clevis automati‐
53 cally. You may need to restart your desktop session after installation
54 for the unlocker to be loaded.
55
57 clevis-luks-unlock(1) clevis-luks-bind(1)
58
60 Nathaniel McCallum <npmccallum@redhat.com>.
61 October 2017 CLEVIS-LUKS-UNLOCKERS(1)