1CLEVIS-LUKS-BIND(1)                                        CLEVIS-LUKS-BIND(1)
2
3
4

NAME

6       clevis-luks-bind - Bind a LUKSv1 device using the specified policy
7

SYNOPSIS

9       clevis luks bind [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
10

OVERVIEW

12       The clevis luks bind command binds a LUKSv1 device using the specified
13       policy. This is accomplished with a simple command:
14
15           $ clevis luks bind -d /dev/sda tang '{"url":...}'
16
17       This command performs four steps:
18
19        1. Creates a new key with the same entropy as the LUKS master key.
20
21        2. Encrypts the new key with Clevis.
22
23        3. Stores the Clevis JWE in the LUKS header with LUKSMeta.
24
25        4. Enables the new key for use with LUKS.
26
27       This disk can now be unlocked with your existing password as well as
28       with the Clevis policy. You will additionally need to enable one or
29       more of the Clevis LUKS unlockers. See clevis-luks-unlockers(7).
30

OPTIONS

32       ·   -f : Do not prompt for LUKSMeta initialization
33
34       ·   -d DEV : The LUKS device on which to perform binding
35
36       ·   -s SLT : The LUKSMeta slot to use for metadata storage
37
38       ·   -k KEY : Non-interactively read LUKS password from KEY file
39
40       ·   -k - : Non-interactively read LUKS password from standard input
41

CAVEATS

43       This command does not change the LUKS master key. This implies that if
44       you create a LUKS-encrypted image for use in a Virtual Machine or Cloud
45       environment, all the instances that run this image will share a master
46       key. This is extremely dangerous and should be avoided at all cost.
47
48       This is not a limitation of Clevis but a design principle of LUKS. If
49       you wish to have encrypted root volumes in the cloud, you will need to
50       make sure that you perform the OS install method for each instance in
51       the cloud as well. The images cannot be shared without also sharing a
52       master key.
53

SEE ALSO

55       clevis-luks-unlockers(7), clevis-encrypt-tang(1),
56       clevis-encrypt-sss(1), clevis-decrypt(1)
57
58
59
60                                  01/28/2020               CLEVIS-LUKS-BIND(1)
Impressum