CLEVIS-LUKS-BIND(1)                                        CLEVIS-LUKS-BIND(1)

NAME

       clevis-luks-bind - Bind a LUKS device using the specified policy


SYNOPSIS

       clevis luks bind [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e
       EXISTING_TOKEN_ID] PIN CFG


OVERVIEW

       The clevis luks bind command binds a LUKS device using the specified
       policy. This is accomplished with a simple command:

           $ clevis luks bind -d /dev/sda tang '{"url":...}'

       This command performs four steps:

        1. Creates a new key with the same entropy as the LUKS master key
           (capped at 256 bits).

        2. Encrypts the new key with Clevis, producing a JWE.

        3. Stores the Clevis JWE in the LUKS header (a LUKS2 token, or a
           LUKSMeta slot on LUKS1).

        4. Enables the new key as an additional LUKS key slot.

       The disk can now be unlocked with your existing passphrase as well as
       with the Clevis policy. You will additionally need to enable one or
       more of the Clevis LUKS unlockers. See clevis-luks-unlockers(7).


OPTIONS

       -f : Do not prompt for LUKSMeta initialization

       -y : Automatically answer yes for all questions. When using tang,
           it causes the advertisement trust check to be skipped, which can be
           useful in automated deployments. The server's advertised signing
           keys are then accepted without manual verification, so use this
           only where the tang server and the path to it are trusted.

       -d DEV : The LUKS device on which to perform binding

       -s SLT : The LUKSMeta slot to use for metadata storage

       -t TKN_ID : The LUKS token ID to use; only available for LUKS2

       -k KEY : Non-interactively read the LUKS passphrase from the KEY file

       -k - : Non-interactively read the LUKS passphrase from standard input

       -e E_TKN_ID : LUKS token ID for the existing passphrase; only available
           for LUKS2. This parameter names an already configured LUKS2 token
           that holds the existing passphrase for this device, so that Clevis
           does not prompt for it.


CAVEATS

       This command does not change the LUKS master key. This implies that if
       you create a LUKS-encrypted image for use in a Virtual Machine or Cloud
       environment, all the instances that run this image will share a master
       key. This is extremely dangerous and should be avoided at all cost:
       anyone who can unlock one instance holds the key to every volume
       derived from that image.

       This is not a limitation of Clevis but a design principle of LUKS. If
       you wish to have encrypted root volumes in the cloud, you will need to
       perform the OS installation (and therefore the LUKS format and bind)
       separately for each instance. The images cannot be shared without also
       sharing a master key.

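       The following is an added example, not code from the clevis project:
       it inspects LUKS2 header metadata of the kind that
       cryptsetup luksDump --dump-json-metadata DEV prints, to show what the
       bind procedure above leaves in the header (a token of type "clevis"
       whose JWE protected header names the pin and its configuration, which
       is what clevis luks list decodes) and to detect the cloned-image
       situation described in CAVEATS by comparing the header's master-key
       digest entries. The headers, salts, digests, the tang URL and the
       truncated JWE fields are constructed stand-ins, not real output.

```python
"""Inspect LUKS2 header JSON for Clevis bindings and cloned master keys.

Added example, not part of clevis. Input is the JSON printed by
`cryptsetup luksDump --dump-json-metadata DEV`; the headers below are
constructed stand-ins with the token/digest layout of a real header.
"""
import base64
import copy
import json
from typing import Dict, List, Tuple


def _b64url_decode(data: str) -> bytes:
    """base64url without padding, as JOSE stores the protected header."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def clevis_bindings(meta: Dict) -> List[Tuple[int, List[str], str, Dict]]:
    """(token id, keyslots, pin, pin config) for each token of type "clevis".

    Step 3 of the bind stores the JWE in a LUKS2 token; the pin name and its
    configuration sit in the JWE protected header under "clevis".
    """
    found = []
    for tid, tok in sorted(meta.get("tokens", {}).items(), key=lambda kv: int(kv[0])):
        if tok.get("type") != "clevis":
            continue
        header = json.loads(_b64url_decode(tok["jwe"]["protected"]))
        pin = header["clevis"]["pin"]
        found.append((int(tid), list(tok["keyslots"]), pin, header["clevis"].get(pin, {})))
    return found


def master_key_fingerprint(meta: Dict) -> Tuple[str, str]:
    """(salt, digest) of the digest entry covering data segment 0.

    LUKS2 stores PBKDF2(master key, salt) so it can verify an unwrapped key.
    A header copied from a golden image carries the same salt and digest.
    """
    for entry in meta["digests"].values():
        if "0" in entry.get("segments", []):
            return entry["salt"], entry["digest"]
    raise ValueError("no digest entry for segment 0")


def share_master_key(a: Dict, b: Dict) -> bool:
    """True when both headers are clones and therefore share one master key.

    False does not prove the keys differ: a fresh salt hides a reused key,
    so the only sound fix is a separate install (new master key) per instance.
    """
    return master_key_fingerprint(a) == master_key_fingerprint(b)


def _protected_header(clevis: Dict) -> str:
    """Constructed protected header in the shape a tang-pin JWE carries."""
    return _b64url_encode(json.dumps(
        {"alg": "ECDH-ES", "enc": "A256GCM", "clevis": clevis}).encode())


# Constructed header of a golden image after `clevis luks bind -d DEV tang ...`:
# slot 0 is the original passphrase, slot 1 the Clevis-wrapped key, token 0 the JWE.
GOLDEN_IMAGE = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "clevis", "keyslots": ["1"], "jwe": {
        "protected": _protected_header(
            {"pin": "tang", "tang": {"url": "https://tang.example.com"}}),
        "iv": "TRUNCATED", "ciphertext": "TRUNCATED", "tag": "TRUNCATED"}}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0", "1"], "segments": ["0"],
                      "hash": "sha256", "iterations": 1000,
                      "salt": base64.b64encode(b"constructed-salt-A").decode(),
                      "digest": base64.b64encode(b"constructed-digest-A").decode()}},
}

# Instance launched from a copy of the image: header identical, key shared.
CLONED_INSTANCE = copy.deepcopy(GOLDEN_IMAGE)

# Instance installed separately (fresh luksFormat, then its own bind).
REINSTALLED_INSTANCE = copy.deepcopy(GOLDEN_IMAGE)
REINSTALLED_INSTANCE["digests"]["0"]["salt"] = base64.b64encode(b"constructed-salt-B").decode()
REINSTALLED_INSTANCE["digests"]["0"]["digest"] = base64.b64encode(b"constructed-digest-B").decode()

if __name__ == "__main__":
    for tid, slots, pin, cfg in clevis_bindings(GOLDEN_IMAGE):
        print(f"token {tid}: keyslots {slots} pin {pin} {json.dumps(cfg)}")
    print("clone shares master key:", share_master_key(GOLDEN_IMAGE, CLONED_INSTANCE))
    print("reinstall shares master key:", share_master_key(GOLDEN_IMAGE, REINSTALLED_INSTANCE))
```

       Feed real headers by loading the JSON from
       cryptsetup luksDump --dump-json-metadata on each device; an equal
       fingerprint across two instances confirms the shared-key condition
       the caveat warns about, while unequal fingerprints are only absence of
       evidence, since a device that was re-formatted still needs its own
       bind before the Clevis policy applies.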

SEE ALSO

       clevis-luks-unlockers(7), clevis-encrypt-tang(1),
       clevis-encrypt-sss(1), clevis-decrypt(1)

                                  12/17/2022               CLEVIS-LUKS-BIND(1)