CLEVIS-LUKS-UNLOCK(7)                                    CLEVIS-LUKS-UNLOCK(7)

NAME

       clevis-luks-unlockers - Overview of clevis luks unlockers

OVERVIEW

       Clevis provides unlockers for LUKS volumes which can use LUKS policy:

       •   clevis-luks-unlock - Unlocks manually using the command line.

       •   dracut - Unlocks automatically during early boot.

       •   systemd - Unlocks automatically during late boot.

       •   udisks2 - Unlocks automatically in a GNOME desktop session.

       Once a LUKS volume is bound using clevis luks bind, it can be unlocked
       using any of the above unlockers without using a password.

MANUAL UNLOCKING

       You can unlock a LUKS volume manually using the following command:

           $ sudo clevis luks unlock -d /dev/sda

       For more information, see clevis-luks-unlock(1).

EARLY BOOT UNLOCKING

       If Clevis integration does not already ship in your initramfs, you may
       need to rebuild your initramfs with this command:

           $ sudo dracut -f

       Once Clevis is integrated into your initramfs, a simple reboot should
       unlock your root volume. Note, however, that early boot integration
       only works for the root volume. Non-root volumes should use the late
       boot unlocker.

       Dracut will not bring up your network by default. You can either have
       it come up via DHCP by using rd.neednet=1 on the kernel command line,
       or specify custom network parameters, such as a static IP
       configuration. For the latter, consult the dracut documentation.

       DHCP can be easily added to early boot by setting it in a configuration
       file and rebuilding the initramfs afterwards:

           $ echo 'kernel_cmdline="rd.neednet=1"' | sudo tee /etc/dracut.conf.d/clevis.conf
           $ sudo dracut -f

LATE BOOT UNLOCKING

       You can enable late boot unlocking by executing the following command:

           $ sudo systemctl enable clevis-luks-askpass.path

       After a reboot, Clevis will attempt to unlock all devices listed in
       /etc/crypttab that have clevis bindings when systemd prompts for their
       passwords.
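
       Late boot unlocking only acts on crypttab entries that systemd prompts
       for. The script below is an added example, not part of the Clevis
       documentation, that lists those entries from a crypttab-format file.
       It assumes, per crypttab(5), that an absent key-file field or one set
       to none or - leads to a passphrase prompt; the function names and the
       sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Clevis project): find the /etc/crypttab
# entries that the late boot unlocker can answer a prompt for.

# late_boot_candidates FILE  (hypothetical helper name)
# Prints "name device" for every entry systemd would prompt for at boot.
# Assumption, per crypttab(5): a key-file field that is absent, "none"
# or "-" means the passphrase is requested interactively.
late_boot_candidates() {
    while read -r name device keyfile options _rest || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*) continue ;;      # blank line or comment
        esac
        case "${keyfile:-none}" in
            none|-) ;;                # no key file: a prompt is issued
            *) continue ;;            # key file configured: no prompt
        esac
        case ",$options," in
            *,noauto,*) continue ;;   # not set up automatically at boot
        esac
        printf '%s %s\n' "$name" "$device"
    done < "$1"
}

# Constructed sample crypttab, not taken from a real system.
sample_crypttab() {
    cat <<'EOF'
# name   device                                     key file         options
home     UUID=11111111-2222-3333-4444-555555555555  none             luks
data     /dev/sdb1                                  -                luks
backup   /dev/sdc1                                  /etc/keys/b.key  luks
scratch  /dev/sdd1                                  none             luks,noauto
EOF
}

# Demo: each device printed here should also have a Clevis binding
# (check with "clevis luks list -d DEVICE") to unlock without a password.
tmp=$(mktemp)
sample_crypttab > "$tmp"
late_boot_candidates "$tmp"
rm -f "$tmp"
```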

DESKTOP UNLOCKING

       When the udisks2 unlocker is installed, your GNOME desktop session
       should unlock LUKS removable devices configured with Clevis
       automatically. You may need to restart your desktop session after
       installation for the unlocker to be loaded.

SEE ALSO

       clevis-luks-unlock(1), clevis-luks-bind(1)

                                  07/19/2023             CLEVIS-LUKS-UNLOCK(7)