### Install Clevis with Ninja Source: https://github.com/latchset/clevis/blob/master/README.md Installs the compiled Clevis binaries and components. Requires root permissions. ```bash $ sudo ninja install ``` -------------------------------- ### Full Kernel Command Line Example Source: https://github.com/latchset/clevis/blob/master/README.md Example of a complete kernel command line in `/etc/default/grub` including `rd.lvm.lv` and `rd.luks.uuid` parameters for root and /var volumes. ```bash GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rd.luks.uuid=luks-21a9c1b8-c202-4985-809a-aba2d6fdab01 rd.lvm.lv=separate/var rd.luks.uuid=aa0ce19c-cde9-44a2-adbd-4afb1845a959 quiet" ``` -------------------------------- ### Install Clevis Source: https://github.com/latchset/clevis/blob/master/INSTALL.md Install the compiled Clevis software to the system. This command requires superuser privileges and installs Clevis to a location determined during the configure step. ```bash $ sudo ninja -C build install ``` -------------------------------- ### Grub Configuration with Automatic Detection Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Example of a kernel command line in `/etc/default/grub` when relying on automatic LVM detection from `/etc/crypttab`. This simplifies the configuration. ```bash GRUB_CMDLINE_LINUX="quiet" ``` -------------------------------- ### Setup Clevis Compilation with Meson Source: https://github.com/latchset/clevis/blob/master/README.md Configures the Clevis build environment using Meson. Assumes you are in the 'clevis-21' directory. ```bash $ meson setup .. ``` -------------------------------- ### Grub Configuration with TPM1.1 Options Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Example of a kernel command line in `/etc/default/grub` including TPM1.1 specific options for Clevis encryption. Ensure to update grub after changes. ```bash GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rd.luks.uuid=luks-21a9c1b8-c202-4985-809a-aba2d6fdab01 rd.lvm.lv=separate/var rd.luks.uuid=luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 quiet" ``` -------------------------------- ### Install Build Dependencies on Fedora Source: https://github.com/latchset/clevis/blob/master/INSTALL.md Use this command to install all the necessary packages required to build Clevis from source on Fedora systems. ```bash $ sudo dnf builddep clevis ``` -------------------------------- ### Verify Volume Setup with lsblk Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Use 'lsblk -fp' to verify the LVM on LUKS or LUKS on LVM encryption scheme and identify the correct UUIDs. ```shell lsblk -fp ``` -------------------------------- ### Install Clevis Packages on Fedora Source: https://github.com/latchset/clevis/blob/master/README.md Installs the core Clevis commands and various unlockers on Fedora systems using DNF. ```bash $ sudo dnf install clevis clevis-dracut clevis-udisks2 clevis-systemd clevis-luks ``` -------------------------------- ### TPM1.1 Logical Volume Table Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Example output from `lvs` command showing logical volume names and their Device Mapper paths. This information is crucial for configuring Clevis. ```text LV DMPath … separate/var /dev/mapper/separate-var … ``` -------------------------------- ### Encrypt with TPM2 specifying hash and key algorithms Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc Encrypts data using the TPM2 pin, allowing customization of the hash and key algorithms. This example specifies SHA1 for hashing and RSA for the key. ```bash $ clevis encrypt tpm2 '{"hash":"sha1","key":"rsa"}' < PT > JWE ``` -------------------------------- ### Install Clevis PKCS#11 Dependency Source: https://github.com/latchset/clevis/blob/master/README.md Installs the necessary Clevis package for PKCS#11 support. Ensure your system's package manager is up-to-date. ```bash $ sudo dnf install clevis-pin-pkcs11 ``` -------------------------------- ### PKCS#11 URI with PIN Value Source: https://github.com/latchset/clevis/blob/master/README.md Example of a PKCS#11 URI that includes the 'pin-value' parameter to specify the PIN directly. ```plaintext pkcs11:token=Software%20PKCS%2311%20softtoken;manufacturer=Snake%20Oil,%20Inc.?pin-value=the-pin ``` -------------------------------- ### Enable Clevis PKCS#11 Askpass Socket Source: https://github.com/latchset/clevis/blob/master/README.md Enables and starts the systemd socket unit responsible for handling passphrase prompts for PKCS#11 decryption. This ensures the system waits for the keyphrase via the socket. ```bash $ sudo systemctl enable --now clevis-luks-pkcs11-askpass.socket ``` -------------------------------- ### Basic PKCS#11 Encryption Source: https://github.com/latchset/clevis/blob/master/src/pins/pkcs11/clevis-encrypt-pkcs11.1.adoc Encrypt data using a PKCS#11 device with a basic configuration URI. The configuration object must contain the 'uri' key with a value starting with 'pkcs11:'. ```bash $ clevis encrypt pkcs11 '{"uri":"pkcs11:"}' < PT > JWE ``` -------------------------------- ### Encrypt with TPM2 sealing to PCR with provided digest Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc Encrypts data using the TPM2 pin and seals it to a specific PCR state using a provided base64 encoded PCR digest. This example seals to PCR 0 with a specific digest value. ```bash $ clevis encrypt tpm2 '{"pcr_ids":"0","pcr_digest":"xy7J5svCtqlfM03d1lE5gdoA8MI"}' < PT > JWE ``` -------------------------------- ### Encrypt with TPM2 sealing to PCR state Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc Encrypts data using the TPM2 pin and seals it to a specific Platform Configuration Register (PCR) state. This example seals to PCRs 0 and 1 for the SHA1 bank. ```bash $ clevis encrypt tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,1"}' < PT > JWE ``` -------------------------------- ### Configure /etc/fstab for initramfs (x-initrd.mount) Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Use the 'x-initrd.mount' option in /etc/fstab to unlock and mount the /var volume during initrd bootup. ```shell UUID=767b750e-bba7-4ea7-b2b8-b1e6a2e22e43 /var xfs defaults,x-systemd.device-timeout=0,x-initrd.mount 0 0 ``` -------------------------------- ### Clevis LUKS Bind Help Source: https://github.com/latchset/clevis/blob/master/README.md Displays the usage information for the 'clevis luks bind' command, outlining available options. ```bash $ clevis luks bind -h ``` -------------------------------- ### Configure /etc/crypttab for initramfs (x-initrd.attach) Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Use the 'x-initrd.attach' option in /etc/crypttab to ensure the /var volume is unlocked during initrd bootup. ```shell luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 UUID=aa0ce19c-cde9-44a2-adbd-4afb1845a959 none discard,x-initrd.attach ``` -------------------------------- ### Configure Clevis Build Source: https://github.com/latchset/clevis/blob/master/INSTALL.md Run the meson build system to generate the necessary build files for Clevis. This command should be executed in the root directory of the Clevis source code. ```bash $ meson build ``` -------------------------------- ### Configure /etc/crypttab for initramfs Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Add the 'initramfs' option to the relevant line in /etc/crypttab on Debian-like systems to include the /var volume in the initramfs. ```shell luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 UUID=aa0ce19c-cde9-44a2-adbd-4afb1845a959 none discard,initramfs ``` -------------------------------- ### List public key URIs with module path Source: https://github.com/latchset/clevis/blob/master/README.md Lists public key URIs for a specific PKCS#11 module. This is useful when dealing with specific hardware modules that require a module path. ```bash $ pkcs11-tool --module /usr/lib64/libykcs11.so -O --type pubkey | grep uri ``` -------------------------------- ### Configure Clevis with Empty PKCS#11 URI Source: https://github.com/latchset/clevis/blob/master/README.md Binds Clevis to the first available PKCS#11 device found by Clevis. This method requires user selection if multiple keys match. ```bash $ clevis luks bind -d /dev/sda1 pkcs11 '{"uri": "pkcs11:"}' ``` -------------------------------- ### Check Available PKCS#11 Mechanisms Source: https://github.com/latchset/clevis/blob/master/README.md Execute this command to list all supported cryptographic mechanisms for a specific PKCS#11 token. This helps in identifying compatible mechanisms for Clevis configuration. ```bash $ pkcs11-tool -M Using slot 0 with a present token (0x0) Supported mechanisms: SHA-1, digest ... SHA512, digest MD5, digest ... RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, generate_key_pair ``` -------------------------------- ### Clevis LUKS Bind Usage Source: https://github.com/latchset/clevis/blob/master/README.md Shows the general usage syntax for binding a device with Clevis, including required arguments and optional flags. ```bash Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG ``` -------------------------------- ### Compile Clevis with Ninja Source: https://github.com/latchset/clevis/blob/master/README.md Compiles the Clevis project using the Ninja build system. ```bash $ ninja ``` -------------------------------- ### Add initramfs Option to /etc/crypttab Source: https://github.com/latchset/clevis/blob/master/README.md Add the 'initramfs' option to the relevant line in `/etc/crypttab` to ensure the /var volume is unlocked during initramfs bootup. This is for Debian-like systems. ```bash … luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 UUID=aa0ce19c-cde9-44a2-adbd-4afb1845a959 none discard,initramfs … ``` -------------------------------- ### Take TPM ownership with well-known SRK Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Initializes the TPM by taking ownership and configuring the Storage Root Key (SRK) to be well-known. This is required to avoid password prompts during encryption/decryption. ```bash $ tpm_takeownership --srk-well-known ``` -------------------------------- ### Configure Dracut for Network in Early Boot Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-unlockers.7.adoc Configure dracut to bring up the network during early boot by setting kernel command line options. This is useful for unlocking root volumes that require network access. ```bash $ echo 'kernel_cmdline="rd.neednet=1"' | sudo tee /etc/dracut.conf.d/clevis.conf ``` ```bash $ sudo dracut -f ``` -------------------------------- ### Update Initramfs with Initramfs-tools Source: https://github.com/latchset/clevis/blob/master/README.md Updates the initramfs for systems using initramfs-tools to enable Clevis unlockers. ```bash sudo update-initramfs -u -k 'all' ``` -------------------------------- ### List Clevis LUKS Bindings Source: https://github.com/latchset/clevis/blob/master/README.md Checks the Clevis bindings for a specific LUKS device, displaying the associated PKCS#11 configuration. ```bash $ clevis luks list -d /dev/sda1 ``` -------------------------------- ### Listing PKCS#11 Mechanisms Source: https://github.com/latchset/clevis/blob/master/src/pins/pkcs11/clevis-encrypt-pkcs11.1.adoc List all supported encryption/decryption mechanisms for PKCS#11 devices. This command is useful for identifying compatible mechanisms when configuring Clevis. ```bash $ pkcs11-tool -M ``` -------------------------------- ### List all pins bound to a LUKS device Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-list.1.adoc Use this command to view all pins bound to a specified LUKS device. The output includes slot numbers, pin types, and their associated configurations. ```bash clevis luks list -d /dev/sda1 1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}' 2: tang '{"url":"addr"}' 3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}' ``` -------------------------------- ### List public key URIs for a specific slot Source: https://github.com/latchset/clevis/blob/master/README.md Lists the URIs of public key objects available in a specified PKCS#11 slot. This helps in selecting the correct public key for binding. ```bash $ pkcs11-tool -O --slot-index 1 --type pubkey | grep uri ``` -------------------------------- ### List Clevis Bindings Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-edit.1.adoc View the existing Clevis bindings for a LUKS device to identify the slot number for editing. ```bash clevis luks list -d /dev/sda1 ``` -------------------------------- ### Rebuild Initrd with Dracut Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc After changing /etc/crypttab and/or /etc/fstab, rebuild the initrd using 'dracut -f'. ```shell dracut -f ``` -------------------------------- ### Update Initramfs (Debian-like) Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc After modifying /etc/crypttab, run 'update-initramfs -u' on Debian-like systems. ```shell update-initramfs -u ``` -------------------------------- ### List Logical Volume Information Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Use this command to find the correct `rd.lvm.lv` value for your logical volume. It displays the full name and Device Mapper path. ```bash lvs -o lv_full_name,lv_dm_path ``` -------------------------------- ### Bind LUKS Device with TANG Policy Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-bind.1.adoc Use this command to bind a LUKS device using a TANG policy. Ensure the device path and TANG configuration are correct. ```bash $ clevis luks bind -d /dev/sda tang '{"url":...}' ``` -------------------------------- ### Bind LUKS device with public key URI and module path Source: https://github.com/latchset/clevis/blob/master/README.md Binds a LUKS device using a PKCS#11 token identified by its public key URI, including the specific module path. This ensures the correct module is used for the operation. ```bash $ clevis luks bind -d /dev/sda pkcs11 '{"uri":"pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=28083311;token=YubiKey%20PIV%20%2328083311;id=%03;object=Public%20key%20for%20Key%20Management;type=public;module-path=/usr/lib64/libykcs11.so"}' ``` -------------------------------- ### Configure Clevis with PKCS#11 URI Source: https://github.com/latchset/clevis/blob/master/README.md Binds a Clevis configuration to a specific LUKS device using a detailed PKCS#11 URI. Ensure the URI accurately identifies the device and key. ```bash $ clevis luks bind -d /dev/sda1 pkcs11 '{"uri": "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II; serial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key"}' ``` -------------------------------- ### List current LUKS binding configuration Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-regen.1.adoc Use 'clevis luks list' to view the current binding configuration for a LUKS device. This helps identify the slot and configuration details before regenerating. ```bash # clevis luks list -d /dev/sda1 1: tang '{"url":"http://tang.server"}' 2: tpm2 '{"hash":"sha256","key":"ecc"}' ``` -------------------------------- ### Configure Clevis with PKCS#11 Module Path Source: https://github.com/latchset/clevis/blob/master/README.md Binds Clevis to a PKCS#11 device using a specified module path. This is useful when the default OpenSC software does not support the card. ```bash $ clevis-luks-bind -d /dev/sda1 pkcs11 '{"uri": "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II; serial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key? module-path=/usr/local/lib64/libmypkcs11.so"}' ``` -------------------------------- ### Download Clevis Binaries Source: https://github.com/latchset/clevis/blob/master/README.md Downloads the latest release of Clevis binaries using wget. Note that the version number may change. ```bash $ wget https://github.com/latchset/clevis/releases/download/v21/clevis-21.tar.xz ``` -------------------------------- ### List PKCS#11 token URIs Source: https://github.com/latchset/clevis/blob/master/README.md Lists available PKCS#11 tokens and their URIs. This command is useful for identifying tokens and their associated public keys for multi-device configurations. ```bash $ pkcs11-tool -L | grep uri ``` -------------------------------- ### Recovery Commands Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc A set of helpful commands for system recovery, including opening encrypted devices, mounting volumes, and scanning LVM. ```shell cryptsetup open /dev/ ``` ```shell mount /dev/mapper/ / ``` ```shell lvm vgscan ``` ```shell lvm lvdisplay -o lv_full_name,lv_dm_path ``` -------------------------------- ### Rebuild Initramfs with Dracut Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-unlockers.7.adoc Rebuild the initramfs to integrate Clevis for early boot unlocking. This command is necessary if Clevis is not already present in your initramfs. ```bash $ sudo dracut -f ``` -------------------------------- ### Update initramfs on Fedora-like systems Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Recreates the initramfs image on Fedora-based systems using dracut after changing the TPM SRK to a well-known key. This is necessary for the TPM to be accessible early in the boot process. ```bash $ dracut -f ``` -------------------------------- ### Configure /etc/crypttab for PKCS#11 Source: https://github.com/latchset/clevis/blob/master/README.md Modifies the /etc/crypttab file to use the Clevis PKCS#11 socket for unlocking encrypted disks. This prevents console prompts and uses the AF_UNIX socket for keyphrase exchange. Includes a recommended keyfile-timeout. ```diff $ sudo diff -Nuar /etc/crypttab.ori /etc/crypttab --- /etc/crypttab.ori 2024-07-04 10:46:16.295073739 +0200 +++ /etc/crypttab 2024-07-03 17:14:27.764743860 +0200 @@ -1 +1,2 @@ -luks-6e38d5e1-7f83-43cc-819a-7416bcbf9f84 UUID=6e38d5e1-7f83-43cc-819a-7416bcbf9f84 - - +luks-6e38d5e1-7f83-43cc-819a-7416bcbf9f84 UUID=6e38d5e1-7f83-43cc-819a-7416bcbf9f84 /run/systemd/clevis-pkcs11.sock keyfile-timeout=30s ``` -------------------------------- ### List summarized pins bound to a LUKS device Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-list.1.adoc This option provides a concise, sorted, space-separated list of pin types bound to the LUKS device, omitting detailed configurations. ```bash clevis luks list -d /dev/sda1 -p 1: sss tang tpm2 2: tang 3: tpm2 ``` -------------------------------- ### Encrypt with SSS Policy (Basic) Source: https://github.com/latchset/clevis/blob/master/src/pins/sss/clevis-encrypt-sss.1.adoc Encrypts a plaintext file using a Shamir's Secret Sharing policy with a threshold of 1 and multiple Tang servers. This configuration ensures decryption is possible as long as at least one Tang server is available. ```bash $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}' $ clevis encrypt sss "$cfg" < PT > JWE ``` -------------------------------- ### Bind LUKS Volume with Tang Pin Source: https://github.com/latchset/clevis/blob/master/README.md Binds a LUKS volume using the Tang pin. Requires user confirmation for the advertisement and the existing LUKS password. ```bash $ sudo clevis luks bind -d /dev/sda1 tang '{"url": "http://tang.local"}' The advertisement is signed with the following keys: kWwirxc5PhkFIH0yE28nc-EvjDY Do you wish to trust the advertisement? [yN] y Enter existing LUKS password: ``` -------------------------------- ### Configure Clevis with Empty JSON Object URI Source: https://github.com/latchset/clevis/blob/master/README.md A shorthand for binding to the first available PKCS#11 device using an empty JSON object for the URI. Clevis will handle device detection and error reporting. ```bash $ clevis luks bind -d /dev/sda1 pkcs11 '{}' ``` -------------------------------- ### Fetch Tang Server Advertisement Source: https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc Fetches the Tang server's advertisement file using curl. Ensure network security when fetching advertisements. ```bash $ curl -f $URL/adv > adv.jws ``` -------------------------------- ### Bind LUKS device with specific public key URI Source: https://github.com/latchset/clevis/blob/master/README.md Binds a LUKS device using a PKCS#11 token identified by its full public key URI. This is the recommended method for multi-device configurations. ```bash $ clevis luks bind -d /dev/sda pkcs11 '{"uri":"pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=public"}' ``` -------------------------------- ### Bind PKCS11 Device to Clevis Source: https://github.com/latchset/clevis/blob/master/README.md Binds the specified device partition to Clevis using the PKCS#11 pin. The 'uri' parameter specifies the PKCS#11 token to use. ```bash $ sudo clevis luks bind -d /dev/sda5 pkcs11 '{"uri":"pkcs11:"}' ``` ```bash $ sudo clevis luks bind -d /dev/sda5 pkcs11 '{"uri":"pkcs11:module-path=/usr/lib64/libykcs11.so.2"}' ``` -------------------------------- ### Update Grub Configuration Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Commands to update the Grub configuration after modifying kernel command line parameters. Use the appropriate command for your distribution. ```bash update-grub2 ``` ```bash grub2-mkconfig -o /etc/grub2.cfg ``` -------------------------------- ### List PKCS#11 token labels and serial numbers Source: https://github.com/latchset/clevis/blob/master/README.md Lists PKCS#11 tokens, displaying their labels and serial numbers. This is used when the PKCS#11 URI cannot be directly obtained and requires identification via serial and token label. ```bash # pkcs11-tool -L | grep "token label\|serial" ``` -------------------------------- ### Update initramfs on Debian-like systems Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Recreates the initramfs image on Debian-based systems after changing the TPM SRK to a well-known key. This ensures that the TPM runtime data is included in the boot image. ```bash $ update-initramfs -u ``` -------------------------------- ### Encrypt data using clevis-encrypt-@pin@ Source: https://github.com/latchset/clevis/blob/master/src/pins/template/clevis-encrypt-@pin@.1.adoc Use this command to encrypt data with a specific policy. Provide the policy configuration as a JSON string and the plaintext data via standard input. ```bash $ clevis encrypt @pin@ '{"@mand1@":"@@","@mand2":"@@"}' < PT > JWE ``` -------------------------------- ### List Pins Bound to LUKS Volume Source: https://github.com/latchset/clevis/blob/master/README.md Lists all Clevis pins that are currently bound to a given LUKS volume. ```bash $ sudo clevis luks list -d /dev/sda1 ``` -------------------------------- ### Bind LUKS device with serial and token label Source: https://github.com/latchset/clevis/blob/master/README.md Binds a LUKS device using PKCS#11 identification based on the device's serial number and token label. This method is a fallback when full URIs are not available. ```bash $ clevis luks bind -d /dev/sda pkcs11 '{"uri":"pkcs11:model=PKCS%2315%20emulated;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29"}' ``` -------------------------------- ### Clevis LUKS Binding Details Source: https://github.com/latchset/clevis/blob/master/README.md Shows the details of a Clevis LUKS binding, including the PKCS#11 URI and module path if specified. ```plaintext 1: pkcs11 '{"uri": "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II; serial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key? module-path=/usr/local/lib64/libmypkcs11.so"}' ``` -------------------------------- ### Enable Late Boot Unlocking with Systemd Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-unlockers.7.adoc Enable the systemd path unit to allow Clevis to automatically unlock LUKS devices listed in /etc/crypttab during late boot. This requires a reboot to take effect. ```bash $ sudo systemctl enable clevis-luks-askpass.path ``` -------------------------------- ### Encrypt Data with Pre-shared Advertisement Source: https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc Encrypts data using a Tang server by providing a pre-shared advertisement file in the configuration. This enables offline encryption. ```bash $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE ``` -------------------------------- ### Test Clevis PKCS#11 Encryption/Decryption Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts a string using Clevis with PKCS#11 and then decrypts it. This one-liner tests the basic functionality, requiring the PIN to be provided in the URI. ```bash $ echo "top secret" | clevis encrypt pkcs11 '{"uri":"pkcs11:module-path=/usr/lib64/libykcs11.so.2?pin-value=123456"}' | clevis decrypt ``` -------------------------------- ### Regenerate Clevis LUKS binding Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-regen.1.adoc Execute 'clevis luks regen' with the device and slot to regenerate the binding. This command uses the existing configuration for the specified slot and device. ```bash # clevis luks regen -d /dev/sda1 -s 1 ``` -------------------------------- ### Encrypt Data with Tang Server Source: https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc Encrypts data using a Tang server. It prompts for trust confirmation of the server's signing keys on first use. ```bash $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE ``` -------------------------------- ### Encrypt data using Tang pin Source: https://github.com/latchset/clevis/blob/master/src/clevis.1.adoc Encrypts data using the Tang pin. Requires a Tang server URL and handles trust-on-first-use for signing keys. ```bash $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE The advertisement contains the following signing keys: _OsIk0T-E2l6qjfdDiwVmidoZjA Do you wish to trust these keys? [ynYN] y ``` -------------------------------- ### Encrypt Data with File Policy Source: https://github.com/latchset/clevis/blob/master/src/pins/file/clevis-encrypt-file.1.adoc Use this command to encrypt data using a file policy. The configuration specifies the path to the file where the JWK will be stored. Ensure the target file does not already exist. ```bash $ clevis encrypt file '{"name":"/path/to/file"}' < PT > JWE ``` -------------------------------- ### Compile Clevis Source Code Source: https://github.com/latchset/clevis/blob/master/INSTALL.md Compile the Clevis software using the ninja build tool. The -j flag allows for parallel compilation, utilizing all available processor cores for faster build times. ```bash $ ninja -C build -j$(nproc) ``` -------------------------------- ### Redirect Passphrase to a File Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-pass.1.adoc Redirect the output of the clevis-luks-pass command to a file to store the passphrase. This file can then be used as a key file with tools like cryptsetup. ```bash clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase ``` -------------------------------- ### Extract Clevis Binaries Source: https://github.com/latchset/clevis/blob/master/README.md Extracts the downloaded Clevis binaries archive using tar. ```bash $ tar Jxvf clevis-21.tar.xz ``` -------------------------------- ### List pin bound to a specific slot on a LUKS device Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-list.1.adoc To inspect the pin configuration for a particular slot, use the -s option followed by the slot number. This is useful for detailed analysis or replication of specific pin policies. ```bash clevis luks list -d /dev/sda1 -s 2 2: tang '{"url":"addr"}' ``` -------------------------------- ### PKCS#11 Encryption with Module Path Source: https://github.com/latchset/clevis/blob/master/src/pins/pkcs11/clevis-encrypt-pkcs11.1.adoc Encrypt data using a PKCS#11 device, specifying the path to the module library in the URI. This is useful when the PKCS#11 module is not in a default location. ```bash $ clevis encrypt pkcs11 '{"uri":"pkcs11:module-path=/usr/lib64/libykcs11.so"}' < PT > JWE ``` -------------------------------- ### Encrypt Data using TPM1 PIN Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts data using the TPM1 PIN. An empty JSON object is passed as configuration. ```bash $ echo hi | clevis encrypt tpm1 '{}' > hi.jwe ``` -------------------------------- ### Encrypt with SSS and TPM2/Tang Pins Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts data using Shamir Secret Sharing (SSS) with a threshold of 2, combining TPM2 and Tang pins. Both child pins must succeed for decryption. ```bash $ echo hi | clevis encrypt sss \ '{"t": 2, "pins": {"tpm2": {"pcr_ids": "0"}, "tang": {"url": "http://tang.local"}}}' \ > hi.jwe ``` -------------------------------- ### Encrypt Data with Automatic Trust Confirmation Source: https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc Encrypts data using a Tang server and automatically answers 'yes' to all prompts, including the advertisement trust check, using the -y option. Useful for automated deployments. ```bash $ clevis encrypt tang '{"url":...}' -y < PT > JWE ``` -------------------------------- ### Bind LUKS device with PKCS#11 slot ID Source: https://github.com/latchset/clevis/blob/master/README.md Binds a LUKS device using a PKCS#11 token identified by its slot ID. Note: Using slot ID is not recommended as it may not be stable across initializations. ```bash $ clevis luks bind -d /dev/sda1 pkcs11 '{"uri": "pkcs11:slot-id=0"}' ``` -------------------------------- ### Encrypt data using TPM2 pin Source: https://github.com/latchset/clevis/blob/master/src/clevis.1.adoc Encrypts data using the TPM2 pin. Uses default configurations for hierarchy, hash, and key algorithms, but these can be customized. ```bash $ clevis encrypt tpm2 '{}' < PT > JWE ``` -------------------------------- ### Encrypt Data with Clevis Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts plaintext data from standard input to a JWE object on standard output. Requires a PIN plugin and its configuration. ```bash $ clevis encrypt PIN CONFIG < PLAINTEXT > CIPHERTEXT.jwe ``` -------------------------------- ### Encrypt data with TPM 1.2 Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Encrypts data using a TPM 1.2 chip. The configuration is an empty JSON object, and input data is read from stdin, with the JWE output to stdout. ```bash $ clevis encrypt tpm1 '{}' < PT > JWE ``` -------------------------------- ### Identify LUKS Volume UUID with lsblk Source: https://github.com/latchset/clevis/blob/master/README.md Use `lsblk -fp` to identify the UUID of the LUKS volume corresponding to the /var directory. This is crucial for correctly configuring `/etc/crypttab`. ```bash … └─/dev/vda3 crypto_LUKS 2 aa0ce19c-cde9-44a2-adbd-4afb1845a959 └─/dev/mapper/luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 LVM2_member LVM2 001 lgk4ap-Fo39-PemI-eqKn-fxW2-e3Zt-CPGIv2 └─/dev/mapper/separate-var xfs 767b750e-bba7-4ea7-b2b8-b1e6a2e22e43 753,3M 22% /var … ``` ```bash … └─/dev/vda3 LVM2_member LVM2 001 lgk4ap-Fo39-PemI-eqKn-fxW2-e3Zt-CPGIv2 └─/dev/mapper/separate-var crypto_LUKS 2 aa0ce19c-cde9-44a2-adbd-4afb1845a959 └─/dev/mapper/luks-aa0ce19c-cde9-44a2-adbd-4afb1845a959 xfs 767b750e-bba7-4ea7-b2b8-b1e6a2e22e43 781,5M 19% /var ` ``` -------------------------------- ### Encrypt Data using TPM2 PIN Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts data using the TPM2 PIN. An empty JSON object is passed as configuration. ```bash $ echo hi | clevis encrypt tpm2 '{}' > hi.jwe ``` -------------------------------- ### PKCS#11 Encryption with Stored PIN Source: https://github.com/latchset/clevis/blob/master/src/pins/pkcs11/clevis-encrypt-pkcs11.1.adoc Encrypt data using a PKCS#11 device, providing the PIN value directly in the configuration. This method is not recommended for security reasons. ```bash $ clevis encrypt pkcs11 '{"uri":"pkcs11:?pin-value=123456"}' < PT > JWE ``` -------------------------------- ### Unlock a LUKS device with Clevis Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-unlock.1.adoc Use this command to unlock a LUKS device that is already provisioned with a Clevis policy. Ensure you specify the correct LUKS device path. ```bash clevis luks unlock -d /dev/sda ``` -------------------------------- ### Encrypt with SSS and Multiple Tang Pins Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts data using Shamir Secret Sharing (SSS) with a threshold of 1, utilizing multiple Tang pin instances. If any of the Tang pins succeed during decryption, SSS will succeed. ```bash $ echo hi | clevis encrypt sss \ '{"t": 1, "pins": {"tang": [{"url": "http://server1.local/key"}, {"url": "http://server2.local/key"}]}}' \ > hi.jwe ``` -------------------------------- ### Check PKCS11 Device Accessibility Source: https://github.com/latchset/clevis/blob/master/README.md Verifies that the PKCS#11 device is recognized and accessible by the 'pkcs11-tool'. This step is crucial for Clevis to interact with the hardware security module. ```bash $ pkcs11-tool -L pkcs11-tool -L Available slots: Slot 0 (0x0): Yubico YubiKey OTP+CCID 00 00 token label : clevis ... uri : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=42facd1f749ece7f;token=clevis ``` -------------------------------- ### Encrypt Data with Trusted Thumbprint Source: https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang.1.adoc Encrypts data using a Tang server, specifying a trusted signing key's thumbprint in the configuration to bypass the trust prompt. ```bash $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}' $ clevis encrypt tang "$cfg" < PT > JWE ``` -------------------------------- ### Encrypt with SSS Policy (Auto-Yes) Source: https://github.com/latchset/clevis/blob/master/src/pins/sss/clevis-encrypt-sss.1.adoc Encrypts data using an SSS policy with the -y option, which automatically answers yes to prompts. This is useful for automated deployments, as it bypasses the Tang server advertisement trust check. ```bash $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}' $ clevis encrypt sss "$cfg" -y < PT > JWE ``` -------------------------------- ### Extract LUKS Passphrase for a Slot Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-pass.1.adoc Use this command to extract the passphrase for a given LUKS device and slot. The output may be non-printable. ```bash clevis luks pass -d /dev/sda1 -s 1 ``` -------------------------------- ### Encrypt data with TPM 1.2 and PCR policy Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Encrypts data using a TPM 1.2 chip, sealing it to specific PCR values (0, 4, and 7). The configuration specifies the PCR IDs, and input/output are handled via stdin/stdout. ```bash $ clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' < PT > JWE ``` -------------------------------- ### Manually Unlock LUKS Volume Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-unlockers.7.adoc Use this command to manually unlock a LUKS volume from the command line. Ensure the device path is correct. ```bash $ sudo clevis luks unlock -d /dev/sda ``` -------------------------------- ### Encrypt Data using Tang PIN Source: https://github.com/latchset/clevis/blob/master/README.md Encrypts data using the Tang PIN. Requires the URL of the Tang server. You may be prompted to trust the server's advertisement keys. ```bash $ echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe The advertisement is signed with the following keys: kWwirxc5PhkFIH0yE28nc-EvjDY Do you wish to trust the advertisement? [yN] y ``` -------------------------------- ### Unlock LUKS Device with Clevis Source: https://github.com/latchset/clevis/blob/master/README.md Unlocks a LUKS device that has been bound to a Clevis policy. ```bash $ sudo clevis luks unlock -d /dev/sda1 ``` -------------------------------- ### Check TPM PCR values Source: https://github.com/latchset/clevis/blob/master/src/pins/tpm1/clevis-encrypt-tpm1.1.adoc Displays the current values of the TPM's Platform Configuration Registers (PCRs). This is useful for understanding the system state that data can be sealed to. ```bash $ cat /sys/class/tpm/tpm0/pcrs ``` -------------------------------- ### Check LUKS Pin Rotation Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-report.1.adoc Use this command to check if the pin bound to a specific slot in a LUKS device has been rotated. Ensure the device and slot number are correct. ```bash # clevis luks report -d /dev/sda1 -s 1 ``` -------------------------------- ### Edit Clevis Binding Interactively Source: https://github.com/latchset/clevis/blob/master/src/luks/clevis-luks-edit.1.adoc Open a text editor to modify the configuration of a Clevis binding in a specified slot on a LUKS device. The default editor is vi if $EDITOR is not set. ```bash clevis luks edit -d /dev/sda1 -s 1 ```