CLEVIS-LUKS-BIND(1)

NAME
clevis-luks-bind - Bind a LUKS device using the specified policy

SYNOPSIS
clevis luks bind [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
OVERVIEW
The clevis luks bind command binds a LUKS device using the specified policy. This is accomplished with a simple command:
$ clevis luks bind -d /dev/sda tang '{"url":...}'
This command performs four steps:
This disk can now be unlocked with your existing password as well as with the Clevis policy. You will additionally need to enable one or more of the Clevis LUKS unlockers. See clevis-luks-unlockers(7) <clevis-luks-unlockers.7.adoc>.
CAVEATS
This command does not change the LUKS master key. This implies that if you create a LUKS-encrypted image for use in a Virtual Machine or Cloud environment, all the instances that run this image will share a master key. This is extremely dangerous and should be avoided at all cost.
This is not a limitation of Clevis but a design principle of LUKS. If you wish to have encrypted root volumes in the cloud, you will need to perform the OS installation separately for each instance in the cloud as well. The images cannot be shared without also sharing a master key.
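The following script is an added example and is not part of clevis or its documentation. It shows the two checks a practitioner wants after binding: that the header now carries a clevis token, and that two instances do not share a volume (master) key, which is the cloned-image situation the caveat above describes. It assumes the text layout of `cryptsetup luksDump` (LUKS2 prints the key digest as `Digest:` under `Digests:`, LUKS1 as `MK digest:`); the `DUMP_*` samples are constructed, abbreviated dumps rather than output captured from a real device.

```shell
#!/bin/sh
# Added example, not part of clevis: post-bind checks for the caveat above.
# It parses `cryptsetup luksDump` output to (1) confirm a clevis token is
# present after `clevis luks bind`, and (2) compare the volume-key digest of
# two headers, which is identical when one LUKS image was cloned to several
# instances. The DUMP_* samples below are constructed, abbreviated dumps.
set -eu

# Print the volume-key (master-key) digest read on stdin as one hex string.
# LUKS2 prints it as "Digest:" under "Digests:" (hex may wrap onto
# continuation lines); LUKS1 prints it as "MK digest:".
vk_digest() {
  awk '
    $1 == "Digest:"               { $1 = ""; d = $0; cont = 1; next }
    $1 == "MK" && $2 == "digest:" { $1 = ""; $2 = ""; d = $0; cont = 1; next }
    cont && /^[ \t]+[0-9a-f][0-9a-f \t]*$/ { d = d $0; next }
    { cont = 0 }
    END { gsub(/[ \t]+/, "", d); print d }
  '
}

# Succeed when both dumps carry the same (non-empty) volume-key digest,
# i.e. the two devices were made from the same image and share a master key.
same_volume_key() {
  a=$(printf '%s\n' "$1" | vk_digest)
  b=$(printf '%s\n' "$2" | vk_digest)
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
  return 1
}

# Succeed when the "Tokens:" section of a LUKS2 dump lists a clevis token.
has_clevis_token() {
  printf '%s\n' "$1" | awk '
    /^Tokens:/               { in_tok = 1; next }
    /^[A-Za-z]/              { in_tok = 0 }
    in_tok && $2 == "clevis" { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# Constructed sample: a bound device (clevis token present).
DUMP_A='LUKS header information
Version:        2
UUID:           5c7e9b1a-0000-4000-8000-000000000001
Keyslots:
  0: luks2
        Key:        512 bits
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Digest ID:  0
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
        Salt:       00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                    00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
        Digest:     1f 2e 3d 4c 5b 6a 79 88 97 a6 b5 c4 d3 e2 f1 00
                    ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00'

# Constructed sample: a second instance booted from a copy of the same image.
DUMP_A_CLONE=$DUMP_A

# Constructed sample: an independently installed device, not yet bound.
DUMP_B='LUKS header information
Version:        2
UUID:           9d1f4a2c-0000-4000-8000-000000000002
Keyslots:
  0: luks2
        Key:        512 bits
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Digest:     a0 b1 c2 d3 e4 f5 06 17 28 39 4a 5b 6c 7d 8e 9f
                    9f 8e 7d 6c 5b 4a 39 28 17 06 f5 e4 d3 c2 b1 a0'

# Usage on real devices (needs root):
#   cryptsetup luksDump /dev/sda | vk_digest
#   has_clevis_token "$(cryptsetup luksDump /dev/sda)" && echo bound
#   same_volume_key "$(cryptsetup luksDump /dev/sda)" \
#                   "$(ssh host2 cryptsetup luksDump /dev/sda)" && echo SHARED-KEY
```

Run the digest comparison across every instance launched from one image; any pair reporting a shared key has to be reinstalled rather than merely rebound, because binding adds a key slot but leaves the master key in place.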
SEE ALSO
clevis-luks-unlockers(7) <clevis-luks-unlockers.7.adoc>, clevis-encrypt-tang(1) <clevis-encrypt-tang.1.adoc>, clevis-encrypt-sss(1) <clevis-encrypt-sss.1.adoc>, clevis-decrypt(1) <clevis-decrypt.1.adoc>