{"id":13529868,"url":"https://github.com/latchset/clevis","last_synced_at":"2025-04-01T17:31:15.954Z","repository":{"id":38361992,"uuid":"47423688","full_name":"latchset/clevis","owner":"latchset","description":"Automated Encryption Framework","archived":false,"fork":false,"pushed_at":"2025-03-13T11:58:17.000Z","size":590,"stargazers_count":988,"open_issues_count":139,"forks_count":107,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-03-13T12:35:42.194Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/latchset.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-12-04T19:09:08.000Z","updated_at":"2025-03-13T11:58:22.000Z","dependencies_parsed_at":"2024-01-03T04:12:57.160Z","dependency_job_id":"9d3bc290-5a44-4e8f-801f-e7f4636cd637","html_url":"https://github.com/latchset/clevis","commit_stats":null,"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fclevis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fclevis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fclevis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/latchset%2Fclevis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/latchset","download_url":"https://codeload.github.com/latchset/clevis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246680252,"owners_count":20816660,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T07:00:40.157Z","updated_at":"2025-04-01T17:31:15.947Z","avatar_url":"https://github.com/latchset.png","language":"Shell","funding_links":[],"categories":["Automation","Shell","others","自动化工具","Automation and Convention"],"sub_categories":["零碎的"],"readme":"[![build](https://github.com/latchset/clevis/workflows/build/badge.svg)](https://github.com/latchset/clevis/actions)\n\n# Clevis\n\n## Welcome to Clevis!\nClevis is a pluggable framework for automated decryption. It can be used to\nprovide automated decryption of data or even automated unlocking of LUKS\nvolumes.\n\n### Encrypting Data\n\nWhat does this look like? Well, the first step is encrypting some data. We do\nthis with a simple command:\n\n```bash\n$ clevis encrypt PIN CONFIG \u003c PLAINTEXT \u003e CIPHERTEXT.jwe\n```\n\nThis command takes plaintext on standard input and produces an encrypted JWE\nobject on standard output. Besides the plaintext, we need to specify two\nadditional input parameters.\n\nFirst, is the pin. In clevis terminology, a pin is a plugin which implements\nautomated decryption. We simply pass the name of a pin here.\n\nSecond, is the config. The config is a JSON object which will be passed\ndirectly to the pin. It contains all the necessary configuration to perform\nencryption and setup automated decryption.\n\nTo decrypt our JWE, we simply perform the following:\n\n```bash\n$ clevis decrypt \u003c CIPHERTEXT.jwe \u003e PLAINTEXT\n```\n\nNotice that no additional input or interaction is required for the decrypt\ncommand. Let's look at some more concrete examples.\n\n#### PIN: Tang\n\n[Tang](http://github.com/latchset/tang) is a server implementation which\nprovides cryptographic binding services without the need for an escrow.\nClevis has full support for Tang. Here is an example of how to use Clevis with\nTang:\n\n```bash\n$ echo hi | clevis encrypt tang '{\"url\": \"http://tang.local\"}' \u003e hi.jwe\nThe advertisement is signed with the following keys:\n        kWwirxc5PhkFIH0yE28nc-EvjDY\n\nDo you wish to trust the advertisement? [yN] y\n```\n\nIn this example, we encrypt the message \"hi\" using the Tang pin. The only\nparameter needed in this case is the URL of the Tang server. During the\nencryption process, the Tang pin requests the key advertisement from the\nserver and asks you to trust the keys. This works similarly to SSH.\n\nAlternatively, you can manually load the advertisement using the `adv`\nparameter. This parameter takes either a string referencing the file where the\nadvertisement is stored, or the JSON contents of the advertisement itself. When\nthe advertisement is specified manually like this, Clevis presumes that the\nadvertisement is trusted.\n\n#### PIN: TPM2\n\nClevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)\nchip. The cryptographically-strong, random key used for encryption is encrypted\nusing the TPM2 chip, and is decrypted using TPM2 at the time of decryption to allow clevis to decrypt the secret stored in the JWE.\n\nFor example:\n\n```bash\n$ echo hi | clevis encrypt tpm2 '{}' \u003e hi.jwe\n```\n\nClevis store the public and private keys of the encrypted key in the JWE object,\nso those can be fetched on decryption to unseal the key encrypted using the TPM2.\n\n#### PIN: PKCS#11\n\nClevis can perform the role of a PKCS#11 application, as described in the [RFC 7512: The PKCS#11 URI Scheme](https://www.rfc-editor.org/rfc/rfc7512.html).\n\nPKCS#11 protocol determines that a PIN (Personal Identity Number) must be configured into the hardware device so that the unlocking process is successful. Clevis will allow users to unlock a particular encrypted disk, and will provide a way to get the PIN. There will be two possibilities:\n\n1 - Provide the PIN at boot time: In this first case, Clevis will detect PKCS#11 device and will prompt for its PIN.\nIn case PIN is wrong, Clevis will prompt for the PIN again. It is the user's responsibility to be aware of the possible lock / brick of the device in case PIN is unknown.\n\n2 - Provide the PIN at Clevis configuration time: In this second case, Clevis will be configured with the PIN value.\n\nInitially, RFC7512 defines a mechanism to specify a special kind of URI (the `pkcs11` URI), that allows identifying both a device and also the information required for it to be unlocked. Special attention deserves the parameters `pin-value`, which allow specifying the value of the PIN or the location of the PIN respectively. Clevis will understand, initially, the 'pin-value' parameter. Below you can find and example of PKCS#11 URIs using previous parameter:\n\n* PKCS#11 URI with `pin-value` defined:\n\n```\npkcs11:token=Software%20PKCS%2311%20softtoken;manufacturer=Snake%20Oil,%20Inc.?pin-value=the-pin\n```\n\nIn the next section, Clevis configuration examples are provided, so that it is clarified what are the different options for a PKCS#11 device to be bound to an encrypted disk.\n\n##### Clevis configuration\n\nClevis will provide a mechanism for the user to bind a particular PKCS#11 device to an encrypted device. The name of the new pin for Clevis will be `pkcs11`, and the way to configure it will be the same that is currently used:\n\n```\n$ clevis luks bind -h\n```\n\n```\nUsage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG\n```\n\n##### Configuration to provide a PKCS#11 URI to Clevis\nAs first example, a user can provide the information of the device by specifying its URI to Clevis:\n\n```\n$ clevis luks bind -d /dev/sda1 pkcs11 '{\"uri\": \"pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;\nserial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key\"}'\n```\n\n##### Configuration to bind Clevis to the first PKCS#11 device found\nAn additional option is to provide Clevis a configuration so that the first PKCS#11 device found by Clevis is bound. To do so, an empty URI can be provided as shown below:\n\n```\n$ clevis luks bind -d /dev/sda1 pkcs11 '{\"uri\": \"pkcs11:\"}'\n```\n\nAn even shorter configuration command, equivalent to the previous one, is shown below:\n\n```\n$ clevis luks bind -d /dev/sda1 pkcs11 '{}'\n```\n\nIn this case, Clevis will be responsible for the detection of the device and, if no device is found, responsible for dumping the corresponding error.\n\nIt must be clarified that providing an empty URI will make Clevis to prompt also to select one of the available keys matched on the token to avoid accidentally encryption with unwanted keys.\n\n##### Configuration to provide a module path to Clevis PKCS#11 pin:\nA module path can be provided to Clevis, so that it uses that module to access a device. This is only required in case the card is not supported by underlying Clevis software (OpenSC). For this reason, the module path field is completely optional. To provide the module location the user can provide the \"module-path\" to the \"uri\" Clevis configuration:\n\n```\n$ clevis-luks-bind -d /dev/sda1 pkcs11 '{\"uri\": \"pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;\nserial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key?\nmodule-path=/usr/local/lib64/libmypkcs11.so\"}'\n```\n\nAs it happens with the rest of devices, encrypted disks that have been bound to a PKCS#11 device can be checked with `clevis luks list` command:\n\n```\n$ clevis luks list -d /dev/sda1\n```\n\n```\n1: pkcs11 '{\"uri\": \"pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;\nserial=0a35ba26b062b9c5;token=clevis;id=%02;object=Encryption%20Key?\nmodule-path=/usr/local/lib64/libmypkcs11.so\"}'\n```\n\n##### Configuration to provide PKCS#11 tool a different mechanism\n\nIn the first phase of development, Clevis will be used in top of OpenSC to provide PKCS#11 functionality.\nOpenSC, and, in particular, `pkcs11-tool`, provides an option to indicate the mechanism to use for decryption.\nFor testing purposes, some libraries, such as [SoftHSM](https://www.opendnssec.org/softhsm)), don't work with default `pkcs11-tool` mechanism,\nso it is  required to provide a particular mechanism to use. For this reason, Clevis can be provided with\nthe mechanism to use, in case the default one, `RSA-PKCS-OAEP`, is not valid:\n\n```\n$ clevis luks bind -d /dev/sda1 pkcs11 '{\"uri\": \"pkcs11:\", \"mechanism\":\"RSA-PKCS\"}'\n```\n\nIn order to check available mechanisms for a specific token, command `pkcs11-tool -M` can be used:\n\n\n```\n$ pkcs11-tool -M\nUsing slot 0 with a present token (0x0)\nSupported mechanisms:\n  SHA-1, digest\n...\n  SHA512, digest\n  MD5, digest\n...\n  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, generate_key_pair\n```\n\nAt this time, only RSA mechanisms are supported by Clevis. Due to a limitation of the rest of the algorithms, no other asymmetric cryptographic algorithm can do encryption easily.  The ECC supports only signatures and key derivation, but not encryption. The encryption operation can be somehow constructed from the key derivation, but it is not a straightforward operation.\n\nIt must be highlighted that the RSA-PKCS mechanism (PKCS#1.5 padding for encryption) is [considered to be not secure](https://people.redhat.com/~hkario/marvin/) and it is mostly provided for compatibility, but it is not recommended using it in production.\n\n##### Multi-device configuration\nClevis will allow specifying the slot where a PKCS#11 device is located through the parameters provided to the URI:\n\n```\n$ clevis luks bind -d /dev/sda1 pkcs11 '{\"uri\": \"pkcs11:slot-id=0\"}'\n```\n\nIt must be clarified that providing just the slot information will make Clevis to guess one of the available keys matched on the token in the selected slot, which could cause accidentally encryption with unwanted keys. **It is not recommended to use slot as device selector, as slot id is a number that is not guaranteed to be stable across PKCS#11 module initializations**. However, there are certain libraries and modules that provide stable slot identifiers, so it can be used for these particular cases.\n\nThere are two better options to distinguish between different PKCS#11 devices:\n\n1 - Multi-device configuration with public key object (**recommended**):\n\nWith recent versions of `OpenSC` (from OpenSC 0.26.0 release) onwards, `pkcs11-tool`, which is used by Clevis to handle most of the PKCS#11 commands, the PKCS#11 URI is dumped for both the tokens and the objects of a particular token:\n\n```\n$ pkcs11-tool -L | grep uri\n  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=42facd1f749ece7f;token=clevis\n  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29\n$ pkcs11-tool -O --slot-index 1 --type pubkey | grep uri\nising slot 0 with a present token (0x0)\n  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=public\n```\n\nIn this particular cases, when multiple PKCS#11 devices exist, select the public key of the particular device and bind it to Clevis:\n\n```\n$ clevis luks bind -d /dev/sda pkcs11 '{\"uri\":\"pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=public\"}'\n```\n**In case you are using module-path, you will have to use the one returned when providing --module option:**\n\n```\n$ pkcs11-tool --module /usr/lib64/libykcs11.so -O --type pubkey | grep uri\n /usr/local/bin/pkcs11-tool.manual --module /usr/lib64/libykcs11.so -O --type pubkey | grep uri\nUsing slot 0 with a present token (0x0)\n  uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=28083311;token=YubiKey%20PIV%20%2328083311;id=%03;object=Public%20key%20for%20Key%20Management;type=public\n  uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=28083311;token=YubiKey%20PIV%20%2328083311;id=%19;object=Public%20key%20for%20PIV%20Attestation;type=public\n$ clevis luks bind -d /dev/sda pkcs11 '{\"uri\":\"pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=28083311;token=YubiKey%20PIV%20%2328083311;id=%03;object=Public%20key%20for%20Key%20Management;type=public;module-path=/usr/lib64/libykcs11.so\"}'\n```\n\n2 - Multi-device configuration with serial + token specification:\n\n**For versions where `pkcs11-tool` does not dump the URI for the tokens/objects**, specific identification will be \"tried\" by Clevis by using the device `serial` + `token label` pair.\nIn this type of scenarios, identification can be performed with these two parameters, although `model` should be provided also to ease Clevis informing about the device when asking for the PIN:\n\n```\n# pkcs11-tool -L | grep \"token label\\|serial\"\n  token label        : OpenPGP card (User PIN)\n  serial num         : 42facd1f749ece7f\n$ clevis luks bind -d /dev/sda pkcs11 '{\"uri\":\"pkcs11:model=PKCS%2315%20emulated;serial=000f06080f4f;token=OpenPGP%20card%20%28User%20PIN%29\"}'\n```\n\nRemember that special characters must be defined in percent mode, as defined in [RFC 7512: The PKCS#11 URI Scheme](https://www.rfc-editor.org/rfc/rfc7512.html).\n\n##### Clevis PKCS#11 installation and configuration\n\nFor installation and configuration of the clevis PKCS#11 feature, next steps must be followed:\n\n1 - Install Clevis required dependencies, including PKCS#11 dependencies:\n\n```\n$ sudo dnf install clevis-pin-pkcs11\n```\n\n2 - The PKCS11 device must be accessible by “pkcs11-tool”:\n\n```\n$ pkcs11-tool -L\npkcs11-tool -L\nAvailable slots:\nSlot 0 (0x0): Yubico YubiKey OTP+CCID 00 00\n  token label        : clevis\n  ...\n  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=42facd1f749ece7f;token=clevis\n```\n\n3 - Configure device to bind with clevis:\n\n```\n$ sudo clevis luks bind -d /dev/sda5 pkcs11 '{\"uri\":\"pkcs11:\"}'\n```\n\nIn case it is required to provide the module to use, it can be done through `module-path` URI parameter:\n\n```\n$ sudo clevis luks bind -d /dev/sda5 pkcs11 '{\"uri\":\"pkcs11:module-path=/usr/lib64/libykcs11.so.2\"}'\n```\n\n4 - Enable clevis-luks-pkcs11-askpass.socket unit:\n\n```\n$ sudo systemctl enable --now clevis-luks-pkcs11-askpass.socket\n```\n\n5 - /etc/crypttab configuration:\n\nFor PKCS#11 feature to work appropriately, `/etc/crypttab` file must be configured so that systemd uses an AF\\_UNIX socket to wait for the keyphrase that will unlock the disk and not to prompt it through the console.\n\nClevis PKCS#11 unit file will configure a socket in path `/run/systemd/clevis-pkcs11.sock` to send and receive information about disk unlocking. For disks that will be unlocked through PKCS#11 Clevis pin, that socket file must be configured as key file. So, next change must be introduced in `/etc/crypttab` for unlocking to take place:\n\n```\n$ sudo diff -Nuar /etc/crypttab.ori /etc/crypttab\n--- /etc/crypttab.ori   2024-07-04 10:46:16.295073739 +0200\n+++ /etc/crypttab       2024-07-03 17:14:27.764743860 +0200\n@@ -1 +1,2 @@\n-luks-6e38d5e1-7f83-43cc-819a-7416bcbf9f84 UUID=6e38d5e1-7f83-43cc-819a-7416bcbf9f84 - -\n+luks-6e38d5e1-7f83-43cc-819a-7416bcbf9f84 UUID=6e38d5e1-7f83-43cc-819a-7416bcbf9f84 /run/systemd/clevis-pkcs11.sock keyfile-timeout=30s\n```\n\nIt is highly recommended setting a `keyfile-timeout` option to configure a fall-through mechanism in case some unlocking error occurs and passphrase is required to be entered manually through console.\n\n6 - Reboot and test:\n\nSystem should boot and ask for the PKCS#11 device PIN, and decrypt the corresponding configured encrypted disk only in case PIN is correct.\n\n7 - In case no boot process needs to be tested, encrypt and decrypt with next command (note it is necessary to provide the PIN value for it to work appropriately) and check encryption/decryption of a string can be performed with this one-liner, and no error takes place:\n\n```\n$ echo \"top secret\" | clevis encrypt pkcs11 '{\"uri\":\"pkcs11:module-path=/usr/lib64/libykcs11.so.2?pin-value=123456\"}' | clevis decrypt\n```\n\nThe `top secret` string should be returned\n\n#### PIN: Shamir Secret Sharing\n\nClevis provides a way to mix pins together to provide sophisticated unlocking\npolicies. This is accomplished by using an algorithm called Shamir Secret\nSharing (SSS).\n\nSSS is a thresholding scheme. It creates a key and divides it into a number of\npieces. Each piece is encrypted using another pin (possibly even SSS\nrecursively). Additionally, you define the threshold `t`. If at least `t`\npieces can be decrypted, then the encryption key can be recovered and\ndecryption can succeed.\n\nHere is an example where we use the SSS pin with both the Tang and TPM2 pins:\n\n```bash\n$ echo hi | clevis encrypt sss \\\n'{\"t\": 2, \"pins\": {\"tpm2\": {\"pcr_ids\": \"0\"}, \"tang\": {\"url\": \"http://tang.local\"}}}' \\\n\u003e hi.jwe\n```\n\nIn the above example, we define two child pins and have a threshold of 2.\nThis means that during decryption **both** child pins must succeed in order for\nSSS itself to succeed.\n\nHere is another example where we use just the Tang pin:\n\n```bash\n$ echo hi | clevis encrypt sss \\\n'{\"t\": 1, \"pins\": {\"tang\": [{\"url\": \"http://server1.local/key\"}, {\"url\": \"http://server2.local/key\"}]}}' \\\n\u003e hi.jwe\n```\n\nIn this example, we define two child instances of the Tang pin - each with its\nown configuration. Since we have a threshold of 1, if **either** of the Tang\npin instances succeed during decryption, SSS will succeed.\n\n### Binding LUKS Volumes\n\nClevis can be used to bind a LUKS volume using a pin so that it can be\nautomatically unlocked.\n\nHow this works is rather simple. We generate a new, cryptographically strong\nkey. This key is added to LUKS as an additional passphrase. We then encrypt\nthis key using Clevis, and store the output JWE inside the LUKS header using\n[LUKSMeta](http://github.com/latchset/luksmeta).\n\nHere is an example where we bind `/dev/sda1` using the Tang pin:\n\n```bash\n$ sudo clevis luks bind -d /dev/sda1 tang '{\"url\": \"http://tang.local\"}'\nThe advertisement is signed with the following keys:\n        kWwirxc5PhkFIH0yE28nc-EvjDY\n\nDo you wish to trust the advertisement? [yN] y\nEnter existing LUKS password:\n```\n\nUpon successful completion of this binding process, the disk can be unlocked\nusing one of the provided unlockers.\n\n#### Network based unlocking\nIf you want to use network based unlocking you will need to specify `rd.neednet=1` as kernel argument or use `--hostonly-cmdline` when creating with dracut.\n\nIf you're using **Tang** with TLS (Example: `'{\"url\": \"https://tang.remote\"}'`), the folder `/etc/ssl` should be included in the initramfs image, `--include /etc/ssl /etc/ssl --force` when creating with dracut.\n\n#### Unlocker: Dracut\n\nThe Dracut unlocker attempts to automatically unlock volumes during early\nboot. This permits automated root volume encryption. Enabling the Dracut\nunlocker is easy. Just rebuild your initramfs after installing Clevis:\n\n```bash\n$ sudo dracut -f\n```\n\nUpon reboot, you will be prompted to unlock the volume using a password. In\nthe background, Clevis will attempt to unlock the volume automatically. If it\nsucceeds, the password prompt will be cancelled and boot will continue.\n\n#### Unlocker: Initramfs-tools\n\nWhen using Clevis with initramfs-tools, in order to rebuild your\ninitramfs you will need to run:\n\n```bash\nsudo update-initramfs -u -k 'all'\n```\n\nUpon reboot, it will behave exactly as if using Dracut.\n\n#### Unlocker: UDisks2\n\nOur UDisks2 unlocker runs in your desktop session. You should not need to\nmanually enable it; just install the Clevis UDisks2 unlocker and restart your\ndesktop session. The unlocker should be started automatically.\n\nThis unlocker works almost exactly the same as the Dracut unlocker. If you\ninsert a removable storage device that has been bound with Clevis, we will\nattempt to unlock it automatically in parallel with a desktop password prompt.\nIf automatic unlocking succeeds, the password prompt will be dismissed without\nuser intervention.\n\n#### Unlocker: Clevis command\n\nA LUKS device bound to a Clevis policy can also be unlocked by using the clevis\nluks unlock command.\n\n```bash\n$ sudo clevis luks unlock -d /dev/sda1\n```\n\n#### Unbinding LUKS volumes\n\nLUKS volumes can be unbound using the clevis luks unbind command. For example:\n\n```bash\n$ sudo clevis luks unbind -d /dev/sda1 -s 1\n```\n\n#### Listing pins bound to LUKS volumes\n\nThe pins that are bound to a given LUKS volume can be listed using the clevis\nluks list command. For example:\n\n```bash\n$ sudo clevis luks list -d /dev/sda1\n```\n\n## Installing Clevis\n\nPlease don't install Clevis directly. Instead, use your preferred\ndistribution's packages.\n\n### Fedora 24+\n\nThis command installs the core Clevis commands, the Dracut, Systemd and LUKs unlockers,\nand the UDisks2 unlocker, respectively.\n\n```bash\n$ sudo dnf install clevis clevis-dracut clevis-udisks2 clevis-systemd clevis-luks\n```\n\n## Manual compilation\n\nAs remarked in the previous section, **it is suggested not to install Clevis directly**.\nHowever, in case no Clevis packages exist for your Linux distribution, the steps to\nmanually compile and install Clevis are next ones:\n\n* Download latest version of the binaries (note that the latest version could change):\n```bash\n$ wget https://github.com/latchset/clevis/releases/download/v21/clevis-21.tar.xz\n```\n\n* Untar the binaries file:\n```bash\n$ tar Jxvf clevis-21.tar.xz\n```\n\n* Create build directory and change path to it:\n```bash\n$ cd clevis-21\n$ mkdir build\n$ cd build\n```\n\n* Execute `meson` to setup compilation:\n```bash\n$ meson setup ..\n```\n\n* Compile with `ninja` command:\n```bash\n$ ninja\n```\n\n* Install with `ninja install` command (you will need root permissions for it):\n```bash\n$ sudo ninja install\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flatchset%2Fclevis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flatchset%2Fclevis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flatchset%2Fclevis/lists"}