path: root/nixpkgs/nixos/modules/system/boot/clevis.md
author: Alyssa Ross <hi@alyssa.is> 2023-12-07 14:04:47 +0100
committer: Alyssa Ross <hi@alyssa.is> 2023-12-07 14:04:47 +0100
commit: ba08e4e99b00a6916c4360de7288a7bfcef85328 (patch)
tree: 347c8b6ad50fcaafc08e50f1307a861378650440 /nixpkgs/nixos/modules/system/boot/clevis.md
parent: 190fd93d11701ad81af757be6260df9635bdb41a (diff)
parent: 2c7f3c0fb7c08a0814627611d9d7d45ab6d75335 (diff)
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos/modules/system/boot/clevis.md')
-rw-r--r-- nixpkgs/nixos/modules/system/boot/clevis.md | 51
1 files changed, 51 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/system/boot/clevis.md b/nixpkgs/nixos/modules/system/boot/clevis.md
new file mode 100644
index 000000000000..91eb728a919e
--- /dev/null
+++ b/nixpkgs/nixos/modules/system/boot/clevis.md
@@ -0,0 +1,51 @@
+# Clevis {#module-boot-clevis}
+
+[Clevis](https://github.com/latchset/clevis)
+is a framework for automated decryption of resources.
+Clevis allows for secure unattended disk decryption during boot, using decryption policies that must be satisfied for the data to decrypt.
+
+
+## Create a JWE file containing your secret {#module-boot-clevis-create-secret}
+
+The first step is to embed your secret in a [JWE](https://en.wikipedia.org/wiki/JSON_Web_Encryption) file.
+JWE files have to be created through the clevis command line. 3 types of policies are supported:
+
+1) TPM policies
+
+Secrets are pinned against the presence of a TPM2 device, for example:
+```
+echo hi | clevis encrypt tpm2 '{}' > hi.jwe
+```
+2) Tang policies
+
+Secrets are pinned against the presence of a Tang server, for example:
+```
+echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe
+```
+
+3) Shamir Secret Sharing
+
+Using Shamir's Secret Sharing ([sss](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)), secrets are pinned using a combination of the two preceding policies. For example:
+```
+echo hi | clevis encrypt sss \
+'{"t": 2, "pins": {"tpm2": {"pcr_ids": "0"}, "tang": {"url": "http://tang.local"}}}' \
+> hi.jwe
+```
+
+For more complete documentation on how to generate a secret with clevis, see the [clevis documentation](https://github.com/latchset/clevis).
+
+
+## Activate unattended decryption of a resource at boot {#module-boot-clevis-activate}
+
+In order to activate unattended decryption of a resource at boot, enable the `clevis` module:
+
+```
+boot.initrd.clevis.enable = true;
+```
+
+Then, specify the device you want to decrypt using a given clevis secret. Clevis will automatically try to decrypt the device at boot and will fallback to interactive unlocking if the decryption policy is not fulfilled.
+```
+boot.initrd.clevis.devices."/dev/nvme0n1p1".secretFile = ./nvme0n1p1.jwe;
+```
+
+Only `bcachefs`, `zfs` and `luks` encrypted devices are supported at this time.
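Review bot: the TPM2 example `echo hi | clevis encrypt tpm2 '{}' > hi.jwe` pins the secret to the presence of the TPM alone, so the text in this hunk should say that an empty policy does not bind the secret to the measured boot state, and point readers to the `pcr_ids` setting that the later sss example (`"tpm2": {"pcr_ids": "0"}`) already uses; as written, a reader following the first example verbatim gets an unattended unlock that any software able to talk to that TPM can satisfy, which is weaker than the "decryption policies that must be satisfied" sentence in the intro suggests. Two wording points in the same hunk: "3 types of policies are supported" reads better as "Three types of policies are supported", and "will fallback to interactive unlocking" should be "will fall back to interactive unlocking". It would also help to state, next to `boot.initrd.clevis.devices."/dev/nvme0n1p1".secretFile = ./nvme0n1p1.jwe;`, what the attribute name is expected to be for each of the supported device types (`bcachefs`, `zfs`, `luks`), since the example only shows a raw block-device path.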