<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-cryptenroll" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_LIBCRYPTSETUP'>

  <refentryinfo>
    <title>systemd-cryptenroll</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-cryptenroll</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-cryptenroll</refname>
    <refpurpose>Enroll PKCS#11, FIDO2, TPM2 token/devices to LUKS2 encrypted volumes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-cryptenroll <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">DEVICE</arg></command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-cryptenroll</command> is a tool for enrolling hardware security tokens and devices into a
    LUKS2 encrypted volume, which may then be used to unlock the volume during boot. Specifically, it supports
    enrolling tokens and credentials of the following kinds:</para>

    <orderedlist>
      <listitem><para>PKCS#11 security tokens and smartcards that may carry an RSA key pair (e.g. various YubiKeys)</para></listitem>

      <listitem><para>FIDO2 security tokens that implement the <literal>hmac-secret</literal> extension (most FIDO2 keys, including YubiKeys)</para></listitem>

      <listitem><para>TPM2 security devices</para></listitem>

      <listitem><para>Recovery keys. These are similar to regular passphrases, but are randomly generated
      on the computer and thus generally have higher entropy than user-chosen passphrases. Their character
      set has been designed to ensure they are easy to type in, while having high entropy. They may also be
      scanned off screen using QR codes. Recovery keys may be used for unlocking LUKS2 volumes wherever
      passphrases are accepted. They are intended to be used in combination with an enrolled hardware
      security token, as a recovery option when the token is lost.</para></listitem>

      <listitem><para>Regular passphrases</para></listitem>
    </orderedlist>

    <para>In addition, the tool may be used to enumerate currently enrolled security tokens and wipe a subset
    of them. The latter may be combined with the enrollment operation of a new security token, in order to
    update or replace enrollments.</para>

    <para>The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token
    area, which is not available in other encryption formats.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--password</option></term>

        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
        <command>cryptsetup luksAddKey</command>, but may be combined with
        <option>--wipe-slot=</option> in one call, see below.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--recovery-key</option></term>

        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
        computer-generated instead of human-chosen, and thus have a guaranteed high entropy. The key uses a
        character set that is easy to type in, and may be scanned off screen via a QR code.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--pkcs11-token-uri=</option><replaceable>URI</replaceable></term>

        <listitem><para>Enroll a PKCS#11 security token or smartcard (e.g. a YubiKey). Expects a PKCS#11
        smartcard URI referring to the token. Alternatively the special value <literal>auto</literal> may
        be specified, in order to automatically determine the URI of a currently plugged in security token
        (of which there must be exactly one). The special value <literal>list</literal> may be used to
        enumerate all suitable PKCS#11 tokens currently plugged in. The security token must contain an RSA
        key pair which is used to encrypt the randomly generated key that is used to unlock the LUKS2
        volume. The encrypted key is then stored in the LUKS2 JSON token header area.</para>

        <para>In order to unlock a LUKS2 volume with an enrolled PKCS#11 security token, specify the
        <option>pkcs11-uri=</option> option in the respective <filename>/etc/crypttab</filename> line:</para>

        <programlisting>myvolume /dev/sda1 - pkcs11-uri=auto</programlisting>

        <para>See
        <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a
        more comprehensive example of a <command>systemd-cryptenroll</command> invocation and its matching
        <filename>/etc/crypttab</filename> line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--fido2-device=</option><replaceable>PATH</replaceable></term>

        <listitem><para>Enroll a FIDO2 security token that implements the <literal>hmac-secret</literal>
        extension (e.g. a YubiKey). Expects a <filename>hidraw</filename> device referring to the FIDO2
        device (e.g. <filename>/dev/hidraw1</filename>). Alternatively the special value
        <literal>auto</literal> may be specified, in order to automatically determine the device node of a
        currently plugged in security token (of which there must be exactly one). The special value
        <literal>list</literal> may be used to enumerate all suitable FIDO2 tokens currently plugged in. Note
        that many hardware security tokens that implement FIDO2 also implement the older PKCS#11
        standard. Typically FIDO2 is preferable, given it's simpler to use and more modern.</para>

        <para>In order to unlock a LUKS2 volume with an enrolled FIDO2 security token, specify the
        <option>fido2-device=</option> option in the respective <filename>/etc/crypttab</filename> line:</para>

        <programlisting>myvolume /dev/sda1 - fido2-device=auto</programlisting>

        <para>See
        <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a
        more comprehensive example of a <command>systemd-cryptenroll</command> invocation and its matching
        <filename>/etc/crypttab</filename> line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to enter
        a PIN when unlocking the volume (the FIDO2 <literal>clientPin</literal> feature). Defaults to
        <literal>yes</literal>. (Note: this setting is without effect if the security token does not support
        the <literal>clientPin</literal> feature at all, or does not allow enabling or disabling
        it.)</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--fido2-with-user-presence=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to
        verify presence (tap the token, the FIDO2 <literal>up</literal> feature) when unlocking the volume.
        Defaults to <literal>yes</literal>. (Note: this setting is without effect if the security token does not support
        the <literal>up</literal> feature at all, or does not allow enabling or disabling it.)
        </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--fido2-with-user-verification=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>When enrolling a FIDO2 security token, controls whether to require user verification
        when unlocking the volume (the FIDO2 <literal>uv</literal> feature). Defaults to
        <literal>no</literal>. (Note: this setting is without effect if the security token does not support
        the <literal>uv</literal> feature at all, or does not allow enabling or disabling it.)</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>

        <listitem><para>Enroll a TPM2 security chip. Expects a device node path referring to the TPM2 chip
        (e.g. <filename>/dev/tpmrm0</filename>). Alternatively the special value <literal>auto</literal> may
        be specified, in order to automatically determine the device node of a currently discovered TPM2
        device (of which there must be exactly one). The special value <literal>list</literal> may be used to
        enumerate all suitable TPM2 devices currently discovered.</para>

        <para>In order to unlock a LUKS2 volume with an enrolled TPM2 security chip, specify the
        <option>tpm2-device=</option> option in the respective <filename>/etc/crypttab</filename> line:</para>

        <programlisting>myvolume /dev/sda1 - tpm2-device=auto</programlisting>

        <para>See
        <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a
        more comprehensive example of a <command>systemd-cryptenroll</command> invocation and its matching
        <filename>/etc/crypttab</filename> line.</para>

        <para>Use <option>--tpm2-pcrs=</option> (see below) to configure which TPM2 PCR indexes to bind the
        enrollment to.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>

        <listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment
        requested via <option>--tpm2-device=</option> to. Takes a <literal>+</literal> separated list of
        numeric PCR indexes in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is
        specified, binds the enrollment to no PCRs at all. PCRs allow binding the enrollment to specific
        software versions and system state, so that the enrolled unlocking key is only accessible (may be
        "unsealed") if specific trusted software and/or configuration is used.</para></listitem>

        <table>
          <title>Well-known PCR Definitions</title>

          <tgroup cols='2' align='left' colsep='1' rowsep='1'>
            <colspec colname="pcr" />
            <colspec colname="definition" />

            <thead>
              <row>
                <entry>PCR</entry>
                <entry>Explanation</entry>
              </row>
            </thead>

            <tbody>
              <row>
                <entry>0</entry>
                <entry>Core system firmware executable code; changes on firmware updates</entry>
              </row>

              <row>
                <entry>1</entry>
                <entry>Core system firmware data/host platform configuration; typically contains serial and model numbers, changes on basic hardware/CPU/RAM replacements</entry>
              </row>

              <row>
                <entry>2</entry>
                <entry>Extended or pluggable executable code; includes option ROMs on pluggable hardware</entry>
              </row>

              <row>
                <entry>3</entry>
                <entry>Extended or pluggable firmware data; includes information about pluggable hardware</entry>
              </row>

              <row>
                <entry>4</entry>
                <entry>Boot loader; changes on boot loader updates</entry>
              </row>

              <row>
                <entry>5</entry>
                <entry>GPT/Partition table; changes when the partitions are added, modified or removed</entry>
              </row>

              <row>
                <entry>6</entry>
                <entry>Power state events; changes on system suspend/sleep</entry>
              </row>

              <row>
                <entry>7</entry>
                <entry>Secure boot state; changes when UEFI SecureBoot mode is enabled/disabled</entry>
              </row>

              <row>
                <entry>8</entry>
                <entry><citerefentry><refentrytitle>sd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures the kernel command line in this PCR.</entry>
              </row>
            </tbody>
          </tgroup>
        </table>

      </varlistentry>
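<para>As an added illustration that is not part of the systemd man page or its source, the following Python models the <option>--tpm2-pcrs=</option> syntax described above (a <literal>+</literal> separated list of indexes 0…23, an empty string for no PCRs, PCR 7 when the option is absent) and the unseal check a PCR binding results in. The PCR meanings are taken from the table; the PCR values are constructed sample bytes, and nothing talks to a real TPM.</para>

```python
# Added example (not systemd code): models the --tpm2-pcrs= syntax from the man
# page and the TPM2 unseal check it results in; PCR values here are constructed.

# Well-known PCR meanings, taken from the table in the man page.
WELL_KNOWN_PCRS = {
    0: "core firmware code; changes on firmware updates",
    1: "firmware data/platform config; changes on hardware/CPU/RAM replacement",
    2: "pluggable executable code (option ROMs)",
    3: "pluggable firmware data",
    4: "boot loader; changes on boot loader updates",
    5: "GPT/partition table; changes when partitions change",
    6: "power state events; changes on suspend/sleep",
    7: "secure boot state; changes when UEFI SecureBoot is toggled",
    8: "kernel command line, as measured by sd-boot",
}

DEFAULT_PCRS = (7,)  # used when --tpm2-pcrs= is not given at all


def parse_pcr_spec(spec):
    """Parse a --tpm2-pcrs= value into a sorted tuple of unique PCR indexes.

    None models the option being absent (PCR 7 only); "" models an explicit
    empty string (bind to no PCRs). Anything else must be '+'-separated 0..23.
    """
    if spec is None:
        return DEFAULT_PCRS
    if spec == "":
        return ()
    pcrs = set()
    for field in spec.split("+"):
        if not field.isdigit() or int(field) > 23:
            raise ValueError(f"bad PCR index {field!r}, expected 0..23")
        pcrs.add(int(field))
    return tuple(sorted(pcrs))


def describe_binding(spec):
    """List what each bound PCR ties the enrollment to (from the table above)."""
    pcrs = parse_pcr_spec(spec)
    if not pcrs:
        return ["no PCR policy: the TPM will unseal the key in any system state"]
    return [f"PCR {p}: {WELL_KNOWN_PCRS.get(p, 'no well-known definition')}" for p in pcrs]


def can_unseal(spec, sealed, current):
    """Model of the TPM2 policy check: the key unseals only if every bound PCR
    still holds the value recorded at enrollment; unbound PCRs are ignored."""
    return all(p in sealed and sealed[p] == current.get(p) for p in parse_pcr_spec(spec))
```

With constructed values, a binding to <literal>7</literal> survives a firmware update while <literal>0+7</literal> does not, which is the trade-off the table is there to make visible.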

      <varlistentry>
        <term><option>--wipe-slot=</option><arg rep="repeat">SLOT</arg></term>

        <listitem><para>Wipes one or more LUKS2 key slots. Takes a comma separated list of numeric slot
        indexes, or the special strings <literal>all</literal> (for wiping all key slots),
        <literal>empty</literal> (for wiping all key slots that are unlocked by an empty passphrase),
        <literal>password</literal> (for wiping all key slots that are unlocked by a traditional passphrase),
        <literal>recovery</literal> (for wiping all key slots that are unlocked by a recovery key),
        <literal>pkcs11</literal> (for wiping all key slots that are unlocked by a PKCS#11 token),
        <literal>fido2</literal> (for wiping all key slots that are unlocked by a FIDO2 token),
        <literal>tpm2</literal> (for wiping all key slots that are unlocked by a TPM2 chip), or any
        combination of these strings or numeric indexes, in which case all slots matching either are
        wiped. As a safety precaution, an operation that wipes all slots without exception (so that the volume
        cannot be unlocked at all anymore, unless the volume key is known) is refused.</para>

        <para>This switch may be used alone, in which case only the requested wipe operation is executed. It
        may also be used in combination with any of the enrollment options listed above, in which case the
        enrollment is completed first, and only when successful is the wipe operation executed — and the newly
        added slot is always excluded from the wiping. Combining enrollment and slot wiping may thus be used to
        update existing enrollments:</para>

        <programlisting>systemd-cryptenroll /dev/sda1 --wipe-slot=tpm2 --tpm2-device=auto</programlisting>

        <para>The above command will enroll the TPM2 chip, and then wipe all previously created TPM2
        enrollments on the LUKS2 volume, leaving only the newly created one. Combining wiping and enrollment
        may also be used to replace enrollments of different types, for example for changing from a PKCS#11
        enrollment to a FIDO2 one:</para>

        <programlisting>systemd-cryptenroll /dev/sda1 --wipe-slot=pkcs11 --fido2-device=auto</programlisting>

        <para>Or for replacing an enrolled empty password by TPM2:</para>

        <programlisting>systemd-cryptenroll /dev/sda1 --wipe-slot=empty --tpm2-device=auto</programlisting>
        </listitem>
      </varlistentry>
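<para>The slot-selection rules above, as an added example that is not systemd's code: it resolves a <option>--wipe-slot=</option> value against a constructed keyslot inventory (the slot indexes and credential kinds are made up) and applies the two rules the text states, exclusion of the slot just enrolled in the same call and refusal of a wipe that would leave no key slot at all. No LUKS2 device is touched.</para>

```python
# Added example (not systemd code): models the --wipe-slot= selection rules the
# man page describes against a constructed keyslot inventory.

# Type selectors the man page lists; "all" is handled separately below.
WIPE_TYPES = {"empty", "password", "recovery", "pkcs11", "fido2", "tpm2"}

# Constructed inventory: keyslot index -> kind of credential that unlocks it.
EXAMPLE_SLOTS = {0: "password", 1: "empty", 2: "tpm2", 3: "pkcs11"}


def parse_wipe_spec(spec):
    """Split a --wipe-slot= value into (numeric indexes, type selectors)."""
    indexes, types = set(), set()
    for field in spec.split(","):
        if field.isdigit():
            indexes.add(int(field))
        elif field == "all" or field in WIPE_TYPES:
            types.add(field)
        else:
            raise ValueError(f"unknown slot selector {field!r}")
    return indexes, types


def resolve_wipe(spec, slots, new_slot=None):
    """Return the sorted keyslot indexes a --wipe-slot= value would remove.

    slots is the inventory after any enrollment done in the same call, and
    new_slot names the slot that enrollment created; it is never wiped.
    Raises ValueError when the result would leave no key slot at all.
    """
    indexes, types = parse_wipe_spec(spec)
    selected = {
        idx for idx, kind in slots.items()
        if idx in indexes or "all" in types or kind in types
    }
    selected.discard(new_slot)  # the slot just enrolled is always kept
    if selected >= set(slots):
        raise ValueError("refusing to wipe every key slot: volume would become unrecoverable")
    return sorted(selected)
```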

      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>

  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>