HiveBrain v1.2.0
Get Started
← Back to all entries
snippetbashTip

systemd-cryptenroll — Interactively enroll or remove methods used to unlock LUKS2-encrypted devices. Uses a password to un

Submitted by: @import:tldr-pages··
0
Viewed 0 times
tldrsystemd-cryptenrollcommand-lineclilinux
enrollcommandinteractivelyremovesystemd-cryptenrollmethodsusedcli
linux

Problem

How to use the systemd-cryptenroll command: Interactively enroll or remove methods used to unlock LUKS2-encrypted devices. Uses a password to unlock the device unless otherwise specified. In order to allow a partition to be unlocked during system boot, update the /etc/crypttab file or the initramfs. More information: <https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll.html>.

Solution

systemd-cryptenroll — Interactively enroll or remove methods used to unlock LUKS2-encrypted devices. Uses a password to unlock the device unless otherwise specified. In order to allow a partition to be unlocked during system boot, update the /etc/crypttab file or the initramfs. More information: <https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll.html>.

Enroll a new password (similar to cryptsetup luksAddKey):
systemd-cryptenroll --password {{path/to/luks2_block_device}}


Enroll a new recovery key (i.e. a randomly generated passphrase that can be used as a fallback):
systemd-cryptenroll --recovery-key {{path/to/luks2_block_device}}


List available tokens, or enroll a new PKCS#11 token:
systemd-cryptenroll --pkcs11-token-uri {{list|auto|pkcs11_token_uri}} {{path/to/luks2_block_device}}


List available FIDO2 devices, or enroll a new FIDO2 device (auto can be used as the device name when there is only one token plugged in):
systemd-cryptenroll --fido2-device {{list|auto|path/to/fido2_hidraw_device}} {{path/to/luks2_block_device}}


Enroll a new FIDO2 device with user verification (biometrics):
systemd-cryptenroll --fido2-device {{auto|path/to/fido2_hidraw_device}} --fido2-with-user-verification yes {{path/to/luks2_block_device}}


Unlock using a FIDO2 device, and enroll a new FIDO2 device:
systemd-cryptenroll --unlock-fido2-device {{path/to/fido2_hidraw_unlock_device}} --fido2-device {{path/to/fido2_hidraw_enroll_device}} {{path/to/luks2_block_device}}


Enroll a TPM2 security chip (only secure-boot-policy PCR) and require an additional alphanumeric PIN:
systemd-cryptenroll --tpm2-device {{auto|path/to/tpm2_block_device}} --tpm2-with-pin yes {{path/to/luks2_block_device}}


Remove all empty passwords/all passwords/all FIDO2 devices/all PKCS#11 tokens/all TPM2 security chips/all recovery keys/all methods:
systemd-cryptenroll --wipe-slot {{empty|password|fido2|pkcs#11|tpm2|recovery|all}} {{path/to/luks2_block_device}}

Code Snippets

Enroll a new password (similar to `cryptsetup luksAddKey`)

systemd-cryptenroll --password {{path/to/luks2_block_device}}

Enroll a new recovery key (i.e. a randomly generated passphrase that can be used as a fallback)

systemd-cryptenroll --recovery-key {{path/to/luks2_block_device}}

List available tokens, or enroll a new PKCS#11 token

systemd-cryptenroll --pkcs11-token-uri {{list|auto|pkcs11_token_uri}} {{path/to/luks2_block_device}}

List available FIDO2 devices, or enroll a new FIDO2 device (`auto` can be used as the device name when there is only one token plugged in)

systemd-cryptenroll --fido2-device {{list|auto|path/to/fido2_hidraw_device}} {{path/to/luks2_block_device}}

Enroll a new FIDO2 device with user verification (biometrics)

systemd-cryptenroll --fido2-device {{auto|path/to/fido2_hidraw_device}} --fido2-with-user-verification yes {{path/to/luks2_block_device}}

Context

tldr-pages: linux/systemd-cryptenroll

Revisions (0)

No revisions yet.