latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

Q/FR: luks bind with key-files, pin config as file #445

Closed. felsgaertner closed this 5 months ago

felsgaertner commented 6 months ago

Hello,

two short questions, maybe feature requests:

1) clevis luks bind always asks for a passphrase that I have to enter manually. Is it possible to provide a key file instead of a passphrase, which would be cryptsetup's option --key-file?

2) As discussed in https://github.com/latchset/clevis/issues/444#issuecomment-1863071248, a config could become longer and therefore hard to read/verify. Is it possible to provide the pin config as a file? So e.g. if the config is a file instead of a JSON object, take the config parameter as a file name and use the file contents for jose etc.
Without that, one would have to do things like subshell expansion to compact a readable multi-line JSON file into a single string for the command line as a workaround, e.g. for SSS:

clevis luks bind -d /dev/DEVICE sss "$(jq -c . pinconfig.json)"

felsgaertner commented 6 months ago

With jq == https://github.com/jqlang/jq

sarroutbi commented 6 months ago

Hello @felsgaertner .

Yes, both should be possible. Indeed, it is being done in the clevis test suite: https://github.com/RedHat-SP-Security/clevis-tests/blob/master/Sanity/automate-clevis-luks-bind/runtest.sh#L60

Hope this helps

felsgaertner commented 5 months ago

Thanks, seems to be parameter -k for key files.
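An added example (not clevis code, and not from anyone in this thread) that ties the two points together: it reads a readable multi-line SSS pin config from a file, sanity-checks it, compacts it into the single JSON argument that the jq workaround above produces, and builds a non-interactive `clevis luks bind` command that reads the existing LUKS passphrase from a key file with `-k`. The sample config, the device path and the key-file path are constructed placeholders, and the validation rules are this example's own assumptions, not checks clevis performs.

```python
import json
import shlex

# Constructed sample SSS pin config (readable, multi-line, as it would sit in
# pinconfig.json); the tang URLs are placeholders, not real servers.
SAMPLE_PINCONFIG = """
{
  "t": 2,
  "pins": {
    "tang": [{"url": "http://tang1.example"}, {"url": "http://tang2.example"}],
    "tpm2": {"pcr_ids": "7"}
  }
}
"""

def validate_sss_config(cfg):
    """Return a list of problems with an SSS pin config (empty when it looks sane)."""
    # These rules are this example's own sanity checks, not checks clevis performs.
    problems = []
    t, pins = cfg.get("t"), cfg.get("pins")
    if not isinstance(t, int) or t < 1:
        problems.append("'t' must be a positive integer")
    if not isinstance(pins, dict) or not pins:
        return problems + ["'pins' must be a non-empty object"]
    total = 0
    for name, val in pins.items():
        # a pin entry is either one config object or a list of config objects
        entries = val if isinstance(val, list) else [val]
        if not all(isinstance(e, dict) for e in entries):
            problems.append(f"pin {name!r}: every config must be an object")
        total += len(entries)
    if isinstance(t, int) and t > total:
        problems.append(f"threshold t={t} exceeds the {total} configured pin(s)")
    return problems

def bind_argv(device, keyfile, pin, config_text):
    """Build argv for a non-interactive 'clevis luks bind'."""
    # The file contents are compacted to one JSON argument (what the 'jq -c'
    # workaround does) and the existing LUKS passphrase is read from keyfile via -k.
    cfg = json.loads(config_text)
    if pin == "sss":
        problems = validate_sss_config(cfg)
        if problems:
            raise ValueError("; ".join(problems))
    compact = json.dumps(cfg, separators=(",", ":"))
    return ["clevis", "luks", "bind", "-d", device, "-k", keyfile, pin, compact]

if __name__ == "__main__":
    # shlex.join quotes the JSON so it survives the shell as a single argument
    print(shlex.join(bind_argv("/dev/DEVICE", "/root/luks.key", "sss", SAMPLE_PINCONFIG)))
```

Running it prints a ready-to-paste command; the quoting is what makes the compacted JSON arrive at clevis as one argument regardless of spaces or glob characters in the config.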