There is a situation where there is no possibility to provide a PIN for "on the fly" decryption. You can perform "on the fly" encryption/decryption through next command:
$ echo "test" | clevis encrypt pkcs11 '{"uri":"pkcs11:?pin-value=000000"}' | clevis decrypt
test
However, taking into consideration that next command is completely valid:
echo "test" | clevis encrypt pkcs11 '{}' > test.jwe
An option should be provided in decryption to provide the PIN for unlocking:
echo "test" | clevis encrypt pkcs11 '{}' > test.jwe
$ cat test.jwe | clevis-decrypt
Using slot 0 with a present token (0x0)
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Unable to decrypt the JWK
Invalid PIN?
There is a situation where there is no possibility to provide a PIN for "on the fly" decryption. You can perform "on the fly" encryption/decryption through next command:
However, taking into consideration that next command is completely valid:
An option should be provided in decryption to provide the PIN for unlocking: