LinuxCommandLibrary

boltctl

Manage Thunderbolt devices

TLDR

List connected (and authorized) devices

$ boltctl

List connected devices, including unauthorized ones
$ boltctl list

Authorize a device temporarily
$ boltctl authorize [device_uuid]

Authorize and remember a device
$ boltctl enroll [device_uuid]

Revoke a previously authorized device
$ boltctl forget [device_uuid]

Show more information about a device
$ boltctl info [device_uuid]

SYNOPSIS

boltctl [OPTIONS...] [{list|show|authorize|enroll|forget|policy}] [UUID|PATH]

PARAMETERS

-h, --help
    Print help text and exit

-v, --version
    Print boltctl version

--json[=STYLE]
    Produce JSON output; STYLE is one of auto, never, always

--no-pager
    Disable output paging

--path=PATH
    Select device by sysfs path

--uuid=UUID
    Select device by UUID

--application-id=ID
    Override D-Bus application ID

--device-tree
    Show hierarchical device tree

DESCRIPTION

boltctl is the command-line interface to the Bolt daemon, a user-space service for managing Thunderbolt and USB4 devices on Linux. Thunderbolt technology enables high-speed docking, eGPUs, and peripherals but introduces security risks via direct memory access (DMA). Bolt mitigates this by tracking devices, verifying their identity via unique UUIDs, and enforcing user authorization policies.

It lists connected devices with details like vendor, model, serial, status (authorized/unauthorized), and policy. Users can enroll devices for persistent authorization, authorize on-demand, forget devices, or adjust policies. Policies include auto (connect-time auth), manual (prompt user), secure (enroll with challenge-response), and none (no security).

boltctl requires the Bolt D-Bus service (enabled via systemd) and Polkit for privileged actions. Output is available as human-readable tables or as JSON for automation. It is essential on laptops and desktops with Thunderbolt ports for safely using external hardware without root access.

CAVEATS

Requires a running bolt daemon (systemctl start bolt.service). Some actions need Polkit authorization. Supports Intel and Apple controllers; AMD USB4 support is partial. Devices may appear unauthorized until enrolled.

COMMANDS

list: Enumerate all devices
show [UUID]: Device details
authorize UUID: Temporarily authorize
enroll UUID [--policy=POLICY]: Persist authorization
forget UUID: Revoke enrollment
policy UUID [POLICY]: Set policy

POLICIES

auto: Authorize on connect
manual: Prompt user each time
secure: Enroll with key challenge
none: Disable security
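
Added example (not from the original page or the bolt project): a POSIX shell audit that reads `boltctl list` text and flags devices that are connected without authorization or enrolled with the auto policy listed above. The field layout it parses and the sample devices are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Thunderbolt devices that are connected but not authorized,
# or enrolled with the "auto" policy. Assumes `boltctl list` prints one block per
# device with "name:", "uuid:", "status:" and (if enrolled) "policy:" fields.

# Constructed sample input standing in for `boltctl list` output.
sample_boltctl_list() {
cat <<'EOF'
 * Example Dock
   |- name:     Example Dock
   |- uuid:     00000000-0000-0000-0000-000000000001
   |- status:   authorized
      |- policy: auto
 * Unknown Adapter
   |- name:     Unknown Adapter
   |- uuid:     00000000-0000-0000-0000-000000000002
   |- status:   connected
 * Example eGPU
   |- name:     Example eGPU
   |- uuid:     00000000-0000-0000-0000-000000000003
   |- status:   authorized
      |- policy: manual
EOF
}

# Reads device blocks on stdin and prints one verdict line per device.
audit_bolt_devices() {
    awk '
    function field(key,   v) {   # value after "key:", tree glyphs ignored
        if (!match($0, key ":[ \t]+")) return ""
        v = substr($0, RSTART + RLENGTH); sub(/[ \t\r]+$/, "", v); return v
    }
    function report() {          # emit verdict for the device collected so far
        if (uuid == "") return
        if (status != "authorized") printf "UNAUTHORIZED %s %s (status=%s)\n", uuid, name, status
        else if (policy == "auto")  printf "AUTO-POLICY %s %s\n", uuid, name
        else                        printf "OK %s %s (policy=%s)\n", uuid, name, policy
        name = uuid = status = policy = ""
    }
    /name:/   { report(); name = field("name") }
    /uuid:/   { uuid = field("uuid") }
    /status:/ { status = field("status") }
    /policy:/ { policy = field("policy") }
    END       { report() }
    '
}

# On a real host: boltctl list | audit_bolt_devices
sample_boltctl_list | audit_bolt_devices
```

AUTO-POLICY lines mark devices that receive authorization on every connect without a prompt, so they are the entries to review against an inventory of trusted hardware.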

HISTORY

Developed in 2016 by the systemd community for Thunderbolt 3 security. Maintained by Collabora since 2018; version 0.10+ supports USB4. Integrated in major distros such as Fedora and Ubuntu.

SEE ALSO

systemctl(1), polkit(8), lsusb(1), udevadm(1)
