ZFS-TPM2-CLEAR-KEY(8) System Manager's Manual ZFS-TPM2-CLEAR-KEY(8)

zfs-tpm2-clear-key - rewrap ZFS dataset key in password and clear tzpfms TPM2 metadata

zfs-tpm2-clear-key dataset

After verifying that dataset was encrypted with the tzpfms backend, this command:

  1. performs the equivalent of zfs change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. frees the sealed key previously used to encrypt dataset,
  3. removes the xyz.nabijaczleweli:tzpfms.{backend, key} properties from dataset.

See zfs-tpm2-change-key(8) for a detailed description.
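The three steps above leave a checkable end state: the two xyz.nabijaczleweli:tzpfms.* properties are gone and the key is back to keylocation=prompt, keyformat=passphrase. The following script is an added example, not part of tzpfms or its man page; it classifies a dataset from the tab-separated "property<TAB>value" lines that zfs get -H -o property,value prints ("-" meaning unset). The function names tzpfms_state and check_dataset, the three state labels and all sample values are constructed for this example; the property names come from the text above.

```shell
#!/bin/sh
# Added example, not part of tzpfms: classify a dataset's key state from
#   zfs get -H -o property,value \
#     keylocation,keyformat,xyz.nabijaczleweli:tzpfms.backend,xyz.nabijaczleweli:tzpfms.key DATASET
# which prints one "property<TAB>value" line per property, "-" when unset.

# tzpfms_state: reads "property<TAB>value" lines on stdin and prints one of
#   cleared      - no tzpfms properties, keylocation=prompt, keyformat=passphrase
#                  (the state zfs-tpm2-clear-key leaves behind)
#   tzpfms       - both tzpfms properties present
#   inconsistent - anything else, e.g. only one of the two properties remains
tzpfms_state() {
    awk -F '\t' '
        function isset(v) { return v != "" && v != "-" }
        $1 == "keylocation"                       { kl = $2 }
        $1 == "keyformat"                         { kf = $2 }
        $1 == "xyz.nabijaczleweli:tzpfms.backend" { be = $2 }
        $1 == "xyz.nabijaczleweli:tzpfms.key"     { key = $2 }
        END {
            if (isset(be) && isset(key))
                print "tzpfms"
            else if (!isset(be) && !isset(key) && kl == "prompt" && kf == "passphrase")
                print "cleared"
            else
                print "inconsistent"
        }'
}

# check_dataset DATASET: the live form, run against a real pool.
check_dataset() {
    zfs get -H -o property,value \
        keylocation,keyformat,xyz.nabijaczleweli:tzpfms.backend,xyz.nabijaczleweli:tzpfms.key \
        "$1" | tzpfms_state
}

# Constructed samples standing in for zfs get output; the backend and key
# values are placeholders, not real tzpfms values or TPM handles.
still_sealed=$(printf 'keylocation\tprompt\nkeyformat\traw\nxyz.nabijaczleweli:tzpfms.backend\tTPM2\nxyz.nabijaczleweli:tzpfms.key\tCONSTRUCTED-KEY-REF\n')
cleared=$(printf 'keylocation\tprompt\nkeyformat\tpassphrase\nxyz.nabijaczleweli:tzpfms.backend\t-\nxyz.nabijaczleweli:tzpfms.key\t-\n')
half_cleared=$(printf 'keylocation\tprompt\nkeyformat\tpassphrase\nxyz.nabijaczleweli:tzpfms.backend\tTPM2\nxyz.nabijaczleweli:tzpfms.key\t-\n')

printf '%s\n' "$still_sealed" | tzpfms_state    # tzpfms
printf '%s\n' "$cleared" | tzpfms_state         # cleared
printf '%s\n' "$half_cleared" | tzpfms_state    # inconsistent
```

The "inconsistent" label is the one worth watching for: it is what a dataset looks like if the properties and the key format do not agree, which is exactly the case a quick `zfs get` eyeballing tends to miss.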

If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run as
/bin/sh -c "$TZPFMS_PASSPHRASE_HELPER" "$TZPFMS_PASSPHRASE_HELPER" "prepared prompt" "target" "[new]" "[again]"
to provide a passphrase, instead of reading from the standard input.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The second argument contains either the dataset name or the element of the TPM hierarchy. The third argument is new if this is for a new passphrase, and the fourth is again if it's the second prompt for that passphrase. The first argument already contains all of this information, as a pre-formatted noun phrase.

If the helper doesn't exist (the shell exits with ), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

An example value would be: 'systemd-ask-password --id="tzpfms:$2" "$1: "'.
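To make the helper contract above concrete, here is an added example (not tzpfms code) of a small driver that invokes TZPFMS_PASSPHRASE_HELPER with the exact argument layout given above and applies the same output rules: the whole of standard output is the passphrase minus one trailing newline, a helper that does not exist falls back to the normal prompt, and any other failure aborts. The function name run_helper, the PASSPHRASE variable, the return codes 1 and 2 and the three helper snippets are constructed for this example; the missing-helper case is recognised by the shell's command-not-found status, 127 in POSIX sh, which the text above does not spell out.

```shell
#!/bin/sh
# Added example, not part of tzpfms: run a TZPFMS_PASSPHRASE_HELPER the way the
# man page describes and apply its output and exit-status rules. A real helper
# would be something like
#   TZPFMS_PASSPHRASE_HELPER='systemd-ask-password --id="tzpfms:$2" "$1: "'

nl='
'   # a literal newline, used to strip exactly one trailing newline

# run_helper PROMPT TARGET [new] [again]
#   Sets PASSPHRASE from the helper's entire stdout minus one trailing newline.
#   Returns 0 on success, 1 when the helper does not exist (caller falls back
#   to the normal prompt), 2 for any other failure (prompting aborts).
run_helper() {
    # The snippet is both the -c command and $0; the four prompt args follow.
    # A marker appended after the output keeps $(...) from eating trailing
    # newlines and carries the helper's exit status out of the subshell.
    out=$(
        /bin/sh -c "$TZPFMS_PASSPHRASE_HELPER" "$TZPFMS_PASSPHRASE_HELPER" \
            "$1" "$2" "$3" "$4" && rc=0 || rc=$?
        printf '\nRC=%s' "$rc"
    )
    rc=${out##*RC=}
    out=${out%"${nl}RC=$rc"}
    PASSPHRASE=''
    if [ "$rc" -eq 127 ]; then   # POSIX sh: command not found
        echo "passphrase helper not found; using the normal prompt" >&2
        return 1
    elif [ "$rc" -ne 0 ]; then
        echo "passphrase helper failed (status $rc); aborting" >&2
        return 2
    fi
    case "$out" in *"$nl") out=${out%"$nl"} ;; esac
    PASSPHRASE=$out
    return 0
}

# Constructed helper snippets. The first stands in for an interactive prompt
# and answers with a fixed string per call type (so its replies can be
# inspected); the second names a command that is not installed; the third
# fails outright.
helper_ok='case "$3$4" in
    newagain) printf "confirm-%s\n" "$2" ;;
    new)      printf "new-%s\n" "$2" ;;
    *)        printf "unlock-%s\n" "$2" ;;
esac'
helper_missing='definitely-not-installed-helper "$1"'
helper_failing='exit 3'

demo() {
    TZPFMS_PASSPHRASE_HELPER=$helper_ok
    run_helper "Passphrase for tank/secret" tank/secret && echo "got: $PASSPHRASE"
    run_helper "New passphrase for tank/secret" tank/secret new && echo "got: $PASSPHRASE"
    run_helper "New passphrase for tank/secret (again)" tank/secret new again && echo "got: $PASSPHRASE"
    TZPFMS_PASSPHRASE_HELPER=$helper_missing
    run_helper "Passphrase for tank/secret" tank/secret || echo "run_helper returned $?"
    TZPFMS_PASSPHRASE_HELPER=$helper_failing
    run_helper "Passphrase for tank/secret" tank/secret || echo "run_helper returned $?"
}
demo
```

Two details are easy to get wrong when writing a helper of your own: the passphrase is everything the helper writes to standard output, so stray output from a wrapper script becomes part of the key; and only a single trailing newline is dropped, so a helper that prints a blank line after the secret changes the passphrase.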

Any of: , , WARNING, , , . Default: WARNING.

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

The TPM 2.0 specifications, mainly at https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf and related pages.

To all who support further development, in particular:

https://todo.sr.ht/~nabijaczleweli/tzpfms

~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.

https://git.sr.ht/~nabijaczleweli/tzpfms

November 15, 2021 tzpfms 0.1-14