ZFS-TPM2-CLEAR-KEY(8) | System Manager's Manual | ZFS-TPM2-CLEAR-KEY(8) |

NAME
     zfs-tpm2-clear-key — rewrap ZFS dataset key in password and clear tzpfms TPM2 metadata

SYNOPSIS
     zfs-tpm2-clear-key dataset

DESCRIPTION
     After verifying dataset was encrypted with tzpfms backend TPM2:

     1.   zfs change-key -o keylocation=prompt -o keyformat=passphrase dataset,
     2.   clear the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.

     See zfs-tpm2-change-key(8) for a detailed description.
ENVIRONMENT VARIABLES
     TZPFMS_PASSPHRASE_HELPER
          Invoked as

                /bin/sh -c "$TZPFMS_PASSPHRASE_HELPER" "$TZPFMS_PASSPHRASE_HELPER" "prepared prompt" "target" "[new]" "[again]"

          The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The second argument contains either the dataset name or the element of the TPM hierarchy. The third argument is new if this is for a new passphrase, and the fourth is again if it's the second prompt for that passphrase. The first argument already contains all of this information, as a pre-formatted noun phrase.

          If the helper doesn't exist (the shell exits with 127), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

          An example value would be: 'systemd-ask-password --id="tzpfms:$2" "$1: "'.
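As an added illustration of the helper protocol described above (example code, not part of tzpfms): a caller-side sh function that runs $TZPFMS_PASSPHRASE_HELPER with the four positional arguments, takes its standard output as the passphrase minus at most one trailing new-line, falls back when the shell exits 127, and aborts on any other failure. The return codes 3 and 4 and the treatment of an unset variable as a missing helper are this example's own choices, not tzpfms behaviour.

```shell
#!/bin/sh
# Added example, not tzpfms code: a model of the TZPFMS_PASSPHRASE_HELPER
# protocol from the caller's side.
# Usage: run_passphrase_helper "prepared prompt" "target" "[new]" "[again]"
# Prints the passphrase on stdout and returns:
#   0   passphrase obtained from the helper
#   3   no usable helper (variable unset, or the shell exited 127):
#       the caller should fall back to its normal prompt
#   4   the helper failed for another reason: the caller should abort prompting
# Codes 3 and 4 and the unset-variable check are this example's own choices.
run_passphrase_helper() {
    prompt=$1 target=$2 new=$3 again=$4
    nl='
'
    # Treat an unset or empty variable like a helper that does not exist.
    [ -n "${TZPFMS_PASSPHRASE_HELPER:-}" ] || return 3

    # $0 is the helper text itself, $1..$4 are the protocol arguments.
    # A sentinel "x<status>" is appended inside the substitution so that the
    # exit status survives and $(...) cannot swallow trailing new-lines.
    out=$(/bin/sh -c "$TZPFMS_PASSPHRASE_HELPER" "$TZPFMS_PASSPHRASE_HELPER" \
              "$prompt" "$target" "$new" "$again"; printf 'x%d' "$?")
    status=${out##*x}
    out=${out%x*}

    # The protocol strips a single trailing new-line, if any, and nothing else.
    out=${out%"$nl"}

    case $status in
        0)   printf '%s' "$out"; return 0 ;;
        127) printf 'passphrase helper not found, using normal prompt\n' >&2; return 3 ;;
        *)   printf 'passphrase helper exited %s, aborting\n' "$status" >&2; return 4 ;;
    esac
}
```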
     The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).
SEE ALSO
     The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

     The TPM 2.0 specifications, mainly at https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf and related pages.

SPECIAL THANKS
     To all who support further development, in particular:

REPORTING BUGS
     https://todo.sr.ht/~nabijaczleweli/tzpfms
     ~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.

November 15, 2021 | tzpfms 0.1-14 |