ZFS-TPM2-CLEAR-KEY(8) | System Manager's Manual | ZFS-TPM2-CLEAR-KEY(8)
zfs-tpm2-clear-key - rewrap ZFS dataset key in password and clear tzpfms TPM2 metadata
zfs-tpm2-clear-key dataset
After verifying dataset was encrypted with tzpfms backend TPM2:
zfs change-key -o keylocation=prompt -o keyformat=passphrase dataset,
xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.
See zfs-tpm2-change-key(8) for a detailed description.
TZPFMS_PASSPHRASE_HELPER sh -c to provide a passphrase, instead of reading from the standard input stream.
The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The arguments are:
If the helper doesn't exist (the shell exits with 127), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.
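The helper contract described above can be modelled in a few lines of shell. This is an added example, not code from tzpfms: run_helper, describe, helper_passphrase and the return codes 0/1/2 are hypothetical, the helper commands are constructed, and the helper is run without arguments because the argument list is not given here.

```sh
#!/bin/sh
# Added model of the TZPFMS_PASSPHRASE_HELPER contract; not tzpfms code.
# run_helper, describe, helper_passphrase and the codes 0/1/2 are hypothetical.
# Assumption: the helper gets no arguments (the argument list is not shown above).

NL='
'

# run_helper CMD: runs CMD through "sh -c" and classifies the outcome.
#   0: helper succeeded, passphrase is in $helper_passphrase
#   2: shell exited with 127 (helper not found): caller falls back to the prompt
#   1: any other failure: caller aborts the prompting
run_helper() {
	helper_passphrase=
	# $(...) strips every trailing new-line, so a sentinel character is appended
	# to keep the helper's stdout intact; stderr is left alone for diagnostics.
	_raw=$(sh -c "$1" && _rc=0 || _rc=$?; printf x; exit "$_rc") && _rc=0 || _rc=$?
	case $_rc in
		0)   ;;
		127) return 2 ;;   # indistinguishable from a helper that itself exits 127
		*)   return 1 ;;
	esac
	_raw=${_raw%x}                     # drop the sentinel
	helper_passphrase=${_raw%"$NL"}    # drop exactly one trailing new-line, if any
	return 0
}

# describe CMD: one-line summary of what the caller would do next.
describe() {
	run_helper "$1" && _st=0 || _st=$?
	case $_st in
		0) printf 'use %d-character passphrase\n' "${#helper_passphrase}" ;;
		2) printf 'fall back to prompt\n' ;;
		*) printf 'abort\n' ;;
	esac
}

# Constructed helper commands:
describe "printf 'correct horse\n'"       # the final new-line is not part of the key
describe "echo 'unlocking...'; echo pw"   # progress text on stdout lands in the passphrase
describe "exit 3"                         # helper failed: abort
describe "tzpfms-no-such-helper-example"  # not found: shell exits 127
```

Because stdout is taken whole, a helper should send any progress or error text to stderr; the second case shows a status line silently becoming part of the passphrase.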
The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).
The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.
The TPM 2.0 specifications, mainly at https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf and related pages.
To all who support further development, in particular:
https://todo.sr.ht/~nabijaczleweli/tzpfms
~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.
November 20, 2021 | tzpfms 0.1-18