From 7dc56023f126240ad5a000a0866c4a8f89df29fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1=20autouploader?= Date: Sun, 25 Oct 2020 12:07:50 +0000 Subject: [PATCH] Manpage update by job 327356 --- index.txt | 1 + zfs-tpm1x-change-key.8 | 60 +++++++++ zfs-tpm1x-change-key.8.html | 186 +++++++++++++++++++++++++++ zfs-tpm1x-change-key.8.html_fragment | 105 +++++++++++++++ zfs-tpm1x-change-key.md | 89 +++++++++++++ zfs-tpm1x-clear-key.8 | 40 ++++++ zfs-tpm1x-clear-key.8.html | 139 ++++++++++++++++++++ zfs-tpm1x-clear-key.8.html_fragment | 59 +++++++++ zfs-tpm1x-clear-key.md | 51 ++++++++ zfs-tpm1x-load-key.8 | 41 ++++++ zfs-tpm1x-load-key.8.html | 145 +++++++++++++++++++++ zfs-tpm1x-load-key.8.html_fragment | 64 +++++++++ zfs-tpm1x-load-key.md | 56 ++++++++ 13 files changed, 1036 insertions(+) create mode 100644 zfs-tpm1x-change-key.8 create mode 100644 zfs-tpm1x-change-key.8.html create mode 100644 zfs-tpm1x-change-key.8.html_fragment create mode 100644 zfs-tpm1x-change-key.md create mode 100644 zfs-tpm1x-clear-key.8 create mode 100644 zfs-tpm1x-clear-key.8.html create mode 100644 zfs-tpm1x-clear-key.8.html_fragment create mode 100644 zfs-tpm1x-clear-key.md create mode 100644 zfs-tpm1x-load-key.8 create mode 100644 zfs-tpm1x-load-key.8.html create mode 100644 zfs-tpm1x-load-key.8.html_fragment create mode 100644 zfs-tpm1x-load-key.md diff --git a/index.txt b/index.txt index f83ce9f..befd9ee 100644 --- a/index.txt +++ b/index.txt @@ -3,6 +3,7 @@ zfs-tpm2-load-key(8) zfs-tpm2-load-key.8.ronn zfs-tpm2-clear-key(8) zfs-tpm2-clear-key.8.ronn zfs(8) https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html +tcsd(8) https://manpages.debian.org/bullseye/trousers/tcsd.8.en.html tpm2_unseal(1) https://manpages.debian.org/bullseye/tpm2-tools/tpm2_unseal.1.en.html ESYS_CONTEXT(3) https://www.mankier.com/3/ESYS_CONTEXT diff --git a/zfs-tpm1x-change-key.8 b/zfs-tpm1x-change-key.8 new file mode 100644 index 0000000..1854aac --- /dev/null 
+++ b/zfs-tpm1x-change-key.8 
@@ -0,0 +1,60 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM1X\-CHANGE\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm1x\-change\-key\fR \- change ZFS dataset key to one stored on the TPM +.SH "SYNOPSIS" +\fBzfs\-tpm1x\-change\-key\fR [\-b file] \fIdataset\fR +.SH "DESCRIPTION" +To normalise \fBdataset\fR, zfs\-tpm1x\-change\-key(8) will open its encryption root in its stead\. zfs\-tpm1x\-change\-key(8) will \fInever\fR create or destroy encryption roots; use \fBzfs(8) change\-key\fR for that\. +.P +First, a connection is made to the TPM, which \fImust\fR be TPM\-1\.X\-compatible\. +.P +If \fBdataset\fR was previously encrypted with tzpfms and the \fITPM1\.X\fR back\-end was used, the metadata will be silently cleared\. Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream\. +.P +Next, a new wrapping key is be generated on the TPM, optionally backed up (see \fIOPTIONS\fR), and sealed on the TPM; if the SRK passphrase, set when taking ownership, is not "well\-known" (all zeroes), the user is prompted for it; the user is always prompted for an optional passphrase to protect the key with\. +.P +The following properties are set on \fBdataset\fR: +.IP "\[ci]" 4 +\fBxyz\.nabijaczleweli:tzpfms\.backend\fR=\fBTPM1\.X\fR +.IP "\[ci]" 4 +\fBxyz\.nabijaczleweli:tzpfms\.key\fR=\fI(parent key blob)\fR\fB:\fR\fI(sealed object blob)\fR +.IP "" 0 +.P +\fBtzpfms\.backend\fR identifies this dataset for work with \fITPM1\.X\fR\-back\-ended tzpfms tools (namely zfs\-tpm1x\-change\-key(8), zfs\-tpm1x\-load\-key(8), and zfs\-tpm1x\-clear\-key(8))\. +.P +\fBtzpfms\.key\fR is a colon\-separated pair of hexadecimal\-string (i\.e\. 
"4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant \fICE4CF677875B5EB8993591D5A9AF1ED24A3A8736\fR; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant \fIB9EE715DBE4B243FAA81EA04306E063710383E35\fR\. There exists no other user\-land tool for decrypting this\. (TODO: make an LD_PRELOADable for extracting the key maybe) +.P +Finally, the equivalent of \fBzfs(8) change\-key \-o keylocation=prompt \-o keyformat=raw dataset\fR is performed with the new key\. If an error occurred, best effort is made to clean up the properties, or to issue a note for manual intervention into the standard error stream\. +.P +A final verification should be made by running \fBzfs\-tpm1x\-load\-key(8) \-n dataset\fR\. If that command succeeds, all is well, but otherwise the dataset can be manually rolled back to a password with \fBzfs\-tpm1x\-clear\-key(8) dataset\fR (or, if that fails to work, \fBzfs(8) change\-key \-o keyformat=passphrase dataset\fR), and you are hereby asked to report a bug, please\. +.P +\fBzfs\-tpm1x\-clear\-key(8) dataset\fR can be used to clear the properties and go back to using a password\. +.SH "OPTIONS" +.TP +\fB\-b\fR \fIfile\fR +Save a back\-up of the key to \fIfile\fR, which must not exist beforehand\. This back\-up \fBmust\fR be stored securely, off\-site\. In case of a catastrophic event, the key can be loaded by running \fBzfs(8) load\-key dataset < backup\-file\fR\. +.SH "TPM1\.X back\-end configuration" +.SS "TPM selection" +The tzpfms suite always connects to a local tcsd(8) process (at \fBlocalhost:30003\fR)\. +.P +The TrouSerS tcsd(8) daemon will try \fB/dev/tpm0\fR, then \fB/udev/tpm0\fR, then \fB/dev/tpm\fR; by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected\. 
+.SS "See also" +The TrouSerS project page at \fIhttps://sourceforge\.net/projects/trousers\fR\. +.P +The TPM 1\.2 main specification index at <\fIhttps://trustedcomputinggroup\.org/resource/tpm\-main\-specification\fR>\. +.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> diff --git a/zfs-tpm1x-change-key.8.html b/zfs-tpm1x-change-key.8.html new file mode 100644 index 0000000..5bf8b7c --- /dev/null +++ b/zfs-tpm1x-change-key.8.html @@ -0,0 +1,186 @@ + + + + + + zfs-tpm1x-change-key(8) - change ZFS dataset key to one stored on the TPM + + + + +
+ + + +
    +
  1. zfs-tpm1x-change-key(8)
  2. +
  3. +
  4. zfs-tpm1x-change-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm1x-change-key - change ZFS dataset key to one stored on the TPM +

+

SYNOPSIS

+ +

zfs-tpm1x-change-key [-b file] dataset

+ +

DESCRIPTION

+ +

To normalise dataset, zfs-tpm1x-change-key(8) will open its encryption root in its stead. +zfs-tpm1x-change-key(8) will never create or destroy encryption roots; use zfs(8) change-key for that.

+ +

First, a connection is made to the TPM, which must be TPM-1.X-compatible.

+ +

If dataset was previously encrypted with tzpfms and the TPM1.X back-end was used, the metadata will be silently cleared. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream.

+ +

Next, a new wrapping key is be generated on the TPM, optionally backed up (see OPTIONS), +and sealed on the TPM; +if the SRK passphrase, set when taking ownership, is not "well-known" (all zeroes), the user is prompted for it; +the user is always prompted for an optional passphrase to protect the key with.

+ +

The following properties are set on dataset:

+ + + +

tzpfms.backend identifies this dataset for work with TPM1.X-back-ended tzpfms tools +(namely zfs-tpm1x-change-key(8), zfs-tpm1x-load-key(8), and zfs-tpm1x-clear-key(8)).

+ +

tzpfms.key is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; +the first one represents the RSA key protecting the blob, +and it is protected with either the password, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; +the second represents the sealed object containing the wrapping key, +and is protected with the SHA1 constant B9EE715DBE4B243FAA81EA04306E063710383E35. +There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)

+ +

Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. +If an error occurred, best effort is made to clean up the properties, +or to issue a note for manual intervention into the standard error stream.

+ +

A final verification should be made by running zfs-tpm1x-load-key(8) -n dataset. +If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with zfs-tpm1x-clear-key(8) dataset (or, if that fails to work, zfs(8) change-key -o keyformat=passphrase dataset), and you are hereby asked to report a bug, please.

+ +

zfs-tpm1x-clear-key(8) dataset can be used to clear the properties and go back to using a password.

+ +

OPTIONS

+ +
+
+-b file +
+
Save a back-up of the key to file, which must not exist beforehand. +This back-up must be stored securely, off-site. +In case of a catastrophic event, the key can be loaded by running zfs(8) load-key dataset < backup-file.
+
+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ + + +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm1x-change-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm1x-change-key.8.html_fragment b/zfs-tpm1x-change-key.8.html_fragment new file mode 100644 index 0000000..e092a29 --- /dev/null +++ b/zfs-tpm1x-change-key.8.html_fragment @@ -0,0 +1,105 @@ +
+ +

NAME

+

+ zfs-tpm1x-change-key - change ZFS dataset key to one stored on the TPM +

+

SYNOPSIS

+ +

zfs-tpm1x-change-key [-b file] dataset

+ +

DESCRIPTION

+ +

To normalise dataset, zfs-tpm1x-change-key(8) will open its encryption root in its stead. +zfs-tpm1x-change-key(8) will never create or destroy encryption roots; use zfs(8) change-key for that.

+ +

First, a connection is made to the TPM, which must be TPM-1.X-compatible.

+ +

If dataset was previously encrypted with tzpfms and the TPM1.X back-end was used, the metadata will be silently cleared. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream.

+ +

Next, a new wrapping key is be generated on the TPM, optionally backed up (see OPTIONS), +and sealed on the TPM; +if the SRK passphrase, set when taking ownership, is not "well-known" (all zeroes), the user is prompted for it; +the user is always prompted for an optional passphrase to protect the key with.

+ +

The following properties are set on dataset:

+ + + +

tzpfms.backend identifies this dataset for work with TPM1.X-back-ended tzpfms tools +(namely zfs-tpm1x-change-key(8), zfs-tpm1x-load-key(8), and zfs-tpm1x-clear-key(8)).

+ +

tzpfms.key is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; +the first one represents the RSA key protecting the blob, +and it is protected with either the password, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; +the second represents the sealed object containing the wrapping key, +and is protected with the SHA1 constant B9EE715DBE4B243FAA81EA04306E063710383E35. +There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)

+ +

Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. +If an error occurred, best effort is made to clean up the properties, +or to issue a note for manual intervention into the standard error stream.

+ +

A final verification should be made by running zfs-tpm1x-load-key(8) -n dataset. +If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with zfs-tpm1x-clear-key(8) dataset (or, if that fails to work, zfs(8) change-key -o keyformat=passphrase dataset), and you are hereby asked to report a bug, please.

+ +

zfs-tpm1x-clear-key(8) dataset can be used to clear the properties and go back to using a password.

+ +

OPTIONS

+ +
+
+-b file +
+
Save a back-up of the key to file, which must not exist beforehand. +This back-up must be stored securely, off-site. +In case of a catastrophic event, the key can be loaded by running zfs(8) load-key dataset < backup-file.
+
+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ + + +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm1x-change-key.md b/zfs-tpm1x-change-key.md new file mode 100644 index 0000000..5f60917 --- /dev/null +++ b/zfs-tpm1x-change-key.md 
@@ -0,0 +1,89 @@ +zfs-tpm1x-change-key(8) -- change ZFS dataset key to one stored on the TPM +========================================================================== + +## SYNOPSIS + +`zfs-tpm1x-change-key` [-b file] + +## DESCRIPTION + +To normalise `dataset`, zfs-tpm1x-change-key(8) will open its encryption root in its stead. +zfs-tpm1x-change-key(8) will *never* create or destroy encryption roots; use **zfs(8) change-key** for that. + +First, a connection is made to the TPM, which *must* be TPM-1.X-compatible. + +If `dataset` was previously encrypted with tzpfms and the *TPM1.X* back-end was used, the metadata will be silently cleared. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream. + +Next, a new wrapping key is be generated on the TPM, optionally backed up (see [OPTIONS][]), +and sealed on the TPM; +if the SRK passphrase, set when taking ownership, is not "well-known" (all zeroes), the user is prompted for it; +the user is always prompted for an optional passphrase to protect the key with. + +The following properties are set on `dataset`: + + * `xyz.nabijaczleweli:tzpfms.backend`=`TPM1.X` + * `xyz.nabijaczleweli:tzpfms.key`=*(parent key blob)*`:`*(sealed object blob)* + +`tzpfms.backend` identifies this dataset for work with *TPM1.X*-back-ended tzpfms tools +(namely zfs-tpm1x-change-key(8), zfs-tpm1x-load-key(8), and zfs-tpm1x-clear-key(8)). + +`tzpfms.key` is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; +the first one represents the RSA key protecting the blob, +and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*; +the second represents the sealed object containing the wrapping key, +and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*. +There exists no other user-land tool for decrypting this. 
(TODO: make an LD_PRELOADable for extracting the key maybe) + +Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key. +If an error occurred, best effort is made to clean up the properties, +or to issue a note for manual intervention into the standard error stream. + +A final verification should be made by running **zfs-tpm1x-load-key(8) -n dataset**. +If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with **zfs-tpm1x-clear-key(8) dataset** (or, if that fails to work, **zfs(8) change-key -o keyformat=passphrase dataset**), and you are hereby asked to report a bug, please. + +**zfs-tpm1x-clear-key(8) dataset** can be used to clear the properties and go back to using a password. + +## OPTIONS + + * `-b` *file*: + Save a back-up of the key to *file*, which must not exist beforehand. + This back-up **must** be stored securely, off-site. + In case of a catastrophic event, the key can be loaded by running **zfs(8) load-key dataset < backup-file**. + +## TPM1.X back-end configuration + +### TPM selection + +The tzpfms suite always connects to a local tcsd(8) process (at `localhost:30003`). + +The TrouSerS tcsd(8) daemon will try `/dev/tpm0`, then `/udev/tpm0`, then `/dev/tpm`; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected. + +### See also + +The TrouSerS project page at . + +The TPM 1.2 main specification index at <>. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<> diff --git a/zfs-tpm1x-clear-key.8 b/zfs-tpm1x-clear-key.8 new file mode 100644 index 0000000..5b30614 --- /dev/null +++ b/zfs-tpm1x-clear-key.8 
@@ -0,0 +1,40 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM1X\-CLEAR\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm1x\-clear\-key\fR \- rewrap ZFS dataset key in passsword and clear tzpfms TPM1\.X metadata +.SH "SYNOPSIS" +\fBzfs\-tpm1x\-clear\-key\fR \fIdataset\fR +.SH "DESCRIPTION" +zfs\-tpm1x\-clear\-key(8), after verifying that \fBdataset\fR was encrypted with tzpfms backend \fITPM1\.X\fR will: +.IP "1." 4 +perform the equivalent of \fBzfs(8) change\-key \-o keylocation=prompt \-o keyformat=passphrase dataset\fR, +.IP "2." 4 +remove the \fBxyz\.nabijaczleweli:tzpfms\.{backend,key}\fR properties from \fBdataset\fR\. +.IP "" 0 +.P +See zfs\-tpm1x\-change\-key(8) for a detailed description\. +.SH "TPM1\.X back\-end configuration" +.SS "TPM selection" +The tzpfms suite always connects to a local tcsd(8) process (at \fBlocalhost:30003\fR)\. +.P +The TrouSerS tcsd(8) daemon will try \fB/dev/tpm0\fR, then \fB/udev/tpm0\fR, then \fB/dev/tpm\fR; by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected\. +.SS "See also" +The TrouSerS project page at \fIhttps://sourceforge\.net/projects/trousers\fR\. +.P +The TPM 1\.2 main specification index at <\fIhttps://trustedcomputinggroup\.org/resource/tpm\-main\-specification\fR>\. +.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> diff --git a/zfs-tpm1x-clear-key.8.html b/zfs-tpm1x-clear-key.8.html new file mode 100644 index 0000000..d09ca11 --- /dev/null +++ b/zfs-tpm1x-clear-key.8.html 
@@ -0,0 +1,139 @@ + + + + + + zfs-tpm1x-clear-key(8) - rewrap ZFS dataset key in passsword and clear tzpfms TPM1.X metadata + + + + +
+ + + +
    +
  1. zfs-tpm1x-clear-key(8)
  2. +
  3. +
  4. zfs-tpm1x-clear-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm1x-clear-key - rewrap ZFS dataset key in passsword and clear tzpfms TPM1.X metadata +

+

SYNOPSIS

+ +

zfs-tpm1x-clear-key dataset

+ +

DESCRIPTION

+ +

zfs-tpm1x-clear-key(8), after verifying that dataset was encrypted with tzpfms backend TPM1.X will:

+ +
    +
  1. perform the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. +
  3. remove the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.
  4. +
+ +

See zfs-tpm1x-change-key(8) for a detailed description.

+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm1x-clear-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm1x-clear-key.8.html_fragment b/zfs-tpm1x-clear-key.8.html_fragment new file mode 100644 index 0000000..847d6fa --- /dev/null +++ b/zfs-tpm1x-clear-key.8.html_fragment @@ -0,0 +1,59 @@ +
+ +

NAME

+

+ zfs-tpm1x-clear-key - rewrap ZFS dataset key in passsword and clear tzpfms TPM1.X metadata +

+

SYNOPSIS

+ +

zfs-tpm1x-clear-key dataset

+ +

DESCRIPTION

+ +

zfs-tpm1x-clear-key(8), after verifying that dataset was encrypted with tzpfms backend TPM1.X will:

+ +
    +
  1. perform the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. +
  3. remove the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.
  4. +
+ +

See zfs-tpm1x-change-key(8) for a detailed description.

+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm1x-clear-key.md b/zfs-tpm1x-clear-key.md new file mode 100644 index 0000000..c9990f3 --- /dev/null +++ b/zfs-tpm1x-clear-key.md @@ -0,0 +1,51 @@ +zfs-tpm1x-clear-key(8) -- rewrap ZFS dataset key in passsword and clear tzpfms TPM1.X metadata +============================================================================================== + +## SYNOPSIS + +`zfs-tpm1x-clear-key` + +## DESCRIPTION + +zfs-tpm1x-clear-key(8), after verifying that `dataset` was encrypted with tzpfms backend *TPM1.X* will: + + 1. perform the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset**, + 2. remove the `xyz.nabijaczleweli:tzpfms.{backend,key}` properties from `dataset`. + +See zfs-tpm1x-change-key(8) for a detailed description. + +## TPM1.X back-end configuration + +### TPM selection + +The tzpfms suite always connects to a local tcsd(8) process (at `localhost:30003`). + +The TrouSerS tcsd(8) daemon will try `/dev/tpm0`, then `/udev/tpm0`, then `/dev/tpm`; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected. + +### See also + +The TrouSerS project page at . + +The TPM 1.2 main specification index at <>. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<> diff --git a/zfs-tpm1x-load-key.8 b/zfs-tpm1x-load-key.8 new file mode 100644 index 0000000..edbe7a0 --- /dev/null +++ b/zfs-tpm1x-load-key.8 
@@ -0,0 +1,41 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM1X\-LOAD\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm1x\-load\-key\fR \- load tzpfms TPM1\.X\-encrypted ZFS dataset key +.SH "SYNOPSIS" +\fBzfs\-tpm1x\-load\-key\fR [\-n] \fIdataset\fR +.SH "DESCRIPTION" +zfs\-tpm1x\-load\-key(8), after verifying that \fBdataset\fR was encrypted with tzpfms backend \fITPM1\.X\fR will unseal the key and load it into \fBdataset\fR\. +.P +The user is prompted for, first, the SRK passphrase, set when taking ownership, if it\'s not "well\-known" (all zeroes), then the additional passphrase set when creating the key, if it was provided\. +.P +See zfs\-tpm1x\-change\-key(8) for a detailed description\. +.SH "OPTIONS" +.TP +\fB\-n\fR +Do a no\-op/dry run, can be used even if the key is already loaded\. Equivalent to \fBzfs(8) load\-key\fR\'s \fB\-n\fR option\. +.SH "TPM1\.X back\-end configuration" +.SS "TPM selection" +The tzpfms suite always connects to a local tcsd(8) process (at \fBlocalhost:30003\fR)\. +.P +The TrouSerS tcsd(8) daemon will try \fB/dev/tpm0\fR, then \fB/udev/tpm0\fR, then \fB/dev/tpm\fR; by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected\. +.SS "See also" +The TrouSerS project page at \fIhttps://sourceforge\.net/projects/trousers\fR\. +.P +The TPM 1\.2 main specification index at <\fIhttps://trustedcomputinggroup\.org/resource/tpm\-main\-specification\fR>\. +.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> 
diff --git a/zfs-tpm1x-load-key.8.html b/zfs-tpm1x-load-key.8.html new file mode 100644 index 0000000..f700a7f --- /dev/null +++ b/zfs-tpm1x-load-key.8.html @@ -0,0 +1,145 @@ + + + + + + zfs-tpm1x-load-key(8) - load tzpfms TPM1.X-encrypted ZFS dataset key + + + + +
+ + + +
    +
  1. zfs-tpm1x-load-key(8)
  2. +
  3. +
  4. zfs-tpm1x-load-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm1x-load-key - load tzpfms TPM1.X-encrypted ZFS dataset key +

+

SYNOPSIS

+ +

zfs-tpm1x-load-key [-n] dataset

+ +

DESCRIPTION

+ +

zfs-tpm1x-load-key(8), after verifying that dataset was encrypted with tzpfms backend TPM1.X will unseal the key and load it into dataset.

+ +

The user is prompted for, first, the SRK passphrase, set when taking ownership, if it's not "well-known" (all zeroes), +then the additional passphrase set when creating the key, if it was provided.

+ +

See zfs-tpm1x-change-key(8) for a detailed description.

+ +

OPTIONS

+ +
+
-n
+
Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to zfs(8) load-key's -n option.
+
+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm1x-load-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm1x-load-key.8.html_fragment b/zfs-tpm1x-load-key.8.html_fragment new file mode 100644 index 0000000..d236e97 --- /dev/null +++ b/zfs-tpm1x-load-key.8.html_fragment @@ -0,0 +1,64 @@ +
+ +

NAME

+

+ zfs-tpm1x-load-key - load tzpfms TPM1.X-encrypted ZFS dataset key +

+

SYNOPSIS

+ +

zfs-tpm1x-load-key [-n] dataset

+ +

DESCRIPTION

+ +

zfs-tpm1x-load-key(8), after verifying that dataset was encrypted with tzpfms backend TPM1.X will unseal the key and load it into dataset.

+ +

The user is prompted for, first, the SRK passphrase, set when taking ownership, if it's not "well-known" (all zeroes), +then the additional passphrase set when creating the key, if it was provided.

+ +

See zfs-tpm1x-change-key(8) for a detailed description.

+ +

OPTIONS

+ +
+
-n
+
Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to zfs(8) load-key's -n option.
+
+ +

TPM1.X back-end configuration

+ +

TPM selection

+ +

The tzpfms suite always connects to a local tcsd(8) process (at localhost:30003).

+ +

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

+ +

See also

+ +

The TrouSerS project page at https://sourceforge.net/projects/trousers.

+ +

The TPM 1.2 main specification index at <https://trustedcomputinggroup.org/resource/tpm-main-specification>.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm1x-load-key.md b/zfs-tpm1x-load-key.md new file mode 100644 index 0000000..5083757 --- /dev/null +++ b/zfs-tpm1x-load-key.md @@ -0,0 +1,56 @@ +zfs-tpm1x-load-key(8) -- load tzpfms TPM1.X-encrypted ZFS dataset key +===================================================================== + +## SYNOPSIS + +`zfs-tpm1x-load-key` [-n] + +## DESCRIPTION + +zfs-tpm1x-load-key(8), after verifying that `dataset` was encrypted with tzpfms backend *TPM1.X* will unseal the key and load it into `dataset`. + +The user is prompted for, first, the SRK passphrase, set when taking ownership, if it's not "well-known" (all zeroes), +then the additional passphrase set when creating the key, if it was provided. + +See zfs-tpm1x-change-key(8) for a detailed description. + +## OPTIONS + + * `-n`: + Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to **zfs(8) load-key**'s `-n` option. + +## TPM1.X back-end configuration + +### TPM selection + +The tzpfms suite always connects to a local tcsd(8) process (at `localhost:30003`). + +The TrouSerS tcsd(8) daemon will try `/dev/tpm0`, then `/udev/tpm0`, then `/dev/tpm`; +by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected. + +### See also + +The TrouSerS project page at . + +The TPM 1.2 main specification index at <>. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<>
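Review bot: in the index.txt hunk only tcsd(8) is added, and the visible context carries entries for zfs-tpm2-load-key(8) and zfs-tpm2-clear-key(8) but none for the three zfs-tpm1x-* pages this patch creates. If those are not already listed outside the shown context, add zfs-tpm1x-change-key(8), zfs-tpm1x-load-key(8) and zfs-tpm1x-clear-key(8) in the same form as the tpm2 entries so the cross-references between the new pages resolve.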
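Review bot: in zfs-tpm1x-change-key.8, the -b entry under OPTIONS does not say what the back-up file contains or how it is created. The recovery command it gives, zfs(8) load-key dataset < backup-file, together with keyformat=raw in DESCRIPTION, implies the file holds the raw wrapping key with no TPM or passphrase protection. Say so explicitly and document the mode the file is created with, so readers know that whoever can read the file can load the dataset key. The wording belongs in the .md source, with the .8 and HTML outputs regenerated.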
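Review bot: the DESCRIPTION paragraph beginning "Next, a new wrapping key is be generated on the TPM" in zfs-tpm1x-change-key.8.html has a stray "be"; it should read "is generated". The same sentence appears in the .8, .8.html_fragment and .md hunks for this page, so fix it once in the .md and regenerate. In the same pass, (i.e. "4F7730" for "Ow0") introduces an example and reads better with "e.g.".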
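Review bot: the tzpfms.key paragraph in zfs-tpm1x-change-key.md leaves the security consequence of the no-passphrase default unstated. It says the parent key is protected with "either the password, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736" and the sealed object with a second fixed constant, both printed in the page. Add a sentence stating what an unseal then requires when no passphrase is given and the SRK passphrase is the well-known one, which from this description is only access to the TPM through tcsd(8) and the property value. "the RSA key protecting the blob" should also name which blob it means, and the trailing "(TODO: make an LD_PRELOADable for extracting the key maybe)" is better tracked on the bug tracker than shipped in a man page.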
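Review bot: the title line of zfs-tpm1x-clear-key.md misspells "password" as "passsword" ("rewrap ZFS dataset key in passsword and clear tzpfms TPM1.X metadata"), and the typo is carried into the NAME section of the .8 and both HTML outputs, where a keyword search of page descriptions for "password" will not match it. Correct it in the .md and regenerate. The DESCRIPTION sentence "after verifying that dataset was encrypted with tzpfms backend TPM1.X will:" also needs a comma before "will" to close the parenthetical.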
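Review bot: in zfs-tpm1x-load-key.md, the -n entry ("Do a no-op/dry run, can be used even if the key is already loaded.") does not say whether the dry run still contacts the TPM, prompts for the passphrases and unseals the key. zfs-tpm1x-change-key(8) recommends zfs-tpm1x-load-key(8) -n dataset as the final verification step, so the page should state which of those steps -n performs; otherwise a reader cannot tell what a successful dry run proves. The sentence is also a comma splice and should be split after "run".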