Manpage update by job 1159361

This commit is contained in:
наб autouploader 2024-02-29 07:28:31 +00:00
parent 80e98ecac1
commit 9b09cb86fa
6 changed files with 428 additions and 57 deletions

Binary file not shown.

tzpfms.ps (196 changed lines)

@ -1,15 +1,15 @@
%!PS-Adobe-3.0
%%Creator: groff version 1.23.0
%%CreationDate: Thu Feb 29 01:12:30 2024
%%CreationDate: Thu Feb 29 07:28:31 2024
%%DocumentNeededResources: font Times-Roman
%%+ font Times-Bold
%%+ font Courier-Bold
%%+ font Courier-Oblique
%%+ font Times-Italic
%%+ font Courier
%%+ font Times-Italic
%%+ font Symbol
%%DocumentSuppliedResources: procset grops 1.23 0
%%Pages: 14
%%Pages: 15
%%PageOrder: Ascend
%%DocumentMedia: Default 595 842 0 () ()
%%Orientation: Portrait
@ -236,8 +236,8 @@ setpacking
%%IncludeResource: font Times-Bold
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier-Oblique
%%IncludeResource: font Times-Italic
%%IncludeResource: font Courier
%%IncludeResource: font Times-Italic
%%IncludeResource: font Symbol
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
@ -267,7 +267,7 @@ def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
/Courier@0 ENC0/Courier RE/Times-Italic@0 ENC0/Times-Italic RE
/Times-Italic@0 ENC0/Times-Italic RE/Courier@0 ENC0/Courier RE
/Courier-Oblique@0 ENC0/Courier-Oblique RE/Courier-Bold@0 ENC0
/Courier-Bold RE/Times-Bold@0 ENC0/Times-Bold RE/Times-Roman@0 ENC0
/Times-Roman RE
@ -276,18 +276,108 @@ def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF(ZFS-FIDO2-ADD-B)72 48 Q -.4(AC)-.35 G 42.103
(KUP\(8\) System).4 F(Manager')2.5 E 2.5(sM)-.55 G 39.602
(anual ZFS-FIDO2-ADD-B)-2.5 F -.4(AC)-.35 G(KUP\(8\)).4 E/F1 10
/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-fido2-add-backup)108 96 Q F0 2.5<8a61>2.5 G(llo)-2.5 E 2.5(wa)-.25
G(nother FIDO2 de)-2.5 E(vice to unlock ZFS dataset)-.25 E F1(SYNOPSIS)
72 112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q/F3 10/Courier-Oblique@0
SF(dataset)2.5 E F1(DESCRIPTION)72 141.6 Q F0(After)108 153.6 Q/F4 10
/Courier@0 SF(zfs-fido2-change-key)7.564 E F0 5.064(\(8\) deri)B -.15
(ve)-.25 G 7.563(st).15 G 5.063(he k)-7.563 F 5.363 -.15(ey f)-.1 H
5.063(or a dataset from a FIDO2 de).15 F(vice,)-.25 E F2
(zfs-fido2-add-backup)108 165.6 Q F0(may be e)2.5 E -.15(xe)-.15 G
(cuted to e).15 E(xtend this to an)-.15 E 2.5(yn)-.15 G
(umber of additional de)-2.5 E(vices.)-.25 E 8.082
(First, the wrapping k)108 182.4 R 8.382 -.15(ey i)-.1 H 10.582(se).15 G
8.082(xtracted from the "primary" de)-10.732 F 8.082
(vice as normal during)-.25 F F4(zfs-fido2-load-key)108 194.4 Q F0 1.019
(\(8\), then a credential is made as-if during)B F4
(zfs-fido2-change-key)3.519 E F0(\(8\))A(\(e)108 206.4 Q 1.582
(xcept the "primary" de)-.15 F 1.582(vice is e)-.25 F 1.583
(xcluded from the search\); ho)-.15 F(we)-.25 E -.15(ve)-.25 G 2.383 -.4
(r, t).15 H(he).4 E F4(hmac-secret)4.083 E F0 1.583(is instead)4.083 F
.708(used as a symmetric AES-256-GCM \()108 218.4 R F4(EVP_CIPHER-AES)A
F0 .708(\(7ssl\)\) k)B 1.008 -.15(ey t)-.1 H 3.208(oe).15 G .708
(ncrypt the wrapping k)-3.208 F 1.007 -.15(ey d)-.1 H(i-).15 E
(rectly with a random IV)108 230.4 Q(.)-1.29 E(This turns the)108 247.2
Q F4(xyz.nabijaczleweli:tzpfms.key)2.5 E F0 -.25(va)2.5 G(riable into)
.25 E F3(salt)108 259.2 Q F2(:)A F3(credential-ID)A F2(:)A F3
(credential-public-key)A F0([)A F2(.)A F3(backup-salt)A F2(:)A F3
(backup-credential-ID)108 271.2 Q F2(:)A F3
(backup-credential-public-key)A F2(:)A F3(IV)A F2(:)A F3(encrypted-key)A
F0 1.666(]...)C F4(tzpfms.key)108 288 Q F0 2.238
(is actually a dot-separated list of de)4.738 F 2.238(vice b)-.25 F
4.738(undles. The)-.2 F 2.239(\214rst one is as-described in)4.738 F F4
(zfs-fido2-change-key)108 300 Q F0 5.181(\(8\). Subsequent)B 2.681
(ones also include \(identically-encoded\) IVs and en-)5.181 F
(crypted blobs.)108 312 Q F4(zfs-fido2-load-key)108 328.8 Q F0 .081
(\(8\) shops assertions around de)B .081(vices in a de)-.25 F .082
(vice-major order \212 depending on)-.25 F(de)108 340.8 Q
(vice numbering, a backup may be loaded e)-.25 E -.15(ve)-.25 G 2.5(ni)
.15 G 2.5(ft)-2.5 G(he primary de)-2.5 E(vice is present.)-.25 E F1
(ENVIR)72 357.6 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E F4
(TZPFMS_PASSPHRASE_HELPER)108 369.6 Q F0 .046(By def)133 381.6 R .045(a\
ult, passphrases are prompted for and read in on the standard output an\
d input streams.)-.1 F(If)5.045 E F4(TZPFMS_PASSPHRASE_HELPER)133 393.6
Q F0 1.595(is set and nonempty)4.095 F 4.096(,i)-.65 G 4.096(tw)-4.096 G
1.596(ill be run via)-4.096 F F4(/bin/)4.096 E F2 3.262(sh \255c)B F0
(to)4.096 E(pro)133 405.6 Q(vide each passphrase, instead.)-.15 E .643
(The standard output stream of the helper is tied to an anon)133 422.4 R
.643(ymous \214le and used in its entirety as)-.15 F(the passphrase, e)
133 434.4 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)143 446.4 Q F0
(Pre-formatted noun phrase with all the information belo)160 446.4 Q 1.3
-.65(w, f)-.25 H(or use as a prompt).65 E F4($2)143 458.4 Q F0
(Either the dataset name or the element of the TPM hierarch)160 458.4 Q
2.5(yb)-.05 G(eing prompted for)-2.5 E F4($3)143 470.4 Q F0("ne)160
470.4 Q(w" if this is for a ne)-.25 E 2.5(wp)-.25 G
(assphrase, otherwise blank)-2.5 E F4($4)143 482.4 Q F0("ag)160 482.4 Q
(ain" if it')-.05 E 2.5(st)-.55 G
(he second prompt for that passphrase, otherwise blank)-2.5 E .177
(If the helper doesn')133 499.2 R 2.677(te)-.18 G .177
(xist \(the shell e)-2.827 F .177(xits with)-.15 F F1(127)2.677 E F0
.178(\), a diagnostic is issued and the normal prompt)B(is used as f)133
511.2 Q 2.5(all-back. If)-.1 F(it f)2.5 E(ails for an)-.1 E 2.5(yo)-.15
G(ther reason, the prompting is aborted.)-2.5 E F1 1.666
(FIDO2 back-end con\214guration)72 528 R(En)87 540 Q(vir)-.4 E .625
(onment v)-.18 F(ariables)-.1 E F4(FIDO_DEBUG)108 552 Q F0
(If set, enables lib\214do2 deb)173 552 Q
(ug logging to the standard error stream.)-.2 E F1(De)87 568.8 Q .625
(vice selection)-.15 F F0 .727(When creating, the \214rst de)108 580.8 R
.727(vice which supports the)-.25 F F4(hmac-secret)3.226 E F0 -.15(ex)
3.226 G .726(tension is used.).15 F .726(When loading,)5.726 F
(the assertion is shopped around to e)108 592.8 Q -.15(ve)-.25 G
(ry such de).15 E(vice.)-.25 E F1 .625(See also)87 609.6 R F0
(The lib\214do2 documentation at https://de)108 621.6 Q -.15(ve)-.25 G
(lopers.yubico.com/lib\214do2/.).15 E F1 1.666(SPECIAL THANKS)72 638.4 R
F0 1.6 -.8(To a)108 650.4 T(ll who support further de).8 E -.15(ve)-.25
G(lopment, in particular:).15 E F1<83>128 662.4 Q F0(ThePhD)7.5 E F1<83>
128 674.4 Q F0(Embark Studios)7.5 E F1<83>128 686.4 Q F0(Jasper Bekk)7.5
E(ers)-.1 E F1<83>128 698.4 Q F0(EvModder)7.5 E F1(REPOR)72 715.2 Q
1.666(TING B)-.4 F(UGS)-.1 E F0(https://todo.sr)108 727.2 Q
(.ht/\001nabijaczle)-.55 E(weli/fzifdso)-.25 E F4
(\001nabijaczleweli/tzpfms@lists.sr.ht)108 744 Q F0 83.762(,a)C(rchi)
-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E(https://lists.sr)
108 756 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25 E(fzifdso 0)72
817.889 Q(February 29, 2024)153.568 E(1)183.837 E 0 Cg EP
%%Page: 1 2
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 41.363(ZFS-FIDO2-CHANGE-KEY\(8\) System)72 48 R
(Manager')2.5 E 2.5(sM)-.55 G 38.862(anual ZFS-FIDO2-CHANGE-KEY\(8\))
-2.5 F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0
SF(zfs-fido2-change-key)108 96 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)
-2.5 E .3 -.15(ey t)-.1 H 2.5(oo).15 G(ne authenticated by a FIDO2 de)
-2.5 E(vice)-.25 E F1(SYNOPSIS)72 112.8 Q F2(zfs-fido2-change-key)108
-2.5 E(vice)-.25 E F1(SYNOPSIS)72 112.8 Q F2(zfs-fido2-add-backup)108
124.8 Q F0([)2.5 E F2<ad62>1.666 E/F3 10/Courier-Oblique@0 SF
(backup-file)6 E F0(])A F3(dataset)2.5 E F1(DESCRIPTION)72 141.6 Q F0
2.867 -.8(To n)108 153.6 T 1.267(ormalise the).8 F F3(dataset)3.767 E F0
(,)A F2(zfs-fido2-change-key)3.766 E F0 1.266
(,)A F2(zfs-fido2-add-backup)3.766 E F0 1.266
(will open its encryption root in its stead.)3.766 F F2
(zfs-fido2-change-key)108 165.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
(zfs-fido2-add-backup)108 165.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
SF(ne)14.654 E(ver)-.15 E F0 12.154(create or destro)14.654 F 14.655(ye)
-.1 G 12.155(ncryption roots; use)-14.655 F/F5 10/Courier@0 SF
(zfs-change-key)108 177.6 Q F0(\(8\) for that.)A
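Review bot: the ZFS-FIDO2-CHANGE-KEY(8) page rendered in this hunk now names the wrong tool in its SYNOPSIS and DESCRIPTION: `F2(zfs-fido2-change-key)108` becomes `F2(zfs-fido2-add-backup)108`, and the sentences "will open its encryption root in its stead" and "will never create or destroy encryption roots" are likewise re-attributed (`(zfs-fido2-change-key)108 165.6 Q F0(will)` to `(zfs-fido2-add-backup)108 165.6 Q F0(will)`), even though the header line still says ZFS-FIDO2-CHANGE-KEY(8). This is what one gets when every .8 source is fed to a single groff run to build tzpfms.ps: an argument-less `.Nm` resolves to the first name defined in that run, which was zfs-fido2-change-key before this commit and is now zfs-fido2-add-backup, since it sorts first. Suggest rendering each page in its own groff invocation and concatenating the PostScript, or writing `.Nm zfs-fido2-change-key` explicitly wherever the name is printed. Also note the footer of the new page reads `fzifdso 0` / `February 29, 2024`, whereas the TPM pages in this file carry `tzpfms 0.3.4-10-g6a143b6`; confirm `.Os fzifdso 0` is the intended version string.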
@ -317,17 +407,19 @@ H .138(which is optionally back).15 F .138(ed up \(see)-.1 F F1(OPTIONS)
(wing properties are set on)-.25 E F3(dataset)2.5 E F0(:)A F1<83>128
345.6 Q F5(xyz.nabijaczleweli:tzpfms.backend)7.5 E F0(=)A F1(FIDO2)A<83>
128 357.6 Q F5(xyz.nabijaczleweli:tzpfms.key)7.5 E F0(=)A F3(salt)A F2
(:)A F3(credential-ID)A F2(:)A F3(credential-public-key)139 369.6 Q F5
(tzpfms.backend)108 386.4 Q F0 2.708(identi\214es this dataset for w)
5.208 F 2.707(ork with)-.1 F F1(FIDO2)5.207 E F0(-back-ended)A F2
(tzpfms)5.207 E F0 2.707(tools \(i.e.)5.207 F F2(fzifdso)108 398.4 Q F5
(zfs-fido2-change-key)36.505 E F0(\(8\),)A F5(zfs-fido2-load-key)33.005
E F0 30.505(\(8\), and)B F5(zfs-fido2-clear-key)108 410.4 Q F0(\(8\)\).)
A F5(tzpfms.key)108 427.2 Q F0 .486(is a colon-separated tuple of unpad\
ded URL-safe base64 blobs; the \214rst one is the ran-)2.986 F .217(dom\
salt; the second represents the ID of created credential, and the thir\
d \211 its public k)108 439.2 R -.15(ey)-.1 G 5.217(.T)-.5 G .217
(here e)-5.217 F(xists)-.15 E(no other user)108 451.2 Q
(:)A F3(credential-ID)A F2(:)A F3(credential-public-key)139 369.6 Q F0
([)A F2(.)A F0 1.666(...)1.666 G 1.666(]...)-1.666 G F5(tzpfms.backend)
108 386.4 Q F0 2.708(identi\214es this dataset for w)5.208 F 2.707
(ork with)-.1 F F1(FIDO2)5.207 E F0(-back-ended)A F2(tzpfms)5.207 E F0
2.707(tools \(i.e.)5.207 F F2(fzifdso)108 398.4 Q F5
(zfs-fido2-change-key)60.227 E F0(\(8\),)A F5(zfs-fido2-load-key)56.728
E F0(\(8\),)A F5(zfs-fido2-add-backup)108 410.4 Q F0(\(8\), and)A F5
(zfs-fido2-clear-key)2.5 E F0(\(8\)\).)A F5(tzpfms.key)108 427.2 Q F0
.486(is a colon-separated tuple of unpadded URL-safe base64 blobs; the \
\214rst one is the ran-)2.986 F .217(dom salt; the second represents th\
e ID of created credential, and the third \211 its public k)108 439.2 R
-.15(ey)-.1 G 5.217(.T)-.5 G .217(here e)-5.217 F(xists)-.15 E
(no other user)108 451.2 Q
(-land tool for deciphering this; perhaps there should be.)-.2 E
(Finally)108 468 Q 12.006(,t)-.65 G 9.506(he equi)-12.006 F -.25(va)-.25
G 9.506(lent of).25 F F2 9.505(zfs change-key)12.005 F<ad6f>17.171 E F5
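Review bot: the tzpfms.key description on the zfs-fido2-change-key(8) page is now incomplete. The property line grows the `[` `.` `...` `]...` suffix, but the sentence that follows still describes tzpfms.key as a colon-separated tuple of three blobs (salt, credential ID, public key) and says no other user-land tool decodes it. Add a sentence stating that further dot-separated bundles carrying an IV and an encrypted wrapping key may follow, and cross-reference zfs-fido2-add-backup(8), which this hunk already adds to the list of FIDO2-back-ended tools.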
@ -372,8 +464,8 @@ put and input streams.)-.1 F(If)5.045 E F5(TZPFMS_PASSPHRASE_HELPER)133
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F5($1)143 744 Q F0
(Pre-formatted noun phrase with all the information belo)160 744 Q 1.3
-.65(w, f)-.25 H(or use as a prompt).65 E(fzifdso 0)72 817.889 Q
(February 28, 2024)153.568 E(1)183.837 E 0 Cg EP
%%Page: 2 2
(February 29, 2024)153.568 E(1)183.837 E 0 Cg EP
%%Page: 2 3
%%BeginPageSetup
BP
%%EndPageSetup
@ -410,8 +502,8 @@ F0 1.6 -.8(To a)108 276 T(ll who support further de).8 E -.15(ve)-.25 G
(\001nabijaczleweli/tzpfms@lists.sr.ht)108 369.6 Q F0 83.762(,a)C(rchi)
-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E(https://lists.sr)
108 381.6 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25 E(fzifdso 0)72
817.889 Q(February 28, 2024)153.568 E(2)183.837 E 0 Cg EP
%%Page: 1 3
817.889 Q(February 29, 2024)153.568 E(2)183.837 E 0 Cg EP
%%Page: 1 4
%%BeginPageSetup
BP
%%EndPageSetup
@ -421,7 +513,7 @@ F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-fido2-clear-key)108 96 Q F0 3.587<8a72>3.588 G -.25(ew)-3.587 G
1.087(rap ZFS dataset k).25 F 1.387 -.15(ey i)-.1 H 3.587(np).15 G
(asssw)-3.587 E 1.087(ord and clear tzpfms FIDO2 meta-)-.1 F(data)108
108 Q F1(SYNOPSIS)72 124.8 Q F2(zfs-fido2-change-key)108 136.8 Q/F3 10
108 Q F1(SYNOPSIS)72 124.8 Q F2(zfs-fido2-add-backup)108 136.8 Q/F3 10
/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 153.6 Q F0
(After v)108 165.6 Q(erifying)-.15 E F3(dataset)2.5 E F0 -.1(wa)2.5 G
2.5(se).1 G(ncrypted with)-2.5 E F2(tzpfms)2.5 E F0(back)2.5 E(end)-.1 E
@ -478,7 +570,7 @@ F0 1.6 -.8(To a)108 540 T(ll who support further de).8 E -.15(ve)-.25 G
-83.763 E -.15(ve)-.25 G 83.762(da).15 G(t)-83.762 E(https://lists.sr)
108 645.6 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25 E(fzifdso 0)72
817.889 Q(February 28, 2024)153.568 E(1)183.837 E 0 Cg EP
%%Page: 1 4
%%Page: 1 5
%%BeginPageSetup
BP
%%EndPageSetup
@ -487,7 +579,7 @@ BP
(AD-KEY\(8\))-.35 E/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10
/Courier-Bold@0 SF(zfs-fido2-load-key)108 96 Q F0 2.5<8a6c>2.5 G
(oad FIDO2-encrypted ZFS dataset k)-2.5 E -.15(ey)-.1 G F1(SYNOPSIS)72
112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
F0(])A/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 141.6
Q F0 1.141(After v)108 153.6 R(erifying)-.15 E F3(dataset)3.641 E F0 -.1
(wa)3.641 G 3.641(se).1 G 1.141(ncrypted with)-3.641 F F2(tzpfms)3.641 E
@ -537,7 +629,7 @@ Q F0(Jasper Bekk)7.5 E(ers)-.1 E F1<83>128 470.4 Q F0(EvModder)7.5 E F1
-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E(https://lists.sr)
108 528 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25 E(fzifdso 0)72
817.889 Q(February 28, 2024)153.568 E(1)183.837 E 0 Cg EP
%%Page: 1 5
%%Page: 1 6
%%BeginPageSetup
BP
%%EndPageSetup
@ -545,7 +637,7 @@ BP
(Manager')2.5 E 2.5(sM)-.55 G 91.062(anual ZFS-TPM-LIST\(8\))-2.5 F/F1
10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-tpm-list)108 96 Q F0 2.5<8a70>2.5 G(rint dataset tzpfms metadata)
-2.5 E F1(SYNOPSIS)72 112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)
-2.5 E F1(SYNOPSIS)72 112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)
2.5 E F2<ad48>1.666 E F0 2.5(][)C F2<ad72>-.834 E F0(|)A F2<ad64>1.666 E
/F3 10/Courier-Oblique@0 SF(depth)6 E F0 2.5(][)C F2<ad61>-.834 E F0(|)A
F2<ad62>1.666 E F3(back-end)6 E F0 2.5(][)C F2<ad75>-.834 E F0(|)A F2
@ -591,28 +683,28 @@ listed \212 by def)108 307.2 R .966(ault, those managed by)-.1 F F2
G(re una)-2.5 E -.25(va)-.2 G(ilable.).25 E F2<ad6c>109.666 446.4 Q F0
(List only encryption roots whose k)185 446.4 Q -.15(ey)-.1 G 2.5(sa).15
G(re a)-2.5 E -.25(va)-.2 G(ilable.).25 E F1(EXAMPLES)72 463.2 Q F4($)
108 475.2 Q F2(zfs-fido2-change-key)6 E F4 72(NAME BACK-END)108 487.2 R
108 475.2 Q F2(zfs-fido2-add-backup)6 E F4 72(NAME BACK-END)108 487.2 R
18(KEYSTATUS COHERENT)12 F 36(tarta-zoot TPM1.X)108 499.2 R 18
(available yes)24 F 6(tarta-zoot/home TPM2)108 511.2 R 6
(unavailable yes)36 F($)108 535.2 Q F2 1.666
(zfs-fido2-change-key \255ad0)6 F F4 24(NAME BACK-END)108 547.2 R 6
(zfs-fido2-add-backup \255ad0)6 F F4 24(NAME BACK-END)108 547.2 R 6
(KEYSTATUS COHERENT)12 F 6(filling -)108 559.2 R 6(available yes)54 F($)
108 583.2 Q F2 1.666(zfs-fido2-change-key \255b)6 F F1(TPM2)6 E F4 72
108 583.2 Q F2 1.666(zfs-fido2-add-backup \255b)6 F F1(TPM2)6 E F4 72
(NAME BACK-END)108 595.2 R 18(KEYSTATUS COHERENT)12 F 6
(tarta-zoot/home TPM2)108 607.2 R 6(unavailable yes)36 F($)108 631.2 Q
F2 1.666(zfs-fido2-change-key \255ra)6 F F3(tarta-zoot)6 E F4 72
F2 1.666(zfs-fido2-add-backup \255ra)6 F F3(tarta-zoot)6 E F4 72
(NAME BACK-END)108 643.2 R 18(KEYSTATUS COHERENT)12 F 36
(tarta-zoot TPM1.X)108 655.2 R 18(available yes)24 F 6
(tarta-zoot/home TPM2)108 667.2 R 6(unavailable yes)36 F 12
(tarta-zoot/bkp -)108 679.2 R 18(available yes)54 F 18(tarta-zoot/vm -)
108 691.2 R 18(available yes)54 F($)108 715.2 Q F2 1.666
(zfs-fido2-change-key \255al)6 F F4 72(NAME BACK-END)108 727.2 R 6
(zfs-fido2-add-backup \255al)6 F F4 72(NAME BACK-END)108 727.2 R 6
(KEYSTATUS COHERENT)12 F 54(filling -)108 739.2 R 6(available yes)54 F
36(tarta-zoot TPM1.X)108 751.2 R 6(available yes)24 F 12
(tarta-zoot/bkp -)108 763.2 R 6(available yes)54 F 18(tarta-zoot/vm -)
108 775.2 R 6(available yes)54 F F0(tzpfms 0.3.4-10-g6a143b6)72 817.889
Q(December 4, 2022)83.023 E(1)183.842 E 0 Cg EP
%%Page: 2 6
%%Page: 2 7
%%BeginPageSetup
BP
%%EndPageSetup
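Review bot: the EXAMPLES section of ZFS-TPM-LIST(8) in this hunk now shows `zfs-fido2-add-backup -ad0`, `zfs-fido2-add-backup -b TPM2`, `zfs-fido2-add-backup -ra tarta-zoot` and `zfs-fido2-add-backup -al`, and its SYNOPSIS line is renamed the same way. Those are zfs-tpm-list options, and zfs-fido2-add-backup(8) takes only a dataset argument, so anyone copying an example from the PostScript or PDF build gets a command that cannot work. The old text had `zfs-fido2-change-key` in the same positions, so this is the concatenated-render `.Nm` problem rather than something this page introduces; in EXAMPLES the name should be literal (`.Dl zfs-tpm-list -ad0`, or `.Nm zfs-tpm-list`) so that it survives whatever build produces tzpfms.ps.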
@ -629,7 +721,7 @@ F0 83.762(,a)C(rchi)-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E
(https://lists.sr)108 201.6 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)
-.25 E(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q(December 4, 2022)83.023 E
(2)183.842 E 0 Cg EP
%%Page: 1 7
%%Page: 1 8
%%BeginPageSetup
BP
%%EndPageSetup
@ -638,14 +730,14 @@ BP
-2.5 F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0
SF(zfs-tpm1x-change-key)108 96 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)
-2.5 E .3 -.15(ey t)-.1 H 2.5(oo).15 G(ne stored on the TPM)-2.5 E F1
(SYNOPSIS)72 112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)2.5 E F2
(SYNOPSIS)72 112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)2.5 E F2
<ad62>1.666 E/F3 10/Courier-Oblique@0 SF(backup-file)6 E F0 2.5(][)C F2
<ad50>-.834 E F3(PCR)6 E F0([)A F2(,)A F3(PCR)A F0 1.666(]...)C(])-1.666
E F3(dataset)2.5 E F1(DESCRIPTION)72 141.6 Q F0 2.867 -.8(To n)108 153.6
T 1.267(ormalise the).8 F F3(dataset)3.767 E F0(,)A F2
(zfs-fido2-change-key)3.766 E F0 1.266
(zfs-fido2-add-backup)3.766 E F0 1.266
(will open its encryption root in its stead.)3.766 F F2
(zfs-fido2-change-key)108 165.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
(zfs-fido2-add-backup)108 165.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
SF(ne)14.654 E(ver)-.15 E F0 12.154(create or destro)14.654 F 14.655(ye)
-.1 G 12.155(ncryption roots; use)-14.655 F/F5 10/Courier@0 SF
(zfs-change-key)108 177.6 Q F0(\(8\) for that.)A
@ -737,7 +829,7 @@ F 4.096(,i)-.65 G 4.096(tw)-4.096 G 1.596(ill be run via)-4.096 F F5
133 744 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E(tzpfms 0.3.4-10-g6a143b6)72
817.889 Q(February 28, 2024)83.018 E(1)183.837 E 0 Cg EP
%%Page: 2 8
%%Page: 2 9
%%BeginPageSetup
BP
%%EndPageSetup
@ -791,7 +883,7 @@ F0 83.762(,a)C(rchi)-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E
r_TPM_2p0_Systems_v51.pdf, Section 2.3.4 "PCR Usage", T)108 475.2 Q
(able)-.8 E(1.)108 487.2 Q(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q
(February 28, 2024)83.018 E(2)183.837 E 0 Cg EP
%%Page: 1 9
%%Page: 1 10
%%BeginPageSetup
BP
%%EndPageSetup
@ -801,7 +893,7 @@ F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-tpm1x-clear-key)108 96 Q F0 3.008<8a72>3.008 G -.25(ew)-3.008 G
.508(rap ZFS dataset k).25 F .808 -.15(ey i)-.1 H 3.008(np).15 G(asssw)
-3.008 E .508(ord and clear tzpfms TPM1.X meta-)-.1 F(data)108 108 Q F1
(SYNOPSIS)72 124.8 Q F2(zfs-fido2-change-key)108 136.8 Q/F3 10
(SYNOPSIS)72 124.8 Q F2(zfs-fido2-add-backup)108 136.8 Q/F3 10
/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 153.6 Q F0
(After v)108 165.6 Q(erifying)-.15 E F3(dataset)2.5 E F0 -.1(wa)2.5 G
2.5(se).1 G(ncrypted with)-2.5 E F2(tzpfms)2.5 E F0(back)2.5 E(end)-.1 E
@ -843,7 +935,7 @@ F0 83.763(,a)C(rchi)-83.763 E -.15(ve)-.25 G 83.762(da).15 G(t)-83.762 E
(https://lists.sr)108 504 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25
E(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q(December 4, 2022)83.023 E(1)
183.842 E 0 Cg EP
%%Page: 1 10
%%Page: 1 11
%%BeginPageSetup
BP
%%EndPageSetup
@ -852,7 +944,7 @@ BP
(AD-KEY\(8\))-.35 E/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10
/Courier-Bold@0 SF(zfs-tpm1x-load-key)108 96 Q F0 2.5<8a6c>2.5 G
(oad TPM1.X-encrypted ZFS dataset k)-2.5 E -.15(ey)-.1 G F1(SYNOPSIS)72
112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
F0(])A/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 141.6
Q F0 .19(After v)108 153.6 R(erifying)-.15 E F3(dataset)2.69 E F0 -.1
(wa)2.69 G 2.69(se).1 G .19(ncrypted with)-2.69 F F2(tzpfms)2.69 E F0
@ -923,7 +1015,7 @@ F0 83.762(,a)C(rchi)-83.762 E -.15(ve)-.25 G 83.763(da).15 G(t)-83.763 E
(https://lists.sr)108 696 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)-.25
E(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q(December 4, 2022)83.023 E(1)
183.842 E 0 Cg EP
%%Page: 1 11
%%Page: 1 12
%%BeginPageSetup
BP
%%EndPageSetup
@ -932,15 +1024,15 @@ BP
F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-tpm2-change-key)108 96 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)-2.5
E .3 -.15(ey t)-.1 H 2.5(oo).15 G(ne stored on the TPM)-2.5 E F1
(SYNOPSIS)72 112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)2.5 E F2
(SYNOPSIS)72 112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)2.5 E F2
<ad62>1.666 E/F3 10/Courier-Oblique@0 SF(backup-file)6 E F0 2.5(][)C F2
<ad50>-.834 E F3(algorithm)6 E F2(:)A F3(PCR)A F0([)A F2(,)A F3(PCR)A F0
1.666(]...)C([)234 136.8 Q F2(+)A F3(algorithm)A F2(:)A F3(PCR)A F0([)A
F2(,)A F3(PCR)A F0 1.666(]...)C -3.332 1.666(]... [)-1.666 H F2<ad41>A
F0(]])A F3(dataset)2.5 E F1(DESCRIPTION)72 153.6 Q F0 4.32 -.8(To n)108
165.6 T(ormalise).8 E F3(dataset)5.22 E F0(,)A F2(zfs-fido2-change-key)
165.6 T(ormalise).8 E F3(dataset)5.22 E F0(,)A F2(zfs-fido2-add-backup)
5.22 E F0 2.719(will open its encryption root in its stead.)5.22 F F2
(zfs-fido2-change-key)108 177.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
(zfs-fido2-add-backup)108 177.6 Q F0(will)14.654 E/F4 10/Times-Italic@0
SF(ne)14.654 E(ver)-.15 E F0 12.154(create or destro)14.654 F 14.655(ye)
-.1 G 12.155(ncryption roots; use)-14.655 F/F5 10/Courier@0 SF
(zfs-change-key)108 189.6 Q F0(\(8\) for that.)A
@ -1037,7 +1129,7 @@ F0 4.983(", ")B F1(sha3_384)A F0(",)A(")203 751.2 Q F1(sha3-384)A F0
(", ")A F1(sha3_512)A F0(", or ")A F1(sha3-512)A F0
(", and must be supported by the TPM.)A(tzpfms 0.3.4-10-g6a143b6)72
817.889 Q(February 28, 2024)83.018 E(1)183.837 E 0 Cg EP
%%Page: 2 12
%%Page: 2 13
%%BeginPageSetup
BP
%%EndPageSetup
@ -1115,7 +1207,7 @@ E F3 1.666(SEE ALSO)72 616.8 R F4(tpm2_unseal)108 628.8 Q F0(\(1\))A
r_TPM_2p0_Systems_v51.pdf, Section 2.3.4 "PCR Usage", T)108 669.6 Q
(able)-.8 E(1.)108 681.6 Q(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q
(February 28, 2024)83.018 E(2)183.837 E 0 Cg EP
%%Page: 1 13
%%Page: 1 14
%%BeginPageSetup
BP
%%EndPageSetup
@ -1125,7 +1217,7 @@ F/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10/Courier-Bold@0 SF
(zfs-tpm2-clear-key)108 96 Q F0 2.5<8a72>2.5 G -.25(ew)-2.5 G
(rap ZFS dataset k).25 E .3 -.15(ey i)-.1 H 2.5(np).15 G(asssw)-2.5 E
(ord and clear tzpfms TPM2 metadata)-.1 E F1(SYNOPSIS)72 112.8 Q F2
(zfs-fido2-change-key)108 124.8 Q/F3 10/Courier-Oblique@0 SF(dataset)2.5
(zfs-fido2-add-backup)108 124.8 Q/F3 10/Courier-Oblique@0 SF(dataset)2.5
E F1(DESCRIPTION)72 141.6 Q F0(After v)108 153.6 Q(erifying)-.15 E F3
(dataset)2.5 E F0 -.1(wa)2.5 G 2.5(se).1 G(ncrypted with)-2.5 E F2
(tzpfms)2.5 E F0(back)2.5 E(end)-.1 E F1(TPM2)2.5 E F0(:)A 5
@ -1196,7 +1288,7 @@ F0 83.763(,a)C(rchi)-83.763 E -.15(ve)-.25 G 83.762(da).15 G(t)-83.762 E
(https://lists.sr)108 710.4 Q(.ht/\001nabijaczle)-.55 E(weli/tzpfms.)
-.25 E(tzpfms 0.3.4-10-g6a143b6)72 817.889 Q(December 4, 2022)83.023 E
(1)183.842 E 0 Cg EP
%%Page: 1 14
%%Page: 1 15
%%BeginPageSetup
BP
%%EndPageSetup
@ -1205,7 +1297,7 @@ BP
(AD-KEY\(8\))-.35 E/F1 10/Times-Bold@0 SF -.2(NA)72 84 S(ME).2 E/F2 10
/Courier-Bold@0 SF(zfs-tpm2-load-key)108 96 Q F0 2.5<8a6c>2.5 G
(oad TPM2-encrypted ZFS dataset k)-2.5 E -.15(ey)-.1 G F1(SYNOPSIS)72
112.8 Q F2(zfs-fido2-change-key)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
112.8 Q F2(zfs-fido2-add-backup)108 124.8 Q F0([)2.5 E F2<ad6e>1.666 E
F0(])A/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 141.6
Q F0 .864(After v)108 153.6 R(erifying)-.15 E F3(dataset)3.364 E F0 -.1
(wa)3.364 G 3.364(se).1 G .864(ncrypted with)-3.364 F F2(tzpfms)3.365 E
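Review bot: every remaining page in this file shows the same renamed synopsis: ZFS-FIDO2-CLEAR-KEY, ZFS-FIDO2-LOAD-KEY, ZFS-TPM1X-CHANGE-KEY, ZFS-TPM1X-CLEAR-KEY, ZFS-TPM1X-LOAD-KEY, ZFS-TPM2-CHANGE-KEY, ZFS-TPM2-CLEAR-KEY and ZFS-TPM2-LOAD-KEY each flip `F2(zfs-fido2-change-key)108 124.8 Q` (or `136.8 Q`) to `F2(zfs-fido2-add-backup)...`, and the two change-key pages additionally rename their "will open its encryption root" and "will never create or destroy encryption roots" sentences. None of these pages was ever zfs-fido2-change-key either, so the pre-existing render was already wrong and the fix belongs in the build of tzpfms.ps, not in the page sources: render each manual separately, or give `.Nm` an explicit argument wherever the tool name is printed.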

zfs-fido2-add-backup.8 (new file, 125 lines)

@ -0,0 +1,125 @@
.\" SPDX-License-Identifier: MIT
.
.Dd February 29, 2024
.ds doc-volume-operating-system
.Dt ZFS-FIDO2-ADD-BACKUP 8
.Os fzifdso 0
.
.Sh NAME
.Nm zfs-fido2-add-backup
.Nd allow another FIDO2 device to unlock ZFS dataset
.Sh SYNOPSIS
.Nm
.Ar dataset
.
.Sh DESCRIPTION
After
.Xr zfs-fido2-change-key 8
derives the key for a dataset from a FIDO2 device,
.Nm
may be executed to extend this to any number of additional devices.
.Pp
First, the wrapping key is extracted from the "primary" device as normal during
.Xr zfs-fido2-load-key 8 ,
then a credential is made as-if during
.Xr zfs-fido2-change-key 8
(except the "primary" device is excluded from the search);
however, the
.Ql hmac-secret
is instead used as a symmetric AES-256-GCM
.Pq Xr EVP_CIPHER-AES 7ssl
key to encrypt the wrapping key directly with a random IV.
.Pp
This turns the
.Li xyz.nabijaczleweli:tzpfms.key
variable into
.br
.Ar salt Ns Cm :\:\& Ns Ar credential-ID Ns Cm :\:\& Ns Ar credential-public-key Ns Oo Cm \&. Ns Ar backup-salt Ns Cm :\:\& Ns Ar backup-credential-ID Ns Cm :\:\& Ns Ar backup-credential-public-key Ns Cm :\:\& Ns Ar IV Ns Cm :\:\& Ns Ar encrypted-key Oc Ns
.Pp
.Li tzpfms.key
is actually a dot-separated list of device bundles.
The first one is as-described in
.Xr zfs-fido2-change-key 8 .
Subsequent ones also include (identically-encoded) IVs and encrypted blobs.
.Pp
.Xr zfs-fido2-load-key 8
shops assertions around devices in a device-major order \(em
depending on device numbering, a backup may be loaded even if the primary device is present.
.
.\" SPDX-License-Identifier: MIT
.
.Sh ENVIRONMENT VARIABLES
.Bl -tag -compact -width 4n
.It Ev TZPFMS_PASSPHRASE_HELPER
By default, passphrases are prompted for and read in on the standard output and input streams.
If
.Ev TZPFMS_PASSPHRASE_HELPER
is set and nonempty, it will be run via
.Pa /bin/ Ns Nm sh Fl c
to provide each passphrase, instead.
.Pp
The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any.
The arguments are:
.Bl -tag -compact -offset 2n -width ".Li $1"
.It Li $1
Pre-formatted noun phrase with all the information below, for use as a prompt
.\" Passphrase for tarta-zoot
.\" New passphrase for tarta-zoot (again)
.It Li $2
Either the dataset name or the element of the TPM hierarchy being prompted for
.It Li $3
.Qq new
if this is for a new passphrase, otherwise blank
.It Li $4
.Qq again
if it's the second prompt for that passphrase, otherwise blank
.El
.Pp
If the helper doesn't exist
.Pq the shell exits with Sy 127 ,
a diagnostic is issued and the normal prompt is used as fall-back.
If it fails for any other reason, the prompting is aborted.
.
.
.El
.
.\" SPDX-License-Identifier: MIT
.
.Sh FIDO2 back-end configuration
.Ss Environment variables
.Bl -tag -compact -width ".Ev FIDO_DEBUG"
.It Ev FIDO_DEBUG
If set, enables libfido2 debug logging to the standard error stream.
.El
.
.Ss Device selection
When creating, the first device which supports the
.Ql hmac-secret
extension is used.
When loading, the assertion is shopped around to every such device.
.
.Ss See also
The libfido2 documentation at
.Lk https:/\&/developers.yubico.com/libfido2/ .
.
.\" SPDX-License-Identifier: MIT
.
.Sh SPECIAL THANKS
To all who support further development, in particular:
.Bl -bullet -offset 4n -compact -width "@"
.It
ThePhD
.It
Embark Studios
.It
Jasper Bekkers
.It
EvModder
.El
.
.Sh REPORTING BUGS
.Lk https:/\&/todo.sr.ht/\(tinabijaczleweli/fzifdso
.Pp
.Mt \(tinabijaczleweli/tzpfms@lists.sr.ht ,
archived at
.Lk https:/\&/lists.sr.ht/\(tinabijaczleweli/tzpfms .
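Review bot: the DESCRIPTION gives the backup bundle fields `IV` and `encrypted-key` but says nothing about the AES-256-GCM authentication tag or additional authenticated data, and the tzpfms.key format otherwise has no independent decoder, so a reader auditing or re-implementing the format cannot tell whether `encrypted-key` is ciphertext followed by the tag, what IV length is used, or whether the bundle's salt and credential fields are bound as AAD. One sentence after `key to encrypt the wrapping key directly with a random IV.` would settle that. Smaller points: `$2` is described as `Either the dataset name or the element of the TPM hierarchy being prompted for`, which is the shared fragment's wording and does not apply to the FIDO2 tools; since the helper is run via `/bin/sh -c`, it is worth stating that `TZPFMS_PASSPHRASE_HELPER` is shell source (evaluated, not exec'd), as that is a security-relevant detail for anyone setting it from a unit file or wrapper; and the `.\" SPDX-License-Identifier: MIT` comment recurs three more times where the fragments were included. `.Os fzifdso 0` also makes this page's footer differ from the tzpfms pages; confirm that is intended.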

zfs-fido2-add-backup.8.html (new file, 153 lines)

@ -0,0 +1,153 @@
<!DOCTYPE html>
<html>
<!-- This is an automatically generated file. Do not edit.
SPDX-License-Identifier: MIT
-->
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
<title>ZFS-FIDO2-ADD-BACKUP(8)</title>
</head>
<body>
<table class="head">
<tr>
<td class="head-ltitle">ZFS-FIDO2-ADD-BACKUP(8)</td>
<td class="head-vol">System Manager's Manual</td>
<td class="head-rtitle">ZFS-FIDO2-ADD-BACKUP(8)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">zfs-fido2-add-backup</code> &#x2014;
<span class="Nd">allow another FIDO2 device to unlock ZFS dataset</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<table class="Nm">
<tr>
<td><code class="Nm">zfs-fido2-add-backup</code></td>
<td><var class="Ar">dataset</var></td>
</tr>
</table>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">After
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>
derives the key for a dataset from a FIDO2 device,
<code class="Nm">zfs-fido2-add-backup</code> may be executed to extend this
to any number of additional devices.</p>
<p class="Pp">First, the wrapping key is extracted from the &quot;primary&quot;
device as normal during
<a class="Xr" href="zfs-fido2-load-key.8.html">zfs-fido2-load-key(8)</a>,
then a credential is made as-if during
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>
(except the &quot;primary&quot; device is excluded from the search);
however, the &#x2018;<code class="Li">hmac-secret</code>&#x2019; is instead
used as a symmetric AES-256-GCM
(<a class="Xr" href="https://manpages.debian.org/bookworm/EVP_CIPHER-AES.7ssl">EVP_CIPHER-AES(7ssl)</a>)
key to encrypt the wrapping key directly with a random IV.</p>
<p class="Pp">This turns the
<code class="Li">xyz.nabijaczleweli:tzpfms.key</code> variable into
<br/>
<var class="Ar">salt</var><code class="Cm">:</code><var class="Ar">credential-ID</var><code class="Cm">:</code><var class="Ar">credential-public-key</var>[<code class="Cm">.</code><var class="Ar">backup-salt</var><code class="Cm">:</code><var class="Ar">backup-credential-ID</var><code class="Cm">:</code><var class="Ar">backup-credential-public-key</var><code class="Cm">:</code><var class="Ar">IV</var><code class="Cm">:</code><var class="Ar">encrypted-key</var>]&#x2026;</p>
<p class="Pp"><code class="Li">tzpfms.key</code> is actually a dot-separated
list of device bundles. The first one is as-described in
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>.
Subsequent ones also include (identically-encoded) IVs and encrypted
blobs.</p>
<p class="Pp"><a class="Xr" href="zfs-fido2-load-key.8.html">zfs-fido2-load-key(8)</a>
shops assertions around devices in a device-major order &#x2014; depending
on device numbering, a backup may be loaded even if the primary device is
present.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="ENVIRONMENT_VARIABLES"><a class="permalink" href="#ENVIRONMENT_VARIABLES">ENVIRONMENT
VARIABLES</a></h1>
<dl class="Bl-tag Bl-compact">
<dt id="TZPFMS_PASSPHRASE_HELPER"><a class="permalink" href="#TZPFMS_PASSPHRASE_HELPER"><code class="Ev">TZPFMS_PASSPHRASE_HELPER</code></a></dt>
<dd>By default, passphrases are prompted for and read in on the standard
output and input streams. If
<code class="Ev">TZPFMS_PASSPHRASE_HELPER</code> is set and nonempty, it
will be run via <span class="Pa">/bin/</span><code class="Nm">sh</code>
<code class="Fl">-c</code> to provide each passphrase, instead.
<p class="Pp">The standard output stream of the helper is tied to an
anonymous file and used in its entirety as the passphrase, except for a
trailing new-line, if any. The arguments are:</p>
<div class="Bd-indent">
<dl class="Bl-tag Bl-compact">
<dt id="$1"><a class="permalink" href="#$1"><code class="Li">$1</code></a></dt>
<dd>Pre-formatted noun phrase with all the information below, for use as a
prompt</dd>
<dt id="$2"><a class="permalink" href="#$2"><code class="Li">$2</code></a></dt>
<dd>Either the dataset name or the element of the TPM hierarchy being
prompted for</dd>
<dt id="$3"><a class="permalink" href="#$3"><code class="Li">$3</code></a></dt>
<dd>&quot;new&quot; if this is for a new passphrase, otherwise blank</dd>
<dt id="$4"><a class="permalink" href="#$4"><code class="Li">$4</code></a></dt>
<dd>&quot;again&quot; if it's the second prompt for that passphrase,
otherwise blank</dd>
</dl>
</div>
<p class="Pp" id="127">If the helper doesn't exist (the shell exits with
<a class="permalink" href="#127"><b class="Sy">127</b></a>), a
diagnostic is issued and the normal prompt is used as fall-back. If it
fails for any other reason, the prompting is aborted.</p>
</dd>
</dl>
</section>
<section class="Sh">
<h1 class="Sh" id="FIDO2_back-end_configuration"><a class="permalink" href="#FIDO2_back-end_configuration">FIDO2
back-end configuration</a></h1>
<section class="Ss">
<h2 class="Ss" id="Environment_variables"><a class="permalink" href="#Environment_variables">Environment
variables</a></h2>
<dl class="Bl-tag Bl-compact">
<dt id="FIDO_DEBUG"><a class="permalink" href="#FIDO_DEBUG"><code class="Ev">FIDO_DEBUG</code></a></dt>
<dd>If set, enables libfido2 debug logging to the standard error stream.</dd>
</dl>
</section>
<section class="Ss">
<h2 class="Ss" id="Device_selection"><a class="permalink" href="#Device_selection">Device
selection</a></h2>
<p class="Pp">When creating, the first device which supports the
&#x2018;<code class="Li">hmac-secret</code>&#x2019; extension is used. When
loading, the assertion is shopped around to every such device.</p>
</section>
<section class="Ss">
<h2 class="Ss" id="See_also"><a class="permalink" href="#See_also">See
also</a></h2>
<p class="Pp">The libfido2 documentation at
<a class="Lk" href="https://developers.yubico.com/libfido2/">https://developers.yubico.com/libfido2/</a>.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SPECIAL_THANKS"><a class="permalink" href="#SPECIAL_THANKS">SPECIAL
THANKS</a></h1>
<p class="Pp">To all who support further development, in particular:</p>
<ul class="Bl-bullet Bd-indent Bl-compact">
<li>ThePhD</li>
<li>Embark Studios</li>
<li>Jasper Bekkers</li>
<li>EvModder</li>
</ul>
</section>
<section class="Sh">
<h1 class="Sh" id="REPORTING_BUGS"><a class="permalink" href="#REPORTING_BUGS">REPORTING
BUGS</a></h1>
<p class="Pp"><a class="Lk" href="https://todo.sr.ht/~nabijaczleweli/fzifdso">https://todo.sr.ht/~nabijaczleweli/fzifdso</a></p>
<p class="Pp"><a class="Mt" href="mailto:~nabijaczleweli/tzpfms@lists.sr.ht">~nabijaczleweli/tzpfms@lists.sr.ht</a>,
archived at
<a class="Lk" href="https://lists.sr.ht/~nabijaczleweli/tzpfms">https://lists.sr.ht/~nabijaczleweli/tzpfms</a>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">February 29, 2024</td>
<td class="foot-os">fzifdso 0</td>
</tr>
</table>
</body>
</html>
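Review bot: the `tzpfms.key` paragraph stating that zfs-fido2-load-key(8) shops assertions around in device-major order, so that a backup may be loaded even when the primary device is present, leaves the operator with no way to tell from the page which credential actually unlocked the dataset; suggest adding a sentence saying whether a diagnostic names the device or credential that produced the accepted assertion (or that none is issued), since silently succeeding via the backup is exactly the case someone auditing key use would want to notice. "Device-major order" could also be spelled out as the order in which libfido2 enumerates devices, which is what "depending on device numbering" implies.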


@ -1,6 +1,6 @@
.\" SPDX-License-Identifier: MIT
.
.Dd February 28, 2024
.Dd February 29, 2024
.ds doc-volume-operating-system
.Dt ZFS-FIDO2-CHANGE-KEY 8
.Os fzifdso 0
@ -59,7 +59,7 @@ The following properties are set on
.It
.Li xyz.nabijaczleweli:tzpfms.backend Ns = Ns Sy FIDO2
.It
.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar salt Ns Cm \&:\:\& Ns Ar credential-ID Ns Cm \&:\:\& Ns Ar credential-public-key
.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar salt Ns Cm :\:\& Ns Ar credential-ID Ns Cm :\:\& Ns Ar credential-public-key Ns Oo Cm \&. Ns Oc Ns
.El
.Pp
.Li tzpfms.backend
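Review bot: the replacement `.Li xyz.nabijaczleweli:tzpfms.key` line ends in a bare `Ns` with nothing after it (`... Ns Oo Cm \&. Ns Oc Ns` followed directly by `.El`), while the rendered HTML in this same commit shows `[.…]…` after `credential-public-key`; if the source line is meant to continue with the ellipsis arguments, check that the full line made it into the commit, otherwise drop the trailing `Ns` so mandoc does not complain about a no-space macro with no following text.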
@ -67,7 +67,7 @@ identifies this dataset for work with
.Sy FIDO2 Ns -back-ended
.Nm tzpfms
tools
.Pq i.e. Nm fzifdso Xr zfs-fido2-change-key 8 , Xr zfs-fido2-load-key 8 , and Xr zfs-fido2-clear-key 8 .
.Pq i.e. Nm fzifdso Xr zfs-fido2-change-key 8 , Xr zfs-fido2-load-key 8 , Xr zfs-fido2-add-backup 8 , and Xr zfs-fido2-clear-key 8 .
.Pp
.Li tzpfms.key
is a colon-separated tuple of unpadded URL-safe base64 blobs;


@ -65,13 +65,14 @@
<var class="Ar">dataset</var>:</p>
<ul class="Bl-bullet Bd-indent Bl-compact">
<li id="xyz.nabijaczleweli:tzpfms.backend"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.backend"><code class="Li">xyz.nabijaczleweli:tzpfms.backend</code></a>=<b class="Sy">FIDO2</b></li>
<li id="xyz.nabijaczleweli:tzpfms.key"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.key"><code class="Li">xyz.nabijaczleweli:tzpfms.key</code></a>=<var class="Ar">salt</var><code class="Cm">:</code><var class="Ar">credential-ID</var><code class="Cm">:</code><var class="Ar">credential-public-key</var></li>
<li id="xyz.nabijaczleweli:tzpfms.key"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.key"><code class="Li">xyz.nabijaczleweli:tzpfms.key</code></a>=<var class="Ar">salt</var><code class="Cm">:</code><var class="Ar">credential-ID</var><code class="Cm">:</code><var class="Ar">credential-public-key</var>[<code class="Cm">.</code>&#x2026;]&#x2026;</li>
</ul>
<p class="Pp"><code class="Li">tzpfms.backend</code> identifies this dataset for
work with <b class="Sy">FIDO2</b>-back-ended <code class="Nm">tzpfms</code>
tools (i.e. <code class="Nm">fzifdso</code>
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>,
<a class="Xr" href="zfs-fido2-load-key.8.html">zfs-fido2-load-key(8)</a>,
<a class="Xr" href="zfs-fido2-add-backup.8.html">zfs-fido2-add-backup(8)</a>,
and
<a class="Xr" href="zfs-fido2-clear-key.8.html">zfs-fido2-clear-key(8)</a>).</p>
<p class="Pp"><code class="Li">tzpfms.key</code> is a colon-separated tuple of
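Review bot: the new `tzpfms.key` bullet renders the appended bundles only as `[.…]…`, and the following "is a colon-separated tuple of" paragraph gives no pointer to where those later bundles are documented; since this hunk already adds zfs-fido2-add-backup(8) to the tool list, suggest adding a cross-reference there (e.g. "subsequent dot-separated bundles are described in zfs-fido2-add-backup(8)") so a reader of this page can learn that each one carries a backup credential plus an IV and an encrypted key blob.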
@ -197,7 +198,7 @@
</div>
<table class="foot">
<tr>
<td class="foot-date">February 28, 2024</td>
<td class="foot-date">February 29, 2024</td>
<td class="foot-os">fzifdso 0</td>
</tr>
</table>