From d0979bb54ce4f1a0ad07d4e0e5e9e87dd75a5d64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Sun, 18 Oct 2020 03:41:32 +0200 Subject: [PATCH] Initial manpage commit --- index.txt | 8 ++ zfs-tpm2-change-key.8 | 62 +++++++++ zfs-tpm2-change-key.8.html | 187 ++++++++++++++++++++++++++++ zfs-tpm2-change-key.8.html_fragment | 106 ++++++++++++++++ zfs-tpm2-change-key.md | 87 +++++++++++++ zfs-tpm2-clear-key.8 | 44 +++++++ zfs-tpm2-clear-key.8.html | 146 ++++++++++++++++++++++ zfs-tpm2-clear-key.8.html_fragment | 66 ++++++++++ zfs-tpm2-clear-key.md | 55 ++++++++ zfs-tpm2-load-key.8 | 41 ++++++ zfs-tpm2-load-key.8.html | 148 ++++++++++++++++++++++ zfs-tpm2-load-key.8.html_fragment | 67 ++++++++++ zfs-tpm2-load-key.md | 56 +++++++++ 13 files changed, 1073 insertions(+) create mode 100644 index.txt create mode 100644 zfs-tpm2-change-key.8 create mode 100644 zfs-tpm2-change-key.8.html create mode 100644 zfs-tpm2-change-key.8.html_fragment create mode 100644 zfs-tpm2-change-key.md create mode 100644 zfs-tpm2-clear-key.8 create mode 100644 zfs-tpm2-clear-key.8.html create mode 100644 zfs-tpm2-clear-key.8.html_fragment create mode 100644 zfs-tpm2-clear-key.md create mode 100644 zfs-tpm2-load-key.8 create mode 100644 zfs-tpm2-load-key.8.html create mode 100644 zfs-tpm2-load-key.8.html_fragment create mode 100644 zfs-tpm2-load-key.md diff --git a/index.txt b/index.txt new file mode 100644 index 0000000..f83ce9f --- /dev/null +++ b/index.txt @@ -0,0 +1,8 @@ +zfs-tpm2-change-key(8) zfs-tpm2-change-key.8.ronn +zfs-tpm2-load-key(8) zfs-tpm2-load-key.8.ronn +zfs-tpm2-clear-key(8) zfs-tpm2-clear-key.8.ronn + +zfs(8) https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html +tpm2_unseal(1) https://manpages.debian.org/bullseye/tpm2-tools/tpm2_unseal.1.en.html + +ESYS_CONTEXT(3) https://www.mankier.com/3/ESYS_CONTEXT diff --git a/zfs-tpm2-change-key.8 b/zfs-tpm2-change-key.8 new file mode 100644 index 0000000..967be45 --- /dev/null +++ b/zfs-tpm2-change-key.8 
@@ -0,0 +1,62 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM2\-CHANGE\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm2\-change\-key\fR \- change ZFS dataset key to one stored on the TPM +.SH "SYNOPSIS" +\fBzfs\-tpm2\-change\-key\fR [\-b file] \fIdataset\fR +.SH "DESCRIPTION" +To normalise \fBdataset\fR, zfs\-tpm2\-change\-key(8) will open its encryption root in its stead\. zfs\-tpm2\-change\-key(8) will \fInever\fR create or destroy encryption roots; use \fBzfs(8) change\-key\fR for that\. +.P +First, a connection is made to the TPM, which \fImust\fR be TPM\-2\.0\-compatible\. +.P +If \fBdataset\fR was previously encrypted with tzpfms and the \fITPM2\fR back\-end was used, the previous key will be freed from the TPM\. Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream\. +.P +Next, a new wrapping key is be generated on the TPM, optionally backed up (see \fIOPTIONS\fR), and sealed to a persistent object on the TPM under the owner hierarchy\. +.P +The following properties are set on \fBdataset\fR: +.IP "\[ci]" 4 +\fBxyz\.nabijaczleweli:tzpfms\.backend\fR=\fBTPM2\fR +.IP "\[ci]" 4 +\fBxyz\.nabijaczleweli:tzpfms\.key\fR=\fI(ID of persistent object)\fR +.IP "" 0 +.P +\fBtzpfms\.backend\fR identifies this dataset for work with \fITPM2\fR\-back\-ended tzpfms tools (namely zfs\-tpm2\-change\-key(8), zfs\-tpm2\-load\-key(8), and zfs\-tpm2\-clear\-key(8))\. +.P +\fBtzpfms\.key\fR is an integer representing the sealed object; if needed, it can be passed to \fBtpm2_unseal(1) \-c ${tzpfms\.key}\fR or equivalent for back\-up (see \fIOPTIONS\fR)\. If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly\. +.P +Finally, the equivalent of \fBzfs(8) change\-key \-o keylocation=prompt \-o keyformat=raw dataset\fR is performed with the new key\. 
If an error occurred, best effort is made to clean up the persistent object and properties, or to issue a note for manual intervention into the standard error stream\. +.P +A final verification should be made by running \fBzfs\-tpm2\-load\-key(8) \-n dataset\fR\. If that command succeeds, all is well, but otherwise the dataset can be manually rolled back to a password with \fBzfs\-tpm2\-clear\-key(8) dataset\fR (or, if that fails to work, \fBzfs(8) change\-key \-o keyformat=passphrase dataset\fR), and you are hereby asked to report a bug, please\. +.P +\fBzfs\-tpm2\-clear\-key(8) dataset\fR can be used to free the TPM persistent object and go back to using a password\. +.SH "OPTIONS" +.TP +\fB\-b\fR \fIfile\fR +Save a back\-up of the key to \fIfile\fR, which must not exist beforehand\. This back\-up \fBmust\fR be stored securely, off\-site\. In case of a catastrophic event, the key can be loaded by running \fBzfs(8) load\-key dataset < backup\-file\fR\. +.SH "TPM2 back\-end configuration" +.SS "Environment variables" +.TP +\fBTSS2_LOG\fR= +Any of: \fINONE\fR, \fIERROR\fR, \fIWARNING\fR, \fIINFO\fR, \fIDEBUG\fR, \fITRACE\fR\. Default: \fIWARNING\fR\. +.SS "TPM selection" +The library \fBlibtss2\-tcti\-default\.so\fR can be linked to any of the \fBlibtss2\-tcti\-*\.so\fR libraries to select the default, otherwise \fB/dev/tpmrm0\fR, then \fB/dev/tpm0\fR, then \fBlocalhost:2321\fR will be tried, in order (see ESYS_CONTEXT(3))\. +.SS "See also" +The tpm2\-tss git repository at \fIhttps://github\.com/tpm2\-software/tpm2\-tss\fR and the documentation at \fIhttps://tpm2\-tss\.readthedocs\.io\fR\. +.P +The TPM 2\.0 specifications, mainly at <\fIhttps://trustedcomputinggroup\.org/wp\-content/uploads/TPM\-Rev\-2\.0\-Part\-1\-Architecture\-01\.38\.pdf\fR> and related pages\. 
+.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> diff --git a/zfs-tpm2-change-key.8.html b/zfs-tpm2-change-key.8.html new file mode 100644 index 0000000..93d6345 --- /dev/null +++ b/zfs-tpm2-change-key.8.html @@ -0,0 +1,187 @@ + + + + + + zfs-tpm2-change-key(8) - change ZFS dataset key to one stored on the TPM + + + + +
+ + + +
    +
  1. zfs-tpm2-change-key(8)
  2. +
  3. +
  4. zfs-tpm2-change-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm2-change-key - change ZFS dataset key to one stored on the TPM +

+

SYNOPSIS

+ +

zfs-tpm2-change-key [-b file] dataset

+ +

DESCRIPTION

+ +

To normalise dataset, zfs-tpm2-change-key(8) will open its encryption root in its stead. +zfs-tpm2-change-key(8) will never create or destroy encryption roots; use zfs(8) change-key for that.

+ +

First, a connection is made to the TPM, which must be TPM-2.0-compatible.

+ +

If dataset was previously encrypted with tzpfms and the TPM2 back-end was used, the previous key will be freed from the TPM. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream.

+ +

Next, a new wrapping key is be generated on the TPM, optionally backed up (see OPTIONS), +and sealed to a persistent object on the TPM under the owner hierarchy.

+ +

The following properties are set on dataset:

+ + + +

tzpfms.backend identifies this dataset for work with TPM2-back-ended tzpfms tools +(namely zfs-tpm2-change-key(8), zfs-tpm2-load-key(8), and zfs-tpm2-clear-key(8)).

+ +

tzpfms.key is an integer representing the sealed object; +if needed, it can be passed to tpm2_unseal(1) -c ${tzpfms.key} or equivalent for back-up (see OPTIONS). +If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly.

+ +

Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. +If an error occurred, best effort is made to clean up the persistent object and properties, +or to issue a note for manual intervention into the standard error stream.

+ +

A final verification should be made by running zfs-tpm2-load-key(8) -n dataset. +If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with zfs-tpm2-clear-key(8) dataset (or, if that fails to work, zfs(8) change-key -o keyformat=passphrase dataset), and you are hereby asked to report a bug, please.

+ +

zfs-tpm2-clear-key(8) dataset can be used to free the TPM persistent object and go back to using a password.

+ +

OPTIONS

+ +
+
+-b file +
+
Save a back-up of the key to file, which must not exist beforehand. +This back-up must be stored securely, off-site. +In case of a catastrophic event, the key can be loaded by running zfs(8) load-key dataset < backup-file.
+
+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ + + +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm2-change-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm2-change-key.8.html_fragment b/zfs-tpm2-change-key.8.html_fragment new file mode 100644 index 0000000..46f4c1a --- /dev/null +++ b/zfs-tpm2-change-key.8.html_fragment @@ -0,0 +1,106 @@ +
+ +

NAME

+

+ zfs-tpm2-change-key - change ZFS dataset key to one stored on the TPM +

+

SYNOPSIS

+ +

zfs-tpm2-change-key [-b file] dataset

+ +

DESCRIPTION

+ +

To normalise dataset, zfs-tpm2-change-key(8) will open its encryption root in its stead. +zfs-tpm2-change-key(8) will never create or destroy encryption roots; use zfs(8) change-key for that.

+ +

First, a connection is made to the TPM, which must be TPM-2.0-compatible.

+ +

If dataset was previously encrypted with tzpfms and the TPM2 back-end was used, the previous key will be freed from the TPM. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream.

+ +

Next, a new wrapping key is be generated on the TPM, optionally backed up (see OPTIONS), +and sealed to a persistent object on the TPM under the owner hierarchy.

+ +

The following properties are set on dataset:

+ + + +

tzpfms.backend identifies this dataset for work with TPM2-back-ended tzpfms tools +(namely zfs-tpm2-change-key(8), zfs-tpm2-load-key(8), and zfs-tpm2-clear-key(8)).

+ +

tzpfms.key is an integer representing the sealed object; +if needed, it can be passed to tpm2_unseal(1) -c ${tzpfms.key} or equivalent for back-up (see OPTIONS). +If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly.

+ +

Finally, the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. +If an error occurred, best effort is made to clean up the persistent object and properties, +or to issue a note for manual intervention into the standard error stream.

+ +

A final verification should be made by running zfs-tpm2-load-key(8) -n dataset. +If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with zfs-tpm2-clear-key(8) dataset (or, if that fails to work, zfs(8) change-key -o keyformat=passphrase dataset), and you are hereby asked to report a bug, please.

+ +

zfs-tpm2-clear-key(8) dataset can be used to free the TPM persistent object and go back to using a password.

+ +

OPTIONS

+ +
+
+-b file +
+
Save a back-up of the key to file, which must not exist beforehand. +This back-up must be stored securely, off-site. +In case of a catastrophic event, the key can be loaded by running zfs(8) load-key dataset < backup-file.
+
+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ + + +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm2-change-key.md b/zfs-tpm2-change-key.md new file mode 100644 index 0000000..6ef1992 --- /dev/null +++ b/zfs-tpm2-change-key.md 
@@ -0,0 +1,87 @@ +zfs-tpm2-change-key(8) -- change ZFS dataset key to one stored on the TPM +========================================================================= + +## SYNOPSIS + +`zfs-tpm2-change-key` [-b file] + +## DESCRIPTION + +To normalise `dataset`, zfs-tpm2-change-key(8) will open its encryption root in its stead. +zfs-tpm2-change-key(8) will *never* create or destroy encryption roots; use **zfs(8) change-key** for that. + +First, a connection is made to the TPM, which *must* be TPM-2.0-compatible. + +If `dataset` was previously encrypted with tzpfms and the *TPM2* back-end was used, the previous key will be freed from the TPM. +Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream. + +Next, a new wrapping key is be generated on the TPM, optionally backed up (see [OPTIONS][]), +and sealed to a persistent object on the TPM under the owner hierarchy. + +The following properties are set on `dataset`: + + * `xyz.nabijaczleweli:tzpfms.backend`=`TPM2` + * `xyz.nabijaczleweli:tzpfms.key`=*(ID of persistent object)* + +`tzpfms.backend` identifies this dataset for work with *TPM2*-back-ended tzpfms tools +(namely zfs-tpm2-change-key(8), zfs-tpm2-load-key(8), and zfs-tpm2-clear-key(8)). + +`tzpfms.key` is an integer representing the sealed object; +if needed, it can be passed to **tpm2_unseal(1) -c ${tzpfms.key}** or equivalent for back-up (see [OPTIONS][]). +If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly. + +Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key. +If an error occurred, best effort is made to clean up the persistent object and properties, +or to issue a note for manual intervention into the standard error stream. + +A final verification should be made by running **zfs-tpm2-load-key(8) -n dataset**. 
+If that command succeeds, all is well, +but otherwise the dataset can be manually rolled back to a password with **zfs-tpm2-clear-key(8) dataset** (or, if that fails to work, **zfs(8) change-key -o keyformat=passphrase dataset**), and you are hereby asked to report a bug, please. + +**zfs-tpm2-clear-key(8) dataset** can be used to free the TPM persistent object and go back to using a password. + +## OPTIONS + + * `-b` *file*: + Save a back-up of the key to *file*, which must not exist beforehand. + This back-up **must** be stored securely, off-site. + In case of a catastrophic event, the key can be loaded by running **zfs(8) load-key dataset < backup-file**. + +## TPM2 back-end configuration + +### Environment variables + + * `TSS2_LOG`=: + Any of: *NONE*, *ERROR*, *WARNING*, *INFO*, *DEBUG*, *TRACE*. Default: *WARNING*. + +### TPM selection + +The library `libtss2-tcti-default.so` can be linked to any of the `libtss2-tcti-*.so` libraries to select the default, +otherwise `/dev/tpmrm0`, then `/dev/tpm0`, then `localhost:2321` will be tried, in order (see ESYS_CONTEXT(3)). + +### See also + +The tpm2-tss git repository at and the documentation at . + +The TPM 2.0 specifications, mainly at <> and related pages. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<> diff --git a/zfs-tpm2-clear-key.8 b/zfs-tpm2-clear-key.8 new file mode 100644 index 0000000..14cdd1c --- /dev/null +++ b/zfs-tpm2-clear-key.8 
@@ -0,0 +1,44 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM2\-CLEAR\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm2\-clear\-key\fR \- rewrap ZFS dataset key in passsword and clear tzpfms TPM2 metadata +.SH "SYNOPSIS" +\fBzfs\-tpm2\-clear\-key\fR \fIdataset\fR +.SH "DESCRIPTION" +zfs\-tpm2\-clear\-key(8), after verifying that \fBdataset\fR was encrypted with tzpfms backend \fITPM2\fR will: +.IP "1." 4 +perform the equivalent of \fBzfs(8) change\-key \-o keylocation=prompt \-o keyformat=passphrase dataset\fR, +.IP "2." 4 +free the sealed key previously used to encrypt \fBdataset\fR, +.IP "3." 4 +remove the \fBxyz\.nabijaczleweli:tzpfms\.{backend,key}\fR properties from \fBdataset\fR\. +.IP "" 0 +.P +See zfs\-tpm2\-change\-key(8) for a detailed description\. +.SH "TPM2 back\-end configuration" +.SS "Environment variables" +.TP +\fBTSS2_LOG\fR= +Any of: \fINONE\fR, \fIERROR\fR, \fIWARNING\fR, \fIINFO\fR, \fIDEBUG\fR, \fITRACE\fR\. Default: \fIWARNING\fR\. +.SS "TPM selection" +The library \fBlibtss2\-tcti\-default\.so\fR can be linked to any of the \fBlibtss2\-tcti\-*\.so\fR libraries to select the default, otherwise \fB/dev/tpmrm0\fR, then \fB/dev/tpm0\fR, then \fBlocalhost:2321\fR will be tried, in order (see ESYS_CONTEXT(3))\. +.SS "See also" +The tpm2\-tss git repository at \fIhttps://github\.com/tpm2\-software/tpm2\-tss\fR and the documentation at \fIhttps://tpm2\-tss\.readthedocs\.io\fR\. +.P +The TPM 2\.0 specifications, mainly at <\fIhttps://trustedcomputinggroup\.org/wp\-content/uploads/TPM\-Rev\-2\.0\-Part\-1\-Architecture\-01\.38\.pdf\fR> and related pages\. 
+.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> diff --git a/zfs-tpm2-clear-key.8.html b/zfs-tpm2-clear-key.8.html new file mode 100644 index 0000000..e588fa4 --- /dev/null +++ b/zfs-tpm2-clear-key.8.html @@ -0,0 +1,146 @@ + + + + + + zfs-tpm2-clear-key(8) - rewrap ZFS dataset key in passsword and clear tzpfms TPM2 metadata + + + + +
+ + + +
    +
  1. zfs-tpm2-clear-key(8)
  2. +
  3. +
  4. zfs-tpm2-clear-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm2-clear-key - rewrap ZFS dataset key in passsword and clear tzpfms TPM2 metadata +

+

SYNOPSIS

+ +

zfs-tpm2-clear-key dataset

+ +

DESCRIPTION

+ +

zfs-tpm2-clear-key(8), after verifying that dataset was encrypted with tzpfms backend TPM2 will:

+ +
    +
  1. perform the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. +
  3. free the sealed key previously used to encrypt dataset,
  4. +
  5. remove the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.
  6. +
+ +

See zfs-tpm2-change-key(8) for a detailed description.

+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm2-clear-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm2-clear-key.8.html_fragment b/zfs-tpm2-clear-key.8.html_fragment new file mode 100644 index 0000000..e05f9d7 --- /dev/null +++ b/zfs-tpm2-clear-key.8.html_fragment @@ -0,0 +1,66 @@ +
+ +

NAME

+

+ zfs-tpm2-clear-key - rewrap ZFS dataset key in passsword and clear tzpfms TPM2 metadata +

+

SYNOPSIS

+ +

zfs-tpm2-clear-key dataset

+ +

DESCRIPTION

+ +

zfs-tpm2-clear-key(8), after verifying that dataset was encrypted with tzpfms backend TPM2 will:

+ +
    +
  1. perform the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. +
  3. free the sealed key previously used to encrypt dataset,
  4. +
  5. remove the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.
  6. +
+ +

See zfs-tpm2-change-key(8) for a detailed description.

+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm2-clear-key.md b/zfs-tpm2-clear-key.md new file mode 100644 index 0000000..674364f --- /dev/null +++ b/zfs-tpm2-clear-key.md @@ -0,0 +1,55 @@ +zfs-tpm2-clear-key(8) -- rewrap ZFS dataset key in passsword and clear tzpfms TPM2 metadata +=========================================================================================== + +## SYNOPSIS + +`zfs-tpm2-clear-key` + +## DESCRIPTION + +zfs-tpm2-clear-key(8), after verifying that `dataset` was encrypted with tzpfms backend *TPM2* will: + + 1. perform the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset**, + 2. free the sealed key previously used to encrypt `dataset`, + 3. remove the `xyz.nabijaczleweli:tzpfms.{backend,key}` properties from `dataset`. + +See zfs-tpm2-change-key(8) for a detailed description. + +## TPM2 back-end configuration + +### Environment variables + + * `TSS2_LOG`=: + Any of: *NONE*, *ERROR*, *WARNING*, *INFO*, *DEBUG*, *TRACE*. Default: *WARNING*. + +### TPM selection + +The library `libtss2-tcti-default.so` can be linked to any of the `libtss2-tcti-*.so` libraries to select the default, +otherwise `/dev/tpmrm0`, then `/dev/tpm0`, then `localhost:2321` will be tried, in order (see ESYS_CONTEXT(3)). + +### See also + +The tpm2-tss git repository at and the documentation at . + +The TPM 2.0 specifications, mainly at <> and related pages. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<> diff --git a/zfs-tpm2-load-key.8 b/zfs-tpm2-load-key.8 new file mode 100644 index 0000000..43a08ea --- /dev/null +++ b/zfs-tpm2-load-key.8 
@@ -0,0 +1,41 @@ +.\" generated with Ronn-NG/v0.9.1 +.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 +.TH "ZFS\-TPM2\-LOAD\-KEY" "8" "October 2020" "tzpfms developers" +.SH "NAME" +\fBzfs\-tpm2\-load\-key\fR \- load tzpfms TPM2\-encrypted ZFS dataset key +.SH "SYNOPSIS" +\fBzfs\-tpm2\-load\-key\fR [\-n] \fIdataset\fR +.SH "DESCRIPTION" +zfs\-tpm2\-load\-key(8), after verifying that \fBdataset\fR was encrypted with tzpfms backend \fITPM2\fR will unseal the key and load it into \fBdataset\fR\. +.P +See zfs\-tpm2\-change\-key(8) for a detailed description\. +.SH "OPTIONS" +.TP +\fB\-n\fR +Do a no\-op/dry run, can be used even if the key is already loaded\. Equivalent to \fBzfs(8) load\-key\fR\'s \fB\-n\fR option\. +.SH "TPM2 back\-end configuration" +.SS "Environment variables" +.TP +\fBTSS2_LOG\fR= +Any of: \fINONE\fR, \fIERROR\fR, \fIWARNING\fR, \fIINFO\fR, \fIDEBUG\fR, \fITRACE\fR\. Default: \fIWARNING\fR\. +.SS "TPM selection" +The library \fBlibtss2\-tcti\-default\.so\fR can be linked to any of the \fBlibtss2\-tcti\-*\.so\fR libraries to select the default, otherwise \fB/dev/tpmrm0\fR, then \fB/dev/tpm0\fR, then \fBlocalhost:2321\fR will be tried, in order (see ESYS_CONTEXT(3))\. +.SS "See also" +The tpm2\-tss git repository at \fIhttps://github\.com/tpm2\-software/tpm2\-tss\fR and the documentation at \fIhttps://tpm2\-tss\.readthedocs\.io\fR\. +.P +The TPM 2\.0 specifications, mainly at <\fIhttps://trustedcomputinggroup\.org/wp\-content/uploads/TPM\-Rev\-2\.0\-Part\-1\-Architecture\-01\.38\.pdf\fR> and related pages\. 
+.SH "AUTHOR" +Written by наб <\fInabijaczleweli@nabijaczleweli\.xyz\fR> +.SH "SPECIAL THANKS" +To all who support further development, in particular: +.IP "\[ci]" 4 +ThePhD +.IP "\[ci]" 4 +Embark Studios +.IP "" 0 +.SH "REPORTING BUGS" +<\fIhttps://todo\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.P +<\fI~nabijaczleweli/tzpfms@lists\.sr\.ht\fR>, archived at <\fIhttps://lists\.sr\.ht/~nabijaczleweli/tzpfms\fR> +.SH "SEE ALSO" +<\fIhttps://git\.sr\.ht/~nabijaczleweli/tzpfms\fR> diff --git a/zfs-tpm2-load-key.8.html b/zfs-tpm2-load-key.8.html new file mode 100644 index 0000000..5f253db --- /dev/null +++ b/zfs-tpm2-load-key.8.html @@ -0,0 +1,148 @@ + + + + + + zfs-tpm2-load-key(8) - load tzpfms TPM2-encrypted ZFS dataset key + + + + +
+ + + +
    +
  1. zfs-tpm2-load-key(8)
  2. +
  3. +
  4. zfs-tpm2-load-key(8)
  5. +
+ + + +

NAME

+

+ zfs-tpm2-load-key - load tzpfms TPM2-encrypted ZFS dataset key +

+

SYNOPSIS

+ +

zfs-tpm2-load-key [-n] dataset

+ +

DESCRIPTION

+ +

zfs-tpm2-load-key(8), after verifying that dataset was encrypted with tzpfms backend TPM2 will unseal the key and load it into dataset.

+ +

See zfs-tpm2-change-key(8) for a detailed description.

+ +

OPTIONS

+ +
+
-n
+
Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to zfs(8) load-key's -n option.
+
+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+ +
    +
  1. tzpfms developers
  2. +
  3. October 2020
  4. +
  5. zfs-tpm2-load-key(8)
  6. +
+ +
+ + diff --git a/zfs-tpm2-load-key.8.html_fragment b/zfs-tpm2-load-key.8.html_fragment new file mode 100644 index 0000000..2354034 --- /dev/null +++ b/zfs-tpm2-load-key.8.html_fragment @@ -0,0 +1,67 @@ +
+ +

NAME

+

+ zfs-tpm2-load-key - load tzpfms TPM2-encrypted ZFS dataset key +

+

SYNOPSIS

+ +

zfs-tpm2-load-key [-n] dataset

+ +

DESCRIPTION

+ +

zfs-tpm2-load-key(8), after verifying that dataset was encrypted with tzpfms backend TPM2 will unseal the key and load it into dataset.

+ +

See zfs-tpm2-change-key(8) for a detailed description.

+ +

OPTIONS

+ +
+
-n
+
Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to zfs(8) load-key's -n option.
+
+ +

TPM2 back-end configuration

+ +

Environment variables

+ +
+
+TSS2_LOG=
+
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.
+
+ +

TPM selection

+ +

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, +otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

+ +

See also

+ +

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

+ +

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

+ +

AUTHOR

+ +

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

+ +

SPECIAL THANKS

+ +

To all who support further development, in particular:

+ +
    +
  • ThePhD
  • +
  • Embark Studios
  • +
+ +

REPORTING BUGS

+ +

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

+ +

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

+ +

SEE ALSO

+ +

<https://git.sr.ht/~nabijaczleweli/tzpfms>

+
diff --git a/zfs-tpm2-load-key.md b/zfs-tpm2-load-key.md new file mode 100644 index 0000000..c9d44f6 --- /dev/null +++ b/zfs-tpm2-load-key.md @@ -0,0 +1,56 @@ +zfs-tpm2-load-key(8) -- load tzpfms TPM2-encrypted ZFS dataset key +================================================================== + +## SYNOPSIS + +`zfs-tpm2-load-key` [-n] + +## DESCRIPTION + +zfs-tpm2-load-key(8), after verifying that `dataset` was encrypted with tzpfms backend *TPM2* will unseal the key and load it into `dataset`. + +See zfs-tpm2-change-key(8) for a detailed description. + +## OPTIONS + + * `-n`: + Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to **zfs(8) load-key**'s `-n` option. + +## TPM2 back-end configuration + +### Environment variables + + * `TSS2_LOG`=: + Any of: *NONE*, *ERROR*, *WARNING*, *INFO*, *DEBUG*, *TRACE*. Default: *WARNING*. + +### TPM selection + +The library `libtss2-tcti-default.so` can be linked to any of the `libtss2-tcti-*.so` libraries to select the default, +otherwise `/dev/tpmrm0`, then `/dev/tpm0`, then `localhost:2321` will be tried, in order (see ESYS_CONTEXT(3)). + +### See also + +The tpm2-tss git repository at and the documentation at . + +The TPM 2.0 specifications, mainly at <> and related pages. + +## AUTHOR + +Written by наб <> + +## SPECIAL THANKS + +To all who support further development, in particular: + + * ThePhD + * Embark Studios + +## REPORTING BUGS + +<> + +<>, archived at <> + +## SEE ALSO + +<>
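Review bot: the index.txt hunk points each page at a `zfs-tpm2-*.8.ronn` source (`zfs-tpm2-change-key(8) zfs-tpm2-change-key.8.ronn` and so on), but the sources this commit actually adds are `zfs-tpm2-change-key.md`, `zfs-tpm2-clear-key.md` and `zfs-tpm2-load-key.md`; anything that reads index.txt to locate the source will look for files that do not exist. Either rename the index entries to the `.md` files or add the `.8.ronn` files the index expects.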
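Review bot: the commit checks in the Ronn-NG outputs (`.8`, `.8.html`, `.8.html_fragment`) next to their `.md` sources, with the date (`"October 2020"` in each `.TH` line) and the generator version (`generated with Ronn-NG/v0.9.1`) baked in; the three renderings of every page will drift from the source on the first edit that forgets to regenerate. Either generate them at build time or state the regeneration command (and ideally a check that the committed outputs match the sources) in the commit message, which currently says only "Initial manpage commit".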
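Review bot: grammar and spelling in the zfs-tpm2-change-key DESCRIPTION, repeated in all four renderings: `a new wrapping key is be generated on the TPM` should read `is generated`, and `it will funxion seamlessly` presumably means `function` (ignore this if the spelling is deliberate). Fix them in the `.md` and regenerate rather than patching the `.8` and `.html` outputs by hand, since the same sentence is duplicated across the `.8`, `.8.html` and `.8.html_fragment` hunks.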
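Review bot: the NAME line of zfs-tpm2-clear-key reads `rewrap ZFS dataset key in passsword` (three s) in the `.8`, `.8.html`, `.8.html_fragment` and `.md` hunks and in the HTML page title; as this is the line apropos(1) and whatis(1) index, fix it in the `.md` and regenerate. In the same DESCRIPTION, `after verifying that dataset was encrypted with tzpfms backend TPM2 will:` needs a comma after `TPM2`; the same sentence, with the same missing comma, appears in zfs-tpm2-load-key.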
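Review bot: the zfs-tpm2-change-key DESCRIPTION says the key is `sealed to a persistent object on the TPM under the owner hierarchy` and can be recovered with `tpm2_unseal(1) -c ${tzpfms.key}`, but never states what authorization the sealed object requires, so a reader cannot tell whether any local process able to open `/dev/tpmrm0` can unseal the dataset key or whether a PCR policy or auth value stands in the way. Add a sentence to DESCRIPTION (or a NOTES section) stating the authorization applied at seal time and the resulting threat model. The `-b file` OPTIONS entry has a similar gap: it says the file `must not exist beforehand` and `must be stored securely, off-site`, but not the permissions it is created with, which matters because the file holds the raw wrapping key that `zfs(8) load-key dataset < backup-file` consumes.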
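Review bot: the `TPM selection` subsection (identical in all three pages) lists `localhost:2321` as the last fallback after `/dev/tpmrm0` and `/dev/tpm0` without saying what it is: that is the tpm2-tss default TCTI loader's connection to the mssim TPM simulator, and a key sealed to a simulator has no hardware protection and is lost with the simulator's state. For a tool that rewraps ZFS dataset keys, the page should name that endpoint as the simulator, and the sentence about linking `libtss2-tcti-default.so` could be paired with the already documented `TSS2_LOG` setting so a reader can confirm which TCTI the loader actually opened before trusting the sealed key.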