NAME

zfs-fido2-clear-key — rewrap ZFS dataset key in passsword and clear tzpfms FIDO2 metadata

SYNOPSIS

DESCRIPTION

After verifying dataset was encrypted with the tzpfms FIDO2 backend:

1. performs the equivalent of zfs change-key -o keylocation=prompt -o keyformat=passphrase dataset,
2. loads the primary and every backup credential, and for each success, if the device containing it supports the ‘credMgmt’ feature and has a PIN set, tries to delete the credential from the device,
3. removes the xyz.nabijaczleweli:tzpfms.{backend, key} properties from dataset.

For every removal failure and missing device or PIN an instruction for manual removal with fido2-token(1) is issued.

See zfs-fido2-change-key(8) for a detailed description.

ENVIRONMENT VARIABLES

TZPFMS_PASSPHRASE_HELPER

By default, passphrases are prompted for and read in on the standard output and input streams. If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run via /bin/sh -c to provide each passphrase, instead.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The arguments are:

$1

Pre-formatted noun phrase with all the information below, for use as a prompt

$2

Either the dataset name or the device feature being prompted for

$3

"new" if this is for a new passphrase, otherwise blank

$4

"again" if it's the second prompt for that passphrase, otherwise blank

If the helper doesn't exist (the shell exits with 127), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

FIDO2 back-end configuration

SPECIAL THANKS

To all who support further development, in particular:

• ThePhD
• Embark Studios
• Jasper Bekkers
• EvModder

REPORTING BUGS

https://todo.sr.ht/~nabijaczleweli/fzifdso

~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.