ZFS-TPM2-CLEAR-KEY(8) System Manager's Manual ZFS-TPM2-CLEAR-KEY(8)

zfs-tpm2-clear-key - rewrap ZFS dataset key in passphrase and clear tzpfms TPM2 metadata

zfs-tpm2-clear-key dataset

After verifying dataset was encrypted with the tzpfms backend:

  1. performs the equivalent of zfs change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. frees the sealed key previously used to encrypt dataset,
  3. removes the xyz.nabijaczleweli:tzpfms.{backend, key} properties from dataset.

See zfs-tpm2-change-key(8) for a detailed description.

By default, passphrases are prompted for on the standard output stream and read from the standard input stream. If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run via /bin/sh -c to provide each passphrase instead.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The arguments are:

  1. pre-formatted noun phrase with all the information below, for use as a prompt,
  2. either the dataset name or the element of the TPM hierarchy being prompted for,
  3. "new" if this is for a new passphrase, otherwise blank,
  4. "again" if it's the second prompt for that passphrase, otherwise blank.

If the helper doesn't exist (the shell exits with ), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.
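The following is an added example of a TZPFMS_PASSPHRASE_HELPER, not part of tzpfms itself, written for unattended use (scripted key changes, initramfs-style recovery shells) where no terminal is available to answer the prompt. It answers each request from a root-only key file indexed by the second argument (dataset name or TPM hierarchy element), so the "new" and "again" prompts for the same item necessarily receive the same value, and it fails with a nonzero status for anything it has no entry for, which aborts prompting as described above. The key file path TZPFMS_HELPER_KEYFILE, the function names, and the assumption that the four arguments arrive as the positional parameters $1..$4 of the -c command are this example's own; the sample key file it writes is constructed for illustration.

```sh
#!/bin/sh
# Example TZPFMS_PASSPHRASE_HELPER (added here; not tzpfms's own code).
# tzpfms runs the helper via /bin/sh -c; this example assumes the arguments
# described in the manual arrive as positional parameters:
#   $1  pre-formatted prompt noun phrase
#   $2  dataset name, or the TPM hierarchy element being asked for
#   $3  "new" if a new passphrase is being set, otherwise empty
#   $4  "again" on the confirmation prompt, otherwise empty
# Everything written to stdout (minus one trailing newline) becomes the passphrase.

# Constructed sample key file, one "<dataset-or-hierarchy><TAB><passphrase>" per line.
# A real deployment would point TZPFMS_HELPER_KEYFILE (hypothetical name) at a
# root-only, mode 0600 file rather than creating one here.
TZPFMS_HELPER_KEYFILE=$(mktemp)
trap 'rm -f "$TZPFMS_HELPER_KEYFILE"' EXIT
printf '%s\t%s\n' 'tank/secret' 'correct horse battery staple' >"$TZPFMS_HELPER_KEYFILE"
printf '%s\t%s\n' 'owner'       'tpm-owner-hierarchy-auth'     >>"$TZPFMS_HELPER_KEYFILE"

# lookup_passphrase NAME: print the stored passphrase for NAME, or fail (exit 1).
lookup_passphrase() {
    awk -F '\t' -v key="$1" \
        '$1 == key { print $2; found = 1; exit } END { exit !found }' \
        "$TZPFMS_HELPER_KEYFILE"
}

# tzpfms_passphrase_helper PROMPT WHAT NEW AGAIN: the helper entry point.
# Exit 0 with the passphrase on stdout; any nonzero status makes tzpfms abort
# prompting (only a nonexistent helper falls back to the interactive prompt).
tzpfms_passphrase_helper() {
    prompt=$1 what=$2 new=$3 again=$4
    if ! pass=$(lookup_passphrase "$what"); then
        printf 'helper: no stored passphrase for %s (%s)\n' "$what" "$prompt" >&2
        return 1
    fi
    # Diagnostics go to stderr only: stdout is the passphrase channel.
    # Returning the same value on the "again" prompt is what makes the pair match.
    printf 'helper: answering %s passphrase for %s%s\n' \
        "${new:-existing}" "$what" "${again:+ (confirmation)}" >&2
    printf '%s\n' "$pass"   # the trailing newline is stripped by tzpfms
}

# When installed as an executable named tzpfms-helper, act as the helper directly.
case $0 in
    */tzpfms-helper|tzpfms-helper) tzpfms_passphrase_helper "$@" ;;
esac
```

Installed as /usr/local/libexec/tzpfms-helper, it would be selected with TZPFMS_PASSPHRASE_HELPER set to that path (with `"$@"` appended if the positional-parameter assumption above holds). Keeping the key file root-only matters more than anything in the script: whoever can read it can unwrap every dataset listed in it, so this helper trades the interactive prompt's secrecy for unattended operation and should be scoped to the datasets that actually need it.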

Any of: , , WARNING, , , . Default: WARNING.

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default, otherwise /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

The TPM 2.0 specifications, mainly at https://trustedcomputinggroup.org/resource/tpm-library-specification/, https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf, and related pages.

To all who support further development, in particular:

https://todo.sr.ht/~nabijaczleweli/tzpfms

~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.

March 11, 2024 tzpfms 0.4.1-1-gfd16dbb