NAME

zfs-tpm1x-change-key — change ZFS dataset key to one stored on the TPM

SYNOPSIS

zfs-tpm1x-change-key [-b backup-file] [-P PCR[,PCR]…] dataset

DESCRIPTION

To normalise the dataset, zfs-tpm1x-change-key will open its encryption root in its stead. zfs-tpm1x-change-key will never create or destroy encryption roots; use zfs-change-key(8) for that.

First, a connection is made to the TPM, which must be TPM-1.X-compatible.

If dataset was previously encrypted with tzpfms and the TPM1.X back-end was used, the metadata will be silently cleared. Otherwise, or in case of an error, data required for manual intervention will be written to the standard error stream.

Next, a new wrapping key is generated on the TPM, optionally backed up (see OPTIONS), and sealed on the TPM; the user is prompted for an optional passphrase to protect the key with, and for the SRK passphrase, set when taking ownership, if not "well-known" (all zeroes).

The following properties are set on dataset:

xyz.nabijaczleweli:tzpfms.backend=TPM1.X
xyz.nabijaczleweli:tzpfms.key=parent-key-blob:sealed-object-blob

tzpfms.backend identifies this dataset for work with TPM1.X-back-ended tzpfms tools (namely zfs-tpm1x-change-key(8), zfs-tpm1x-load-key(8), and zfs-tpm1x-clear-key(8)).

tzpfms.key is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, and it is protected with either the passphrase, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant B9EE715DBE4B243FAA81EA04306E063710383E35. There exists no other user-land tool for decrypting this; perhaps there should be.

Finally, the equivalent of zfs change-key -o keylocation=prompt -o keyformat=raw dataset is performed with the new key. If an error occurred, best effort is made to clean up the properties, or to issue a note for manual intervention into the standard error stream.

A final verification should be made by running zfs-tpm1x-load-key -n dataset. If that command succeeds, all is well, but otherwise the dataset can be manually rolled back to a passphrase with zfs-tpm1x-clear-key dataset (or, if that fails to work, zfs change-key -o keyformat=passphrase dataset), and you are hereby asked to report a bug, please.

zfs-tpm1x-clear-key dataset can be used to clear the properties and go back to using a passphrase.

OPTIONS

-b backup-file: Save a back-up of the key to backup-file, which must not exist beforehand. This back-up must be stored securely, off-site. In case of a catastrophic event, the key can be loaded by running
zfs load-key dataset < backup-file
-P PCR[,PCR]…: Bind the key to space- or comma-separated PCRs — if they change, the wrapping key will not be able to be unsealed. The minimum number of PCRs for a PC TPM is 24 (numbered [0, 23]). For most, this is also the maximum.

ENVIRONMENT VARIABLES

TZPFMS_PASSPHRASE_HELPER

By default, passphrases are prompted for and read in on the standard output and input streams. If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run via /bin/sh -c to provide each passphrase, instead.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The arguments are:

$1: Pre-formatted noun phrase with all the information below, for use as a prompt
$2: Either the dataset name or the element of the TPM hierarchy being prompted for
$3: "new" if this is for a new passphrase, otherwise blank
$4: "again" if it's the second prompt for that passphrase, otherwise blank

If the helper doesn't exist (the shell exits with 127), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

TPM1.X back-end configuration

TPM selection

The tzpfms suite connects to a local tcsd(8) process (at localhost:30003) by default. Use the environment variable TZPFMS_TPM1X to specify a remote TCS hostname.

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.