NAME

zfs-tpm2-load-key — load TPM2-encrypted ZFS dataset key

SYNOPSIS

DESCRIPTION

After verifying dataset was encrypted with tzpfms backend TPM2, unseals the key and loads it into dataset.

The user is prompted for the additional passphrase, set when creating the key, if one was set.

See zfs-tpm2-change-key(8) for a detailed description.

OPTIONS

-n

Do a no-op/dry run, can be used even if the key is already loaded. Equivalent to zfs load-key's -n option.

ENVIRONMENT VARIABLES

TZPFMS_PASSPHRASE_HELPER

By default, passphrases are prompted for and read in on the standard output and input streams. If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run via /bin/sh -c to provide each passphrase, instead.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The arguments are:

$1

Pre-formatted noun phrase with all the information below, for use as a prompt

$2

Either the dataset name or the element of the TPM hierarchy being prompted for

$3

"new" if this is for a new passphrase, otherwise blank

$4

"again" if it's the second prompt for that passphrase, otherwise blank

If the helper doesn't exist (the shell exits with 127), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

TPM1.X back-end configuration

SPECIAL THANKS

To all who support further development, in particular:

• ThePhD
• Embark Studios
• Jasper Bekkers

REPORTING BUGS

https://todo.sr.ht/~nabijaczleweli/tzpfms

~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.