NAME

zfs-tpm2-clear-key - rewrap ZFS dataset key in password and clear tzpfms TPM2 metadata

SYNOPSIS

zfs-tpm2-clear-key dataset

DESCRIPTION

zfs-tpm2-clear-key(8), after verifying that dataset was encrypted with tzpfms backend TPM2, will:

  1. perform the equivalent of zfs(8) change-key -o keylocation=prompt -o keyformat=passphrase dataset,
  2. free the sealed key previously used to encrypt dataset,
  3. remove the xyz.nabijaczleweli:tzpfms.{backend,key} properties from dataset.

See zfs-tpm2-change-key(8) for a detailed description.
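
Added example (not part of tzpfms): a POSIX shell check that a dataset has reached the end state listed above, so stale TPM2 metadata or an unexpected key location is caught after the run. The function names and sample lines are constructed for illustration, and it assumes zfs(8) get reports an unset user property with the value "-".

```sh
#!/bin/sh
# check_cleared: read tab-separated "property<TAB>value" lines on stdin and
# succeed only if the key is passphrase-wrapped and no tzpfms metadata remains.
check_cleared() {
	awk -F '\t' '
		function bad(msg) { print "FAIL: " msg > "/dev/stderr"; rc = 1 }
		$1 == "keyformat"   { seen++; if ($2 != "passphrase") bad("keyformat=" $2) }
		$1 == "keylocation" { seen++; if ($2 != "prompt") bad("keylocation=" $2) }
		$1 ~ /^xyz\.nabijaczleweli:tzpfms\.(backend|key)$/ {
			# Report the property name only, never its value.
			seen++; if ($2 != "-") bad($1 " is still set")
		}
		END {
			# A missing or duplicated line means the check did not see the full state.
			if (seen != 4) bad("expected 4 properties, saw " (seen + 0))
			exit rc + 0
		}
	'
}

# verify_dataset DATASET: query the live properties and run the check.
# Call it as `verify_dataset pool/dataset` after zfs-tpm2-clear-key has run.
verify_dataset() {
	zfs get -H -o property,value \
		keyformat,keylocation,xyz.nabijaczleweli:tzpfms.backend,xyz.nabijaczleweli:tzpfms.key \
		"$1" | check_cleared
}

# Constructed sample: the state expected after a successful clear.
sample_cleared() {
	printf 'keyformat\tpassphrase\n'
	printf 'keylocation\tprompt\n'
	printf 'xyz.nabijaczleweli:tzpfms.backend\t-\n'
	printf 'xyz.nabijaczleweli:tzpfms.key\t-\n'
}

# Constructed sample: tzpfms properties left behind (values are placeholders).
sample_stale() {
	printf 'keyformat\tpassphrase\n'
	printf 'keylocation\tprompt\n'
	printf 'xyz.nabijaczleweli:tzpfms.backend\tTPM2\n'
	printf 'xyz.nabijaczleweli:tzpfms.key\tCONSTRUCTED-PLACEHOLDER\n'
}
```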

TPM2 back-end configuration

Environment variables

TSS2_LOG=
Any of: NONE, ERROR, WARNING, INFO, DEBUG, TRACE. Default: WARNING.

TPM selection

The library libtss2-tcti-default.so can be linked to any of the libtss2-tcti-*.so libraries to select the default. Otherwise, /dev/tpmrm0, then /dev/tpm0, then localhost:2321 will be tried, in order (see ESYS_CONTEXT(3)).

See also

The tpm2-tss git repository at https://github.com/tpm2-software/tpm2-tss and the documentation at https://tpm2-tss.readthedocs.io.

The TPM 2.0 specifications, mainly at <https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf> and related pages.

AUTHOR

Written by наб <nabijaczleweli@nabijaczleweli.xyz>

SPECIAL THANKS

To all who support further development, in particular:

REPORTING BUGS

<https://todo.sr.ht/~nabijaczleweli/tzpfms>

<~nabijaczleweli/tzpfms@lists.sr.ht>, archived at <https://lists.sr.ht/~nabijaczleweli/tzpfms>

SEE ALSO

<https://git.sr.ht/~nabijaczleweli/tzpfms>