ZFS-TPM2-LOAD-KEY(8) System Manager's Manual ZFS-TPM2-LOAD-KEY(8)

zfs-tpm2-load-key - load TPM2-encrypted ZFS dataset key

zfs-tpm2-load-key [-n] dataset

After verifying dataset was encrypted with tzpfms backend, unseals the key and loads it into dataset.

The user is prompted for the additional passphrase, set when creating the key, if one was set.

See zfs-tpm2-change-key(8) for a detailed description.

-n  Do a no-op/dry run; can be used even if the key is already loaded. Equivalent to zfs load-key's -n option.

If TZPFMS_PASSPHRASE_HELPER is set and nonempty, it will be run as
/bin/sh -c "$TZPFMS_PASSPHRASE_HELPER" "$TZPFMS_PASSPHRASE_HELPER" "prepared prompt" "target" "[new]" "[again]"
to provide a passphrase, instead of reading from the standard input.

The standard output stream of the helper is tied to an anonymous file and used in its entirety as the passphrase, except for a trailing new-line, if any. The second argument contains either the dataset name or the element of the TPM hierarchy. The third argument is new if this is for a new passphrase, and the fourth is again if it's the second prompt for that passphrase. The first argument already contains all of this information, as a pre-formatted noun phrase.

If the helper doesn't exist (the shell exits with ), a diagnostic is issued and the normal prompt is used as fall-back. If it fails for any other reason, the prompting is aborted.

An example value would be: 'systemd-ask-password --id="tzpfms:$2" "$1: "'.
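
A harness for trying a TZPFMS_PASSPHRASE_HELPER value before relying on it, as an added example that is not part of tzpfms: it repeats the invocation shown above and reports which of the three described outcomes results, printing only the passphrase length. The name try_helper, the sample helper, and treating exit status 127 (the POSIX shell's command-not-found status) as "helper doesn't exist" are assumptions.

```shell
#!/bin/sh
# Added example, not part of tzpfms: run a candidate helper the way the manual
# describes and report the outcome without echoing the passphrase.

# try_helper HELPER PROMPT TARGET [new] [again]
# Prints "ok:<length>", "fallback" or "abort"; returns 0, 1 or 2.
try_helper() {
    helper=$1; shift
    rc=0
    # Same shape as the manual: $0 is the helper string, $1.. are the prompt,
    # the target and the optional "new"/"again" markers. The trailing "x"
    # keeps $(...) from eating every trailing new-line of the output.
    out=$(rc=0
          /bin/sh -c "$helper" "$helper" "$@" 2>/dev/null || rc=$?
          printf x; exit "$rc") || rc=$?
    if [ "$rc" -eq 127 ]; then      # assumption: POSIX "command not found"
        echo fallback; return 1
    elif [ "$rc" -ne 0 ]; then      # any other failure aborts the prompt
        echo abort; return 2
    fi
    out=${out%x}
    nl='
'
    out=${out%"$nl"}                # only one trailing new-line is dropped
    echo "ok:${#out}"
}

# Constructed sample helper: derives a dummy value from the target ($2).
try_helper 'printf "%s\n" "pw-for-$2"' 'Passphrase for tank/enc' tank/enc
```

A helper that cannot obtain a passphrase should exit non-zero so that it is reported as "abort" rather than "ok:0".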

The tzpfms suite connects to a local tcsd(8) process (at localhost:30003) by default. Use the environment variable TZPFMS_TPM1X to specify a remote TCS hostname.

The TrouSerS tcsd(8) daemon will try /dev/tpm0, then /udev/tpm0, then /dev/tpm; by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.

The TrouSerS project page at https://sourceforge.net/projects/trousers.

The TPM 1.2 main specification index at https://trustedcomputinggroup.org/resource/tpm-main-specification.

To all who support further development, in particular:

https://todo.sr.ht/~nabijaczleweli/tzpfms

~nabijaczleweli/tzpfms@lists.sr.ht, archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.

https://git.sr.ht/~nabijaczleweli/tzpfms

November 15, 2021 tzpfms 0.1-15