third-party-mirrors/tzpfms
1
0
Fork 0
mirror of https://git.sr.ht/~nabijaczleweli/tzpfms synced 2025-05-13 11:06:32 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity
tzpfms/zfs-tpm1x-change-key.8.html_fragment
наб autouploader c93c10a41f Manpage update by job 329174
2020-10-27 14:41:32 +00:00

107 lines
6.4 KiB
Plaintext
Raw Blame History

<div class='mp'>
<h2 id="NAME">NAME</h2>
<p class="man-name">
<code>zfs-tpm1x-change-key</code> - <span class="man-whatis">change ZFS dataset key to one stored on the TPM</span>
</p>
<h2 id="SYNOPSIS">SYNOPSIS</h2>
<p><code>zfs-tpm1x-change-key</code> [-b file] <var>dataset</var></p>
<h2 id="DESCRIPTION">DESCRIPTION</h2>
<p>To normalise <code>dataset</code>, <span class="man-ref">zfs-tpm1x-change-key<span class="s">(8)</span></span> will open its encryption root in its stead.
<span class="man-ref">zfs-tpm1x-change-key<span class="s">(8)</span></span> will <em>never</em> create or destroy encryption roots; use <strong><a class="man-ref" href="https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html">zfs<span class="s">(8)</span></a> change-key</strong> for that.</p>
<p>First, a connection is made to the TPM, which <em>must</em> be TPM-1.X-compatible.</p>
<p>If <code>dataset</code> was previously encrypted with tzpfms and the <em>TPM1.X</em> back-end was used, the metadata will be silently cleared.
Otherwise, or in case of an error, data required for manual intervention will be printed to the standard error stream.</p>
<p>Next, a new wrapping key is be generated on the TPM, optionally backed up (see <a href="#OPTIONS" title="OPTIONS" data-bare-link="true">OPTIONS</a>),
and sealed on the TPM;
if the SRK passphrase, set when taking ownership, is not "well-known" (all zeroes), the user is prompted for it;
the user is always prompted for an optional passphrase to protect the key with.</p>
<p>The following properties are set on <code>dataset</code>:</p>
<ul>
<li>
<code>xyz.nabijaczleweli:tzpfms.backend</code>=<code>TPM1.X</code>
</li>
<li>
<code>xyz.nabijaczleweli:tzpfms.key</code>=<em>(parent key blob)</em><code>:</code><em>(sealed object blob)</em>
</li>
</ul>
<p><code>tzpfms.backend</code> identifies this dataset for work with <em>TPM1.X</em>-back-ended tzpfms tools
(namely <span class="man-ref">zfs-tpm1x-change-key<span class="s">(8)</span></span>, <span class="man-ref">zfs-tpm1x-load-key<span class="s">(8)</span></span>, and <span class="man-ref">zfs-tpm1x-clear-key<span class="s">(8)</span></span>).</p>
<p><code>tzpfms.key</code> is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs;
the first one represents the RSA key protecting the blob,
and it is protected with either the password, if provided, or the SHA1 constant <em>CE4CF677875B5EB8993591D5A9AF1ED24A3A8736</em>;
the second represents the sealed object containing the wrapping key,
and is protected with the SHA1 constant <em>B9EE715DBE4B243FAA81EA04306E063710383E35</em>.
There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)</p>
<p>Finally, the equivalent of <strong><a class="man-ref" href="https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html">zfs<span class="s">(8)</span></a> change-key -o keylocation=prompt -o keyformat=raw dataset</strong> is performed with the new key.
If an error occurred, best effort is made to clean up the properties,
or to issue a note for manual intervention into the standard error stream.</p>
<p>A final verification should be made by running <strong><span class="man-ref">zfs-tpm1x-load-key<span class="s">(8)</span></span> -n dataset</strong>.
If that command succeeds, all is well,
but otherwise the dataset can be manually rolled back to a password with <strong><span class="man-ref">zfs-tpm1x-clear-key<span class="s">(8)</span></span> dataset</strong> (or, if that fails to work, <strong><a class="man-ref" href="https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html">zfs<span class="s">(8)</span></a> change-key -o keyformat=passphrase dataset</strong>), and you are hereby asked to report a bug, please.</p>
<p><strong><span class="man-ref">zfs-tpm1x-clear-key<span class="s">(8)</span></span> dataset</strong> can be used to clear the properties and go back to using a password.</p>
<h2 id="OPTIONS">OPTIONS</h2>
<dl>
<dt>
<code>-b</code> <em>file</em>
</dt>
<dd>Save a back-up of the key to <em>file</em>, which must not exist beforehand.
This back-up <strong>must</strong> be stored securely, off-site.
In case of a catastrophic event, the key can be loaded by running <strong><a class="man-ref" href="https://manpages.debian.org/bullseye/zfsutils-linux/zfs.8.en.html">zfs<span class="s">(8)</span></a> load-key dataset &lt; backup-file</strong>.</dd>
</dl>
<h2 id="TPM1-X-back-end-configuration">TPM1.X back-end configuration</h2>
<h3 id="TPM-selection">TPM selection</h3>
<p>The tzpfms suite connects to a local <a class="man-ref" href="https://manpages.debian.org/bullseye/trousers/tcsd.8.en.html">tcsd<span class="s">(8)</span></a> process (at <code>localhost:30003</code>) by default.
Use the environment variable <code>TZPFMS_TPM1X</code> to specify a remote TCS hostname.</p>
<p>The TrouSerS <a class="man-ref" href="https://manpages.debian.org/bullseye/trousers/tcsd.8.en.html">tcsd<span class="s">(8)</span></a> daemon will try <code>/dev/tpm0</code>, then <code>/udev/tpm0</code>, then <code>/dev/tpm</code>;
by occupying one of the earlier ones with, for example, shell redirection, a later one can be selected.</p>
<h3 id="See-also">See also</h3>
<p>The TrouSerS project page at <a href="https://sourceforge.net/projects/trousers" data-bare-link="true">https://sourceforge.net/projects/trousers</a>.</p>
<p>The TPM 1.2 main specification index at &lt;<a href="https://trustedcomputinggroup.org/resource/tpm-main-specification" data-bare-link="true">https://trustedcomputinggroup.org/resource/tpm-main-specification</a>&gt;.</p>
<h2 id="AUTHOR">AUTHOR</h2>
<p>Written by наб &lt;<a href="mailto:nabijaczleweli@nabijaczleweli.xyz" data-bare-link="true">nabijaczleweli@nabijaczleweli.xyz</a>&gt;</p>
<h2 id="SPECIAL-THANKS">SPECIAL THANKS</h2>
<p>To all who support further development, in particular:</p>
<ul>
<li>ThePhD</li>
<li>Embark Studios</li>
</ul>
<h2 id="REPORTING-BUGS">REPORTING BUGS</h2>
<p>&lt;<a href="https://todo.sr.ht/~nabijaczleweli/tzpfms" data-bare-link="true">https://todo.sr.ht/~nabijaczleweli/tzpfms</a>&gt;</p>
<p>&lt;<a href="mailto:~nabijaczleweli/tzpfms@lists.sr.ht" data-bare-link="true">~nabijaczleweli/tzpfms@lists.sr.ht</a>&gt;, archived at &lt;<a href="https://lists.sr.ht/~nabijaczleweli/tzpfms" data-bare-link="true">https://lists.sr.ht/~nabijaczleweli/tzpfms</a>&gt;</p>
<h2 id="SEE-ALSO">SEE ALSO</h2>
<p>&lt;<a href="https://git.sr.ht/~nabijaczleweli/tzpfms" data-bare-link="true">https://git.sr.ht/~nabijaczleweli/tzpfms</a>&gt;</p>
</div>
Reference in New Issue View Git Blame Copy Permalink