third-party-mirrors/tzpfms
1
0
Fork 0
mirror of https://git.sr.ht/~nabijaczleweli/tzpfms synced 2025-05-07 10:41:01 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity
tzpfms/zfs-fido2-add-backup.8.html
наб autouploader fc6c86b6a7 Manpage update by job 1160990
2024-03-03 13:12:03 +00:00

154 lines
7.4 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<!-- This is an automatically generated file. Do not edit.
SPDX-License-Identifier: MIT
-->
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
<title>ZFS-FIDO2-ADD-BACKUP(8)</title>
</head>
<body>
<table class="head">
<tr>
<td class="head-ltitle">ZFS-FIDO2-ADD-BACKUP(8)</td>
<td class="head-vol">System Manager's Manual</td>
<td class="head-rtitle">ZFS-FIDO2-ADD-BACKUP(8)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">zfs-fido2-add-backup</code> &#x2014;
<span class="Nd">allow another FIDO2 device to unlock ZFS dataset</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<table class="Nm">
<tr>
<td><code class="Nm">zfs-fido2-add-backup</code></td>
<td><var class="Ar">dataset</var></td>
</tr>
</table>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">After
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>
derives the key for a dataset from a FIDO2 device,
<code class="Nm">zfs-fido2-add-backup</code> may be executed to extend this
to any number of additional devices.</p>
<p class="Pp">First, the wrapping key is extracted as normally during
<a class="Xr" href="zfs-fido2-load-key.8.html">zfs-fido2-load-key(8)</a>,
then a credential is made as-if during
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>
(except the &quot;primary&quot; device and all the ones holding backups are
excluded from the search); however, the
&#x2018;<code class="Li">hmac-secret</code>&#x2019; is instead used as a
symmetric AES-256-GCM
(<a class="Xr" href="https://manpages.debian.org/bookworm/EVP_CIPHER-AES.7ssl">EVP_CIPHER-AES(7ssl)</a>)
key to encrypt the wrapping key directly with a random IV.</p>
<p class="Pp">This turns the
<code class="Li">xyz.nabijaczleweli:tzpfms.key</code> variable into
<br/>
<var class="Ar">salt</var><code class="Cm">:</code><var class="Ar">credential-ID</var><code class="Cm">:</code><var class="Ar">credential-public-key</var>[<code class="Cm">.</code><var class="Ar">backup-salt</var><code class="Cm">:</code><var class="Ar">backup-credential-ID</var><code class="Cm">:</code><var class="Ar">backup-credential-public-key</var><code class="Cm">:</code><var class="Ar">IV</var><code class="Cm">:</code><var class="Ar">encrypted-key</var>]&#x2026;</p>
<p class="Pp"><code class="Li">tzpfms.key</code> is actually a dot-separated
list of device bundles. The first one is as-described in
<a class="Xr" href="zfs-fido2-change-key.8.html">zfs-fido2-change-key(8)</a>.
Subsequent ones also include (identically-encoded) IVs and encrypted
blobs.</p>
<p class="Pp"><a class="Xr" href="zfs-fido2-load-key.8.html">zfs-fido2-load-key(8)</a>
shops assertions around devices in a device-major order &#x2014; depending
on device numbering, a backup may be loaded even if the primary device is
present.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="ENVIRONMENT_VARIABLES"><a class="permalink" href="#ENVIRONMENT_VARIABLES">ENVIRONMENT
VARIABLES</a></h1>
<dl class="Bl-tag Bl-compact">
<dt id="TZPFMS_PASSPHRASE_HELPER"><a class="permalink" href="#TZPFMS_PASSPHRASE_HELPER"><code class="Ev">TZPFMS_PASSPHRASE_HELPER</code></a></dt>
<dd>By default, passphrases are prompted for and read in on the standard
output and input streams. If
<code class="Ev">TZPFMS_PASSPHRASE_HELPER</code> is set and nonempty, it
will be run via <span class="Pa">/bin/</span><code class="Nm">sh</code>
<code class="Fl">-c</code> to provide each passphrase, instead.
<p class="Pp">The standard output stream of the helper is tied to an
anonymous file and used in its entirety as the passphrase, except for a
trailing new-line, if any. The arguments are:</p>
<div class="Bd-indent">
<dl class="Bl-tag Bl-compact">
<dt id="$1"><a class="permalink" href="#$1"><code class="Li">$1</code></a></dt>
<dd>Pre-formatted noun phrase with all the information below, for use as a
prompt</dd>
<dt id="$2"><a class="permalink" href="#$2"><code class="Li">$2</code></a></dt>
<dd>Either the dataset name or the element of the TPM hierarchy being
prompted for</dd>
<dt id="$3"><a class="permalink" href="#$3"><code class="Li">$3</code></a></dt>
<dd>&quot;new&quot; if this is for a new passphrase, otherwise blank</dd>
<dt id="$4"><a class="permalink" href="#$4"><code class="Li">$4</code></a></dt>
<dd>&quot;again&quot; if it's the second prompt for that passphrase,
otherwise blank</dd>
</dl>
</div>
<p class="Pp" id="127">If the helper doesn't exist (the shell exits with
<a class="permalink" href="#127"><b class="Sy">127</b></a>), a
diagnostic is issued and the normal prompt is used as fall-back. If it
fails for any other reason, the prompting is aborted.</p>
</dd>
</dl>
</section>
<section class="Sh">
<h1 class="Sh" id="FIDO2_back-end_configuration"><a class="permalink" href="#FIDO2_back-end_configuration">FIDO2
back-end configuration</a></h1>
<section class="Ss">
<h2 class="Ss" id="Environment_variables"><a class="permalink" href="#Environment_variables">Environment
variables</a></h2>
<dl class="Bl-tag Bl-compact">
<dt id="FIDO_DEBUG"><a class="permalink" href="#FIDO_DEBUG"><code class="Ev">FIDO_DEBUG</code></a></dt>
<dd>If set, enables libfido2 debug logging to the standard error stream.</dd>
</dl>
</section>
<section class="Ss">
<h2 class="Ss" id="Device_selection"><a class="permalink" href="#Device_selection">Device
selection</a></h2>
<p class="Pp">When creating, the first device which supports the
&#x2018;<code class="Li">hmac-secret</code>&#x2019; extension is used. When
loading, the assertion is shopped around to every such device.</p>
</section>
<section class="Ss">
<h2 class="Ss" id="See_also"><a class="permalink" href="#See_also">See
also</a></h2>
<p class="Pp">The libfido2 documentation at
<a class="Lk" href="https://developers.yubico.com/libfido2/">https://developers.yubico.com/libfido2/</a>.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SPECIAL_THANKS"><a class="permalink" href="#SPECIAL_THANKS">SPECIAL
THANKS</a></h1>
<p class="Pp">To all who support further development, in particular:</p>
<ul class="Bl-bullet Bd-indent Bl-compact">
<li>ThePhD</li>
<li>Embark Studios</li>
<li>Jasper Bekkers</li>
<li>EvModder</li>
</ul>
</section>
<section class="Sh">
<h1 class="Sh" id="REPORTING_BUGS"><a class="permalink" href="#REPORTING_BUGS">REPORTING
BUGS</a></h1>
<p class="Pp"><a class="Lk" href="https://todo.sr.ht/~nabijaczleweli/fzifdso">https://todo.sr.ht/~nabijaczleweli/fzifdso</a></p>
<p class="Pp"><a class="Mt" href="mailto:~nabijaczleweli/tzpfms@lists.sr.ht">~nabijaczleweli/tzpfms@lists.sr.ht</a>,
archived at
<a class="Lk" href="https://lists.sr.ht/~nabijaczleweli/tzpfms">https://lists.sr.ht/~nabijaczleweli/tzpfms</a>.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">February 29, 2024</td>
<td class="foot-os">fzifdso 0</td>
</tr>
</table>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink