diff --git a/src/zlevis-decrypt b/src/zlevis-decrypt
index 1d6ee03..17672bc 100755
--- a/src/zlevis-decrypt
+++ b/src/zlevis-decrypt
@@ -18,11 +18,10 @@ fi
 # Display usage information if input is from a terminal
 if [ -t 0 ]; then
 exec >&2
+ echo "$summary"
 echo
 echo "Usage: \"zlevis-decrypt < file.jwe\""
 echo "Usage ZFS: \"zfs list -Ho tpm:jwe | zlevis-decrypt\""
- echo
- echo "$summary"
 exit 2
 fi
@@ -55,9 +54,10 @@ trap 'on_exit' EXIT
 # Read the JWE protected header
 read -r -d . hdr
+echo "$hdr" > "$tmp"/hdr
 # Decode the JWE protected header
-if ! jhd="$(jose b64 dec -i- < <(echo "$hdr"))"; then
+if ! jhd="$(jose b64 dec -i- < "$tmp"/hdr)"; then
 echo "Error decoding JWE protected header" >&2
 exit 1
 fi
diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index a171674..1e3b049 100755
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@@ -21,12 +21,6 @@ fi
 # Display usage information if input is from a terminal
 if [ -t 0 ]; then
 exec >&2
- echo
- echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\""
- echo
- echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) \""
- echo
- echo
 echo "$summary"
 echo
 echo "This command uses the following configuration properties:"
@@ -35,6 +29,9 @@ if [ -t 0 ]; then
 echo " pcr_bank: -> PCR algorithm bank to use for policy (default: first supported by TPM)."
 echo " pcr_ids: -> PCR list used for policy. If not present, no policy is used."
 echo " pcr_digest: -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up."
+ echo
+ echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\""
+ echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) \""
 exit 2
 fi
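Review bot: The new `echo "$hdr" > "$tmp"/hdr` in the second zlevis-decrypt hunk neither guards `tmp` nor checks that the write succeeded, so an empty `tmp` (its mktemp setup is outside this hunk) would redirect to `/hdr`, and a failed write only surfaces two lines later as the misleading "Error decoding JWE protected header". I would write `printf '%s\n' "$hdr" > "${tmp:?}/hdr" || exit 1` so a missing or unwritable temp directory fails at the line that caused it. The protected header is the public part of the JWE, so staging it in the temp directory adds nothing sensitive; the usage-text reordering in the other hunks needs no change.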
@@ -233,8 +230,8 @@ fi
 jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
 jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
-# Clean up the temporary directory at the end of the script
-[ -d "${tmp}" ] && rm -rf "${tmp}"
-
 # Output the final JWE
-exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
\ No newline at end of file
+(echo "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c
+
+# Exit with the status of the last command
+exit $?
\ No newline at end of file
diff --git a/src/zlevis-fetch b/src/zlevis-fetch
index fa8e2b6..4faffb2 100755
--- a/src/zlevis-fetch
+++ b/src/zlevis-fetch
@@ -17,7 +17,7 @@ zfs list -Ho name,encryption,keystatus,encryptionroot,tpm:jwe | while IFS=$'\t'
 if echo -n "$jwe" | zlevis-decrypt | zfs load-key -L prompt "$ds"; then
 echo "Unlocked $ds"
 else
- echo "FAILED TO UNLOCK $ds" >&2
+ echo "Failed to unlock $ds" >&2
 exit 1
 fi
 fi
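Review bot: Removing `[ -d "${tmp}" ] && rm -rf "${tmp}"` from zlevis-encrypt leaves the temporary directory behind after every run unless an EXIT trap elsewhere in this file now removes it (zlevis-decrypt has `trap 'on_exit' EXIT`, but none is visible for zlevis-encrypt in this diff), and since the surrounding lines handle `jwk_priv`, whatever is staged under `tmp` should not outlive the script. With `exec` gone the cleanup can simply follow the pipeline: `rc=$?` / `[ -d "${tmp}" ] && rm -rf -- "${tmp}"` / `exit "$rc"`. Two smaller points on the same lines: dropping `-n` from `echo "$jwe$jwk"` puts a newline between the JWK and the key bytes from `/bin/cat`, and whether jose discards it or encrypts it as part of the plaintext cannot be told from here, so verify that decrypting the result yields the exact input key; and `exit $?` reports only jose's status unless `set -o pipefail` is in effect, so a failure inside the `(echo …; /bin/cat)` subshell is silently masked.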