			94105c2c49
			...
			03f5c95b33
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 03f5c95b33 | |||
| 7ab23985e1 | 
					 3 changed files with 11 additions and 14 deletions
				
			
		|  | @ -18,11 +18,10 @@ fi | ||||||
| # Display usage information if input is from a terminal | # Display usage information if input is from a terminal | ||||||
| if [ -t 0 ]; then | if [ -t 0 ]; then | ||||||
|     exec >&2 |     exec >&2 | ||||||
|  |     echo "$summary" | ||||||
|     echo |     echo | ||||||
|     echo "Usage: \"zlevis-decrypt < file.jwe\"" |     echo "Usage: \"zlevis-decrypt < file.jwe\"" | ||||||
|     echo "Usage ZFS: \"zfs list -Ho tpm:jwe <pool> | zlevis-decrypt\"" |     echo "Usage ZFS: \"zfs list -Ho tpm:jwe <pool> | zlevis-decrypt\"" | ||||||
|     echo |  | ||||||
|     echo "$summary" |  | ||||||
|     exit 2 |     exit 2 | ||||||
| fi | fi | ||||||
| 
 | 
 | ||||||
|  | @ -55,9 +54,10 @@ trap 'on_exit' EXIT | ||||||
| 
 | 
 | ||||||
| # Read the JWE protected header | # Read the JWE protected header | ||||||
| read -r -d . hdr | read -r -d . hdr | ||||||
|  | echo "$hdr" > "$tmp"/hdr | ||||||
| 
 | 
 | ||||||
| # Decode the JWE protected header | # Decode the JWE protected header | ||||||
| if ! jhd="$(jose b64 dec -i- < <(echo "$hdr"))"; then | if ! jhd="$(jose b64 dec -i- < "$tmp"/hdr)"; then | ||||||
|     echo "Error decoding JWE protected header" >&2 |     echo "Error decoding JWE protected header" >&2 | ||||||
|     exit 1 |     exit 1 | ||||||
| fi | fi | ||||||
|  |  | ||||||
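Review bot: The status of `read -r -d . hdr` is still unchecked, so stdin with no `.` in it (empty input, or something that is not a compact JWE) leaves `hdr` empty or partial and the script carries on to decode it; `jose b64 dec` on an empty file will most likely succeed and the failure only surfaces later with a less specific message. A guard such as `if ! read -r -d . hdr || [ -z "$hdr" ]; then echo "Error reading JWE protected header" >&2; exit 1; fi` fails fast with a clear error. The new `echo "$hdr" > "$tmp"/hdr` is fine for base64url data, though `printf '%s\n' "$hdr"` would avoid echo's option handling for free. The protected header is not the ciphertext, so staging it under `$tmp` is not a secret leak as far as this hunk shows, but whether `$tmp` is a 0700 `mktemp -d` directory is decided above the hunk and cannot be confirmed here.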
|  | @ -21,12 +21,6 @@ fi | ||||||
| # Display usage information if input is from a terminal | # Display usage information if input is from a terminal | ||||||
| if [ -t 0 ]; then | if [ -t 0 ]; then | ||||||
|     exec >&2 |     exec >&2 | ||||||
|     echo |  | ||||||
|     echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\"" |  | ||||||
|     echo |  | ||||||
|     echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) <pool>\"" |  | ||||||
|     echo |  | ||||||
|     echo |  | ||||||
|     echo "$summary" |     echo "$summary" | ||||||
|     echo |     echo | ||||||
|     echo "This command uses the following configuration properties:" |     echo "This command uses the following configuration properties:" | ||||||
|  | @ -35,6 +29,9 @@ if [ -t 0 ]; then | ||||||
|     echo "  pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)." |     echo "  pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)." | ||||||
|     echo "  pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used." |     echo "  pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used." | ||||||
|     echo "  pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." |     echo "  pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." | ||||||
|  |     echo | ||||||
|  |     echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\"" | ||||||
|  |     echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) <pool>\"" | ||||||
|     exit 2 |     exit 2 | ||||||
| fi | fi | ||||||
| 
 | 
 | ||||||
|  | @ -233,8 +230,8 @@ fi | ||||||
| jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" | jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" | ||||||
| jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" | jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" | ||||||
| 
 | 
 | ||||||
| # Clean up the temporary directory at the end of the script |  | ||||||
| [ -d "${tmp}" ] && rm -rf "${tmp}" |  | ||||||
| 
 |  | ||||||
| # Output the final JWE | # Output the final JWE | ||||||
| exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) | (echo "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c | ||||||
|  | 
 | ||||||
|  | # Exit with the status of the last command | ||||||
|  | exit $? | ||||||
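Review bot: Dropping `-n` from the `echo` in the new pipeline puts a newline between `$jwk` and the plaintext that `jose jwe enc -I-` reads from the same stdin; unless jose skips that whitespace after the JSON objects, the newline is encrypted as the first byte of the key and `zfs load-key` will later reject the result, so `(printf '%s' "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c` keeps the old framing and also avoids echo's option handling. The explicit `rm -rf "${tmp}"` was removed together with `exec`; that is only safe if this script installs an EXIT trap like the `trap 'on_exit' EXIT` visible in the decrypt hunk, because `exec` would have skipped such a trap (presumably why the manual cleanup existed) and without one `$tmp` is now left behind with whatever the TPM steps wrote there. `exit $?` after a pipeline reports only the status of `jose jwe enc` unless `set -o pipefail` is in effect earlier in the file, which is outside this hunk.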
|  | @ -17,7 +17,7 @@ zfs list -Ho name,encryption,keystatus,encryptionroot,tpm:jwe | while IFS=$'\t' | ||||||
|             if echo -n "$jwe" | zlevis-decrypt | zfs load-key -L prompt "$ds"; then |             if echo -n "$jwe" | zlevis-decrypt | zfs load-key -L prompt "$ds"; then | ||||||
|                 echo "Unlocked $ds" |                 echo "Unlocked $ds" | ||||||
|             else |             else | ||||||
|                 echo "FAILED TO UNLOCK $ds" >&2 |                 echo "Failed to unlock $ds" >&2 | ||||||
| 				exit 1 | 				exit 1 | ||||||
|             fi |             fi | ||||||
|         fi |         fi | ||||||
|  |  | ||||||