Luc
03f5c95b33 Updated markup of scripts. 2024-12-14 12:41:38 +01:00
Luc
7ab23985e1 Removed direct substitution in encrypt and decrypt scripts. 2024-12-14 12:32:34 +01:00
3 changed files with 11 additions and 14 deletions


@ -18,11 +18,10 @@ fi
# Display usage information if input is from a terminal # Display usage information if input is from a terminal
if [ -t 0 ]; then if [ -t 0 ]; then
exec >&2 exec >&2
echo "$summary"
echo echo
echo "Usage: \"zlevis-decrypt < file.jwe\"" echo "Usage: \"zlevis-decrypt < file.jwe\""
echo "Usage ZFS: \"zfs list -Ho tpm:jwe <pool> | zlevis-decrypt\"" echo "Usage ZFS: \"zfs list -Ho tpm:jwe <pool> | zlevis-decrypt\""
echo
echo "$summary"
exit 2 exit 2
fi fi
@ -55,9 +54,10 @@ trap 'on_exit' EXIT
# Read the JWE protected header # Read the JWE protected header
read -r -d . hdr read -r -d . hdr
echo "$hdr" > "$tmp"/hdr
# Decode the JWE protected header # Decode the JWE protected header
if ! jhd="$(jose b64 dec -i- < <(echo "$hdr"))"; then if ! jhd="$(jose b64 dec -i- < "$tmp"/hdr)"; then
echo "Error decoding JWE protected header" >&2 echo "Error decoding JWE protected header" >&2
exit 1 exit 1
fi fi
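Review bot: The status of `read -r -d . hdr` is still unchecked, so when stdin contains no `.` at all (empty or truncated input rather than a compact JWE) `hdr` holds whatever was read and the script carries on into `jose b64 dec` with it; the only diagnostic is the generic decoding error, and if `set -e` is active further up the script the read failure becomes a silent exit instead. A guard such as `read -r -d . hdr || { echo "Error reading JWE protected header" >&2; exit 1; }` reports the malformed input at the point it is detected. Separately, `echo "$hdr" > "$tmp"/hdr` writes a trailing newline into the file; the old process substitution produced the same newline so this is not a regression, but `printf '%s' "$hdr" > "$tmp"/hdr` would hand jose exactly the header bytes. The rest of the script, including where `$tmp` is created and the `on_exit` trap named in the hunk header, is outside this hunk.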


@ -21,12 +21,6 @@ fi
# Display usage information if input is from a terminal # Display usage information if input is from a terminal
if [ -t 0 ]; then if [ -t 0 ]; then
exec >&2 exec >&2
echo
echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\""
echo
echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) <pool>\""
echo
echo
echo "$summary" echo "$summary"
echo echo
echo "This command uses the following configuration properties:" echo "This command uses the following configuration properties:"
@ -35,6 +29,9 @@ if [ -t 0 ]; then
echo " pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)." echo " pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)."
echo " pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used." echo " pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used."
echo " pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." echo " pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up."
echo
echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\""
echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) <pool>\""
exit 2 exit 2
fi fi
@ -233,8 +230,8 @@ fi
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
# Clean up the temporary directory at the end of the script
[ -d "${tmp}" ] && rm -rf "${tmp}"
# Output the final JWE # Output the final JWE
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) (echo "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c
# Exit with the status of the last command
exit $?
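Review bot: Dropping `-n` from `echo` in the final pipeline changes what gets encrypted: the old `echo -n "$jwe$jwk"` placed the JWE template and JWK on stdin with the key bytes from `/bin/cat` following immediately, whereas plain `echo` now puts a newline between the JWK's closing brace and the key material. If jose consumes only the two JSON objects for `-i-` and `-k-` and treats the remainder of stdin as the `-I-` plaintext, which is what the previous form relied on, that newline becomes the first byte of the sealed key and a raw key would no longer round-trip through `zfs load-key` after decryption. Restoring `-n`, or better `{ printf '%s' "$jwe$jwk"; /bin/cat; } | jose jwe enc -i- -k- -I- -c`, keeps the plaintext byte-exact and avoids echo's option handling. Removing the explicit `rm -rf "${tmp}"` above is only safe if an EXIT trap now cleans `$tmp` — the old code cleaned up by hand because `exec` would have bypassed such a trap — and that trap is outside this hunk; the trailing `exit $?` is also redundant, since a bare `exit` already carries the pipeline's status.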


@ -17,7 +17,7 @@ zfs list -Ho name,encryption,keystatus,encryptionroot,tpm:jwe | while IFS=$'\t'
if echo -n "$jwe" | zlevis-decrypt | zfs load-key -L prompt "$ds"; then if echo -n "$jwe" | zlevis-decrypt | zfs load-key -L prompt "$ds"; then
echo "Unlocked $ds" echo "Unlocked $ds"
else else
echo "FAILED TO UNLOCK $ds" >&2 echo "Failed to unlock $ds" >&2
exit 1 exit 1
fi fi
fi fi