One of the cornerstones of the development of zlevis is simplicity. The zlevis package only contains four commands: two for usage with a ZFS root pool and two for usage without a ZFS root pool.
Usage with ZFS root pool
When considering the decryption of a ZFS root pool with zlevis we have two commands. The first is run to write the encryption key to the TPM. Often this encryption key is created in the provisioning phase of the installation of a system, typically while still in the live ISO environment. It is general practice to write the randomly generated key to /tmp/rpool.key on the live ISO. After creation of the pool we can write the encryption key to the TPM with:
# zlevis encrypt rpool '{"property":"value"}' < /tmp/rpool.key
Under "property" we can set hash, key, pcr_bank, pcr_ids and pcr_digest. See the configuration properties section for all the options.
This command writes a JWE (JSON Web Encryption) token to the tpm:jwe property of the root dataset of the root pool, creating the property if it does not yet exist. This JWE token can be interpreted as the public key to the key stored in the TPM. You can obtain the JWE by running:
# zfs get tpm:jwe rpool/root/<distro>
Once the system is installed and configured, the encryption key of the root pool can be obtained by running:
# zlevis decrypt rpool
This command will fetch the JWE from tpm:jwe
...
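The encrypt/decrypt round trip above hinges on two things a practitioner wants to check before provisioning: that the property JSON handed to `zlevis encrypt` only uses documented properties (the page's own example silently misspells "property"), and that what `zfs get tpm:jwe` returns is a well-formed JWE before it is fed to `zlevis decrypt`. The following is an added example, not zlevis's own code; it assumes the property JSON is a flat object with the names and defaults from the configuration table, that pcr_bank, pcr_ids and pcr_digest are passed through as given, and that the stored JWE uses the compact (five-segment) serialisation.

```python
import base64
import json
import shlex

# Documented properties from the configuration table; pcr_* values are assumed
# to be passed through unvalidated since the table on this page does not list them.
ALLOWED_VALUES = {"hash": {"SHA256", "SHA512"}, "key": {"ECC"}}
PASSTHROUGH = {"pcr_bank", "pcr_ids", "pcr_digest"}
DEFAULTS = {"hash": "SHA256", "key": "ECC"}


def build_properties(overrides):
    """Return the property dict for `zlevis encrypt` with defaults applied.
    Rejects unknown names (e.g. the typo "propery") and undocumented values."""
    props = dict(DEFAULTS)
    for name, value in overrides.items():
        if name in ALLOWED_VALUES:
            if value not in ALLOWED_VALUES[name]:
                raise ValueError(f"{name}: unsupported value {value!r}")
        elif name not in PASSTHROUGH:
            raise ValueError(f"unknown property {name!r}")
        props[name] = value
    return props


def encrypt_command(pool, overrides, keyfile="/tmp/rpool.key"):
    """Render the `zlevis encrypt` line from the page with validated JSON."""
    cfg = json.dumps(build_properties(overrides), separators=(",", ":"))
    return (f"zlevis encrypt {shlex.quote(pool)} {shlex.quote(cfg)} "
            f"< {shlex.quote(keyfile)}")


def jwe_protected_header(token):
    """Parse the protected header of a compact-serialised JWE (assumed format
    of the tpm:jwe value); returns None unless it has five segments and a
    JSON object header, so a mangled property is caught before decrypt."""
    parts = token.strip().split(".")
    if len(parts) != 5:
        return None
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return header if isinstance(header, dict) else None


# Constructed sample: a generic JWE header plus placeholder segments, standing in
# for the output of `zfs get -H -o value tpm:jwe rpool/root/<distro>`.
SAMPLE_JWE = (base64.urlsafe_b64encode(b'{"alg":"dir","enc":"A256GCM"}')
              .rstrip(b"=").decode() + "..cGxhY2Vob2xkZXI.Y2lwaGVydGV4dA.dGFn")
```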
Usage without ZFS root pool
Configuration properties
Table of configuration properties.
Property | Possible values | Explanation
---|---|---
Hash | SHA256 (Default), SHA512 | Hash algorithm used in the computation of the object name.
Key | ECC (default), | Algorithm type for the generated key.