heads/initrd/bin/unseal-key

35 lines
641 B
Plaintext
Raw Normal View History

#!/bin/sh
# This will unseal and unecncrypt the drive encryption key from the TPM
# It will then need to be bundled into initrd that is booted with Qubes.
TPM_INDEX=3
TPM_SIZE=312
die() { echo >&2 "$@"; exit 1; }
warn() { echo >&2 "$@"; }
key_file="$1"
if [ -z "$key_file" ]; then
key_file=/tmp/secret.key
fi
read -s -p "Encryption password: " tpm_password
echo
nv_readvalue \
-in "$TPM_INDEX" \
-sz "$TPM_SIZE" \
-of /tmp/sealed \
|| die "Unable to read key from TPM NVRAM"
unsealfile \
-if /tmp/sealed \
-of "$key_file" \
-pwdd "$tpm_password" \
-hk 40000000 \
|| die "Unable to unseal disk encryption key"
rm /tmp/sealed