heads/initrd/bin/unseal-key

#!/bin/sh
# This will unseal and unecncrypt the drive encryption key from the TPM
# It will then need to be bundled into initrd that is booted with Qubes.

TPM_INDEX=3
TPM_SIZE=312

die() { echo >&2 "$@"; exit 1; }
warn() { echo >&2 "$@"; }

read -s -p "Encryption password: " tpm_password
echo

nv_readvalue \
	-in "$TPM_INDEX" \
	-sz "$TPM_SIZE" \
	-of /tmp/sealed \
|| die "Unable to read key from TPM NVRAM"

unsealfile \
	-if /tmp/sealed \
	-of /tmp/secret.key \
	-pwdd "$tpm_password" \
	-hk 40000000 \
|| die "Unable to unseal disk encryption key"

rm /tmp/sealed
wrappers to seal/unseal drive encryption keys from the TPM 2016-10-28 08:59:51 +00:00			`#!/bin/sh`
			`# This will unseal and unecncrypt the drive encryption key from the TPM`
			`# It will then need to be bundled into initrd that is booted with Qubes.`

			`TPM_INDEX=3`
			`TPM_SIZE=312`

			`die() { echo >&2 "$@"; exit 1; }`
			`warn() { echo >&2 "$@"; }`

			`read -s -p "Encryption password: " tpm_password`
			`echo`

			`nv_readvalue \`
			`-in "$TPM_INDEX" \`
			`-sz "$TPM_SIZE" \`
			`-of /tmp/sealed \`
			`\|\| die "Unable to read key from TPM NVRAM"`

			`unsealfile \`
			`-if /tmp/sealed \`
			`-of /tmp/secret.key \`
			`-pwdd "$tpm_password" \`
			`-hk 40000000 \`
			`\|\| die "Unable to unseal disk encryption key"`

			`rm /tmp/sealed`