#!/bin/sh
# This will unseal and unecncrypt the drive encryption key from the TPM
# It will then need to be bundled into initrd that is booted with Qubes.

TPM_INDEX=3
TPM_SIZE=312

die() { echo >&2 "$@"; exit 1; }
warn() { echo >&2 "$@"; }

key_file="$1"
if [ -z "$key_file" ]; then
	key_file=/tmp/secret.key
fi

read -s -p "Encryption password: " tpm_password
echo

nv_readvalue \
	-in "$TPM_INDEX" \
	-sz "$TPM_SIZE" \
	-of /tmp/sealed \
|| die "Unable to read key from TPM NVRAM"

unsealfile \
	-if /tmp/sealed \
	-of "$key_file" \
	-pwdd "$tpm_password" \
	-hk 40000000 \
|| die "Unable to unseal disk encryption key"

rm /tmp/sealed