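#!/bin/bash
# Unseal and decrypt the drive encryption key from the TPM.
#
# The user is prompted for the LUKS Disk Unlock Key passphrase on each
# attempt (up to three). On success the unsealed key is written to
# $key_file (default /tmp/secret/secret.key) so it can be bundled into the
# initrd that is booted with Qubes.
#
# Usage:   kexec-unseal-key [key_file]
# Globals: CONFIG_TPM, CONFIG_TPM2_TOOLS (only logged here via DEBUG)
# Exits:   0 once the key has been unsealed; non-zero (via die) when the
#          user aborts or after three failed attempts.
set -e -o pipefail
. /etc/functions

TPM_INDEX=3
TPM_SIZE=312

TRACE "Under kexec-unseal-key"

mkdir -p /tmp/secret

# Optional first argument overrides where the unsealed key is written;
# an empty argument falls back to the default, as before.
key_file="${1:-/tmp/secret/secret.key}"

DEBUG "CONFIG_TPM: $CONFIG_TPM"
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
DEBUG "Show PCRs"
DEBUG "$(pcrs)"

for tries in 1 2 3; do
	# Deliberately no 'read -r': the passphrase must be read exactly the
	# way the sealing side reads it, or a passphrase containing
	# backslashes would no longer match what was sealed.
	read -s -p "Enter LUKS Disk Unlock Key passphrase (blank to abort): " tpm_password
	echo
	if [ -z "$tpm_password" ]; then
		die "Aborting unseal disk encryption key"
	fi

	# The unseal runs inside the 'if' so that a failure does not trip
	# 'set -e'. As a bare statement followed by a "$?" test, a failed
	# unseal would terminate the script (unless DO_WITH_DEBUG hid the
	# status) before the retry path below could ever run.
	# --mask-position 6 presumably keeps the passphrase (word 6, counting
	# from 0, of the traced command) out of the debug output; note the
	# passphrase is still handed to tpmr on its command line.
	if DO_WITH_DEBUG --mask-position 6 \
		tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
		"$key_file" "$tpm_password"; then
		exit 0
	fi

	# Show the current PCR state so a mismatch against the sealed policy
	# is visible to the user before the next attempt.
	pcrs
	warn "Unable to unseal disk encryption key"
done

die "Retry count exceeded..."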