1. Manuals
  2. Tumbleweed
  3. fde-tools
  4. fdectl(8)

Scroll to navigation

FDECTL(8) System Administration Utilities FDECTL(8)

NAME

fdectl - Tool for controlling Full Disk Encryption

SYNOPSIS

fdectl [global-options] command [cmd-options]

DESCRIPTION

The primary objective of this tool is to streamline the TPM seal/unseal process for system administrators and installers. To achieve this, it heavily depends on pcr-oracle to forecast the relevant TPM Platform Configuration Registers (PCRs) values at the point when the boot loader needs to unseal the key. The primary configuration file for this tool is located at /etc/sysconfig/fde-tools.

Global options:

--help

Display this message

--version

Print program version

--device

Specify the partition to operate on. Can be a device name or a mount point. Defaults to the current root device.

--bootloader

Specify the boot loader being used [grub2].

--uefi-boot-dir

Specify the location of the UEFI ESP [/boot/efi].

--use-dialog

Use the dialog(1) utility to interact with the user.

--keyfile

Specify the path to a LUKS key for use with tpm-enable.

--password

Specify the LUKS recovery password. Should be used by the installer only.

--passfile

Specify the path to a LUKS recovery password file.

Commands:

display this message
change the password protecting the partition
protect partition with a passphrase and use that to unlock on next boot
remove passphrase installed by add-secondary-password
regenerate the random key to replace the old key and seal the new key
check whether a TPM2 chip is present and working
enable TPM protection
disable TPM protection
wipe out the keyslot for the sealed key
update the authorized pcr policy in the sealed key

EXAMPLES

Testing for the presence of a TPM

fdectl tpm-present


This will return an exit status of 0 (success) or 1 (absent).


If the users asks for the LUKS partition to be protected by the
    TPM, the installer needs to create a secondary key and pass this to the
    installed system, like this:




fdectl add-secondary-key --keyfile /root/.root.key




This will prompt for the recovery password that is able to unlock
    the LUKS partition. Alternatively, you can pass the password on the command
    like using the --password option.


After booting into the installed system, TPM protection needs to
    be enabled using this command:




fdectl tpm-enable --keyfile /root/.root.keyfile




This will create a _new_ LUKS key, which is then sealed against
    the predicted TPM state, and installed in the UEFI System Partition. The old
    key, which was created by the installer, is removed.


Note, when using fdectl add-secondary-password as described
    above, tpm-enable will also have to remove this well-known password
    from the LUKS header.


Usually, the tpm-enable command is invoked automatically on
    first boot via the fde-tools.service unit file.






SEE ALSO


pcr-oracle(8), cryptsetup(8)







  

    May 2024
    fde.sh 0.7.2