NAME¶

grub-protect - protect a disk key with a key protector

SYNOPSIS¶

grub-protect [OPTION...]

grub-protect helps to pretect a disk encryption key with a specified key protector.

Protect a cleartext key using a GRUB key protector that can retrieve the key during boot to unlock fully-encrypted disks automatically.

-a, --action=add|remove: Add or remove a key protector to or from a key.
-p, --protector=tpm2: Key protector to use (only tpm2 is currently supported).
--tpm2-asymmetric=TYPE The type of SRK: RSA (RSA2048), RSA3072, RSA4096,: and ECC (ECC_NIST_P256). (default: ECC)
--tpm2-bank=ALG: Bank of PCRs used to authorize key release: SHA1, SHA256, SHA384, or SHA512. (default: SHA256)
--tpm2-device=FILE: Path to the TPM2 device. (default: /dev/tpm0)
--tpm2-evict: Evict a previously persisted SRK from the TPM, if any.
--tpm2-keyfile=FILE: Path to a file that contains the cleartext key to protect.
--tpm2-outfile=FILE: Path to the file that will contain the key after sealing (must be accessible to GRUB during boot).
--tpm2-pcrs=0[,1]...: Comma-separated list of PCRs used to authorize key release e.g., '7,11'. Please be aware that PCR 0~7 are used by the firmware and the measurement result may change after a firmware update (for baremetal systems) or a package (OVMF/SeaBIOS/SLOF) update in the VM host. This may lead tothe failure of key unsealing. (default: 7)
--tpm2-srk=NUM: The SRK handle if the SRK is to be made persistent.
--tpm2key: Use TPM 2.0 Key File format instead of the raw format.
-?, --help: give this help list
--usage: give a short usage message
-V, --version: print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

Report bugs to <bug-grub@gnu.org>.