From 382bfd90c316dfdd39066e42ead12e47522738fe Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Fri, 21 Jul 2023 15:49:16 -0400 Subject: cryptenroll: allow specifying handle index of key to use for sealing This defaults to the SRK index. --- man/systemd-cryptenroll.xml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'man') diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index cd01791acf..836538be4c 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -411,6 +411,28 @@ + + HANDLE + + Configures which parent key to use for sealing, using the TPM handle (index) of the + key. This is used to "seal" (encrypt) a secret and must be used later to "unseal" (decrypt) the + secret. Expects a hexadecimal 32bit integer, optionally prefixed with + 0x. Allowable values are any handle index in the persistent + (0x81000000-0x81ffffff) or transient + (0x80000000-0x80ffffff) ranges. Since transient handles are + lost after a TPM reset, and may be flushed during TPM context switching, they should not be used + except for very specific use cases, e.g. testing. + + The default is the Storage Root Key (SRK) handle index 0x81000001. A value + of 0 will use the default. For the SRK handle, a new key will be created and stored in the TPM if one + does not already exist; for any other handle, the key must already exist in the TPM at the specified + handle index. + + This should not be changed unless you know what you are doing. + + + + PCR -- cgit v1.2.3
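Review bot: the new HANDLE paragraph leaves it unclear whether the handle chosen at enrollment has to be supplied again at unlock time. "This is used to "seal" (encrypt) a secret and must be used later to "unseal" (decrypt) the secret" can be read either as "the handle is recorded with the enrollment and used automatically" or as "the user must pass the same value to the unlocking side"; please say which, because with a non-default handle any mismatch means the volume cannot be unlocked. In the same vein, the text already warns that transient handles (0x80000000-0x80ffffff) are lost after a TPM reset and may be flushed during context switching, and that for a non-SRK handle the key must already exist in the TPM; it would help to state the consequence plainly: if the key at the chosen handle is no longer present, the TPM2 enrollment cannot be unsealed, so anyone using a custom handle should keep a recovery key or another enrollment as a fallback. Minor style point: "Expects a hexadecimal 32bit integer" should read "32-bit integer".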