summarylogtreecommitdiffstats
path: root/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'README.md')
-rw-r--r--README.md67
1 files changed, 0 insertions, 67 deletions
diff --git a/README.md b/README.md
deleted file mode 100644
index 76d2ec8cfcc9..000000000000
--- a/README.md
+++ /dev/null
@@ -1,67 +0,0 @@
-LUKS TPM
-========
-
-A small utility script to manage LUKS keyfiles sealed by a TPM.
-
-This script assumes you will be using a TPM-sealed keyfile during boot to unlock
-the root file system. It is intended to be used as part of your kernel update
-process to generate a keyfile sealed against the new kernel's PCR values.
-
-Update Process
---------------
-
-The script facilitates the following kernel update process:
-
- 1. Kernel is updated
- 2. `luks-tpm` is called, either manually or via pacman hook, and sets a
- temporary LUKS passphrase
- 3. The system is rebooted into the new kernel
- 4. Because the TPM PCRs have changed, the old keyfile cannot be unsealed
- 5. User enters the temporary passphrase to unlock the disk
- 6. `luks-tpm` is called, generating a new keyfile sealed by the TPM and
- removing the temporary passphrase
-
-### LUKS Key Slots
-
-The script requires two LUKS key slots to function: one for the sealed keyfile
-and one for the temporary passphrase. You are also *strongly* encouraged to
-dedicate an additional slot for a recovery passphrase not managed by `luks-tpm`.
-
-The default key slot layout is:
-
- * Slot 0: Recovery passphrase (optional)
- * Slot 1: TPM keyfile
- * Slot 2: Temporary passphrase
-
-### Replace Key
-
-The `replace` action allows a TPM-sealed LUKS keyfile to be replaced
-(overwritten) by a new, randomly generated key. By default, LUKS slot 1 will be
-replaced. This action will not prompt for a passphrase, so the current keyfile
-must "unsealable" by the TPM and a valid LUKS key.
-
-Usage
------
-
- luks-tpm [OPTION]... DEVICE ACTION
-
-### Actions
-
- * `temp`: Set a temporary LUKS passphrase
- * `reset`: Regenerate the LUKS TPM key and remove the temporary passphrase
- * `replace`: Replace (overwrite) a LUKS TPM key
-
-### Options
-
- -h Print help
- -m PATH Mount point for the tmpfs file system used to store TPM keyfiles
- Default: /root/keyfs
- -k PATH Sealed TPM keyfile path
- Default: /boot/keyfile.enc
- -t NUMBER LUKS slot number for the TPM keyfile
- Default: 1
- -r NUMBER LUKS slot number for temporary reset passphrase
- Default: 2
- -p NUMBER PCRs used to seal LUKS keyfile. May be specified more than once
- Default: 0-7
- -z Use the TPM SRK well-known password