# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-06-01 06:26+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "SYSTEMD-CRYPTENROLL" msgstr "" #. type: TH #: archlinux fedora-40 mageia-cauldron #, no-wrap msgid "systemd 255" msgstr "" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "systemd-cryptenroll" msgstr "" #. ----------------------------------------------------------------- #. * MAIN CONTENT STARTS HERE * #. ----------------------------------------------------------------- #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "systemd-cryptenroll - Enroll PKCS#11, FIDO2, TPM2 token/devices to LUKS2 " "encrypted volumes" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "B [OPTIONS...] [DEVICE]" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "DESCRIPTION" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "B is a tool for enrolling hardware security tokens and " "devices into a LUKS2 encrypted volume, which may then be used to unlock the " "volume during boot\\&. Specifically, it supports tokens and credentials of " "the following kind to be enrolled:" msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron msgid "" "PKCS#11 security tokens and smartcards that may carry an RSA key pair (e\\&." "g\\&. various YubiKeys)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "FIDO2 security tokens that implement the \"hmac-secret\" extension (most " "FIDO2 keys, including YubiKeys)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "TPM2 security devices" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "Regular passphrases" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Recovery keys\\&. These are similar to regular passphrases, however are " "randomly generated on the computer and thus generally have higher entropy " "than user-chosen passphrases\\&. Their character set has been designed to " "ensure they are easy to type in, while having high entropy\\&. They may also " "be scanned off screen using QR codes\\&. Recovery keys may be used for " "unlocking LUKS2 volumes wherever passphrases are accepted\\&. They are " "intended to be used in combination with an enrolled hardware security token, " "as a recovery option when the token is lost\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "In addition, the tool may be used to enumerate currently enrolled security " "tokens and wipe a subset of them\\&. The latter may be combined with the " "enrollment operation of a new security token, in order to update or replace " "enrollments\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "The tool supports only LUKS2 volumes, as it stores token meta-information in " "the LUKS2 JSON token area, which is not available in other encryption " "formats\\&." msgstr "" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "TPM2 PCRs and policies" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "PCRs allow binding of the encryption of secrets to specific software " "versions and system state, so that the enrolled key is only accessible (may " "be \"unsealed\") if specific trusted software and/or configuration is " "used\\&. Such bindings may be created with the option B<--tpm2-pcrs=> " "described below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Secrets may also be bound indirectly: a signed policy for a state of some " "combination of PCR values is provided, and the secret is bound to the public " "part of the key used to sign this policy\\&. This means that the owner of a " "key can generate a sequence of signed policies, for specific software " "versions and system states, and the secret can be decrypted as long as the " "machine state matches one of those policies\\&. 
For example, a vendor may " "provide such a policy for each kernel+initrd update, allowing users to " "encrypt secrets so that they can be decrypted when running any kernel+initrd " "signed by the vendor\\&. Such bindings may be created with the options B<--" "tpm2-public-key=>, B<--tpm2-public-key-pcrs=>, B<--tpm2-signature=> " "described below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "See \\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2 for an " "authoritative list of PCRs and how they are updated\\&. The table below " "contains a quick reference, describing in particular the PCRs modified by " "systemd\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "PCR" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "name" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Explanation" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid ".T&" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "l l l" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "l l l." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "0" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "platform-code" msgstr "" #. 
type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Core system firmware executable code; changes on firmware updates" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "1" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "platform-config" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Core system firmware data/host platform configuration; typically contains serial and model numbers, changes on basic hardware/CPU/RAM replacements" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "2" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "external-code" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Extended or pluggable executable code; includes option ROMs on pluggable hardware" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "3" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "external-config" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Extended or pluggable firmware data; includes information about pluggable hardware" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "4" msgstr "" #. 
type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "boot-loader-code" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Boot loader and additional drivers, PE binaries invoked by the boot loader; changes on boot loader updates\\&. B(7) measures system extension images read from the ESP here too (see B(8))\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "5" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "boot-loader-config" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "GPT/Partition table; changes when the partitions are added, modified, or removed" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "7" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "secure-boot-policy" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Secure Boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, \\&...) changes\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "9" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "kernel-initrd" msgstr "" #. 
type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "The Linux kernel measures all initrds it receives into this PCR\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "10" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "ima" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "The IMA project measures its runtime state into this PCR\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "11" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "kernel-boot" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "B(7) measures the ELF kernel image, embedded initrd and other payload of the PE image it is placed in into this PCR\\&. B(8) measures boot phase strings into this PCR at various milestones of the boot process\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "12" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "kernel-config" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "B(7) measures the kernel command line into this PCR\\&. B(7) measures any manually specified kernel command line (i\\&.e\\&. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR\\&." msgstr "" #. 
type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "13" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "sysexts" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "B(7) measures any B(8) images it passes to the booted kernel into this PCR\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "14" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "shim-policy" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "The shim project measures its \"MOK\" certificates and hashes into this PCR\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "15" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "system-identity" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "B(8) optionally measures the volume key of activated LUKS volumes into this PCR\\&. B(8) measures the B(5) into this PCR\\&. B(8) measures mount points, file system UUIDs, labels, partition UUIDs of the root and /var/ filesystems into this PCR\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "16" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "debug" msgstr "" #. 
type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Debug" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "23" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "application-support" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "Application Support" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "In general, encrypted volumes would be bound to some combination of PCRs 7, " "11, and 14 (if shim/MOK is used)\\&. In order to allow firmware and OS " "version updates, it is typically not advisable to use PCRs such as 0 and 2, " "since the program code they cover should already be covered indirectly " "through the certificates measured into PCR 7\\&. Validation through " "certificates hashes is typically preferable over validation through direct " "measurements as it is less brittle in context of OS/firmware updates: the " "measurements will change on every update, but signatures should remain " "unchanged\\&. See the \\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2 for more discussion\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "LIMITATIONS" msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron msgid "" "Note that currently when enrolling a new key of one of the five supported " "types listed above, it is required to first provide a passphrase, a recovery " "key or a FIDO2 token\\&. It\\*(Aqs currently not supported to unlock a " "device with a TPM2/PKCS#11 key in order to enroll a new TPM2/PKCS#11 key\\&. 
" "Thus, if in future key roll-over is desired it\\*(Aqs generally recommended " "to ensure a passphrase, a recovery key or a FIDO2 token is always " "enrolled\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron msgid "" "Also note that support for enrolling multiple FIDO2 tokens is currently " "limited\\&. When multiple FIDO2 tokens are enrolled, B " "will perform pre-flight requests to attempt to identify which of the " "enrolled tokens are currently plugged in\\&. However, this is not possible " "for FIDO2 tokens with user verification (UV, usually via biometrics), in " "which case it will fall back to attempting each enrolled token one by " "one\\&. This will result in multiple prompts for PIN and user " "verification\\&. This limitation does not apply to PKCS#11 tokens\\&." msgstr "" #. type: SH #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #, no-wrap msgid "COMPATIBILITY" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "Security technology both in systemd and in the general industry constantly " "evolves\\&. In order to provide best security guarantees, the way TPM2, " "FIDO2, PKCS#11 devices are enrolled is regularly updated in newer versions " "of systemd\\&. Whenever this happens the following compatibility guarantees " "are given:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "Old enrollments continue to be supported and may be unlocked with newer " "versions of B(8)\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "The opposite is not guaranteed however: it might not be possible to unlock " "volumes with enrollments done with a newer version of B " "with an older version of B\\&." msgstr "" #. 
type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "That said, it is generally recommended to use matching versions of B and B, since this is best tested and " "supported\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "" "It might be advisable to re-enroll existing enrollments to take benefit of " "newer security features, as they are added to systemd\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "OPTIONS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "The following options are understood:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--password>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Enroll a regular password/passphrase\\&. This command is mostly equivalent " "to B, however may be combined with B<--wipe-slot=> in " "one call, see below\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 248\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--recovery-key>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Enroll a recovery key\\&. Recovery keys are mostly identical to passphrases, " "but are computer-generated instead of being chosen by a human, and thus have " "a guaranteed high entropy\\&. The key uses a character set that is easy to " "type in, and may be scanned off screen via a QR code\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--unlock-key-file=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Use a file instead of a password/passphrase read from stdin to unlock the " "volume\\&. Expects the PATH to the file containing your key to unlock the " "volume\\&. Currently there is nothing like B<--key-file-offset=> or B<--key-" "file-size=> so this file has to only contain the full key\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 252\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--unlock-fido2-device=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Use a FIDO2 device instead of a password/passphrase read from stdin to " "unlock the volume\\&. Expects a hidraw device referring to the FIDO2 device " "(e\\&.g\\&. /dev/hidraw1)\\&. Alternatively the special value \"auto\" may " "be specified, in order to automatically determine the device node of a " "currently plugged in security token (of which there must be exactly one)\\&. " "This automatic discovery is unsupported if B<--fido2-device=> option is also " "specified\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 253\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--pkcs11-token-uri=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron msgid "" "Enroll a PKCS#11 security token or smartcard (e\\&.g\\&. a YubiKey)\\&. " "Expects a PKCS#11 smartcard URI referring to the token\\&. 
Alternatively the " "special value \"auto\" may be specified, in order to automatically determine " "the URI of a currently plugged in security token (of which there must be " "exactly one)\\&. The special value \"list\" may be used to enumerate all " "suitable PKCS#11 tokens currently plugged in\\&. The security token must " "contain an RSA key pair which is used to encrypt the randomly generated key " "that is used to unlock the LUKS2 volume\\&. The encrypted key is then stored " "in the LUKS2 JSON token header area\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "In order to unlock a LUKS2 volume with an enrolled PKCS#11 security token, " "specify the B option in the respective /etc/crypttab line:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "myvolume /dev/sda1 - pkcs11-uri=auto\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "See B(5) for a more comprehensive example of a B invocation and its matching /etc/crypttab line\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--fido2-credential-algorithm=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Specify COSE algorithm used in credential generation\\&. The default value " "is \"es256\"\\&. Supported values are \"es256\", \"rs256\" and \"eddsa\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "\"es256\" denotes ECDSA over NIST P-256 with SHA-256\\&. \"rs256\" denotes " "2048-bit RSA with PKCS#1\\&.5 padding and SHA-256\\&. \"eddsa\" denotes " "EDDSA over Curve25519 with SHA-512\\&." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron msgid "Note that your authenticator may not support some algorithms\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 251\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--fido2-device=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "Enroll a FIDO2 security token that implements the \"hmac-secret\" extension " "(e\\&.g\\&. a YubiKey)\\&. Expects a hidraw device referring to the FIDO2 " "device (e\\&.g\\&. /dev/hidraw1)\\&. Alternatively the special value " "\"auto\" may be specified, in order to automatically determine the device " "node of a currently plugged in security token (of which there must be " "exactly one)\\&. This automatic discovery is unsupported if B<--unlock-fido2-" "device=> option is also specified\\&. The special value \"list\" may be used " "to enumerate all suitable FIDO2 tokens currently plugged in\\&. Note that " "many hardware security tokens that implement FIDO2 also implement the older " "PKCS#11 standard\\&. Typically FIDO2 is preferable, given it\\*(Aqs simpler " "to use and more modern\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "In order to unlock a LUKS2 volume with an enrolled FIDO2 security token, " "specify the B option in the respective /etc/crypttab line:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron #, no-wrap msgid "myvolume /dev/sda1 - fido2-device=auto\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--fido2-with-client-pin=>I" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "When enrolling a FIDO2 security token, controls whether to require the user " "to enter a PIN when unlocking the volume (the FIDO2 \"clientPin\" " "feature)\\&. Defaults to \"yes\"\\&. (Note: this setting is without effect " "if the security token does not support the \"clientPin\" feature at all, or " "does not allow enabling or disabling it\\&.)" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron msgid "Added in version 249\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--fido2-with-user-presence=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "When enrolling a FIDO2 security token, controls whether to require the user " "to verify presence (tap the token, the FIDO2 \"up\" feature) when unlocking " "the volume\\&. Defaults to \"yes\"\\&. (Note: this setting is without effect " "if the security token does not support the \"up\" feature at all, or does " "not allow enabling or disabling it\\&.)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "B<--fido2-with-user-verification=>I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron msgid "" "When enrolling a FIDO2 security token, controls whether to require user " "verification when unlocking the volume (the FIDO2 \"uv\" feature)\\&. " "Defaults to \"no\"\\&. (Note: this setting is without effect if the security " "token does not support the \"uv\" feature at all, or does not allow enabling " "or disabling it\\&.)" msgstr "" #. 
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "B<--tpm2-device=>I"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Enroll a TPM2 security chip\\&. Expects a device node path referring to the "
"TPM2 chip (e\\&.g\\&. /dev/tpmrm0)\\&. Alternatively the special value "
"\"auto\" may be specified, in order to automatically determine the device "
"node of a currently discovered TPM2 device (of which there must be exactly "
"one)\\&. The special value \"list\" may be used to enumerate all suitable "
"TPM2 devices currently discovered\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"In order to unlock a LUKS2 volume with an enrolled TPM2 security chip, "
"specify the B option in the respective /etc/crypttab line:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "myvolume /dev/sda1 - tpm2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Use B<--tpm2-pcrs=> (see below) to configure which TPM2 PCR indexes to bind "
"the enrollment to\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid "B<--tpm2-device-key=>I"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Enroll a TPM2 security chip using its public key\\&. Expects a path "
"referring to the TPM2 public key in TPM2B_PUBLIC format\\&. This cannot be "
"used with B<--tpm2-device=>, as it performs the same operation, but without "
"connecting to the TPM2 security chip; instead the enrollment is calculated "
"using the provided TPM2 key\\&. This is useful in situations where the TPM2 "
"security chip is not available at the time of enrollment\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The key, in most cases, should be the Storage Root Key (SRK) from a local "
"TPM2 security chip\\&. If a key from a different handle (not the SRK) is "
"used, you must specify its handle index using B<--tpm2-seal-key-handle=>\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The B(8) service writes the SRK to /run/systemd/"
"tpm2-srk-public-key\\&.tpm2b_public automatically during boot, in the "
"correct format\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Alternatively, you may use B to retrieve the SRK from "
"the TPM2 security chip explicitly\\&. See B(1) for "
"details\\&. Example:"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "systemd-analyze srk E srk\\&.tpm2b_public\n"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid "Added in version 255\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid "B<--tpm2-seal-key-handle=>I"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Configures which parent key to use for sealing, using the TPM handle (index) "
"of the key\\&. This is used to \"seal\" (encrypt) a secret and must be used "
"later to \"unseal\" (decrypt) the secret\\&. Expects a hexadecimal 32-bit "
"integer, optionally prefixed with \"0x\"\\&. Allowable values are any handle "
"index in the persistent (\"0x81000000\"-\"0x81ffffff\") or transient "
"(\"0x80000000\"-\"0x80ffffff\") ranges\\&. Since transient handles are lost "
"after a TPM reset, and may be flushed during TPM context switching, they "
"should not be used except for very specific use cases, e\\&.g\\&. testing\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"The default is the Storage Root Key (SRK) handle index \"0x81000001\"\\&. A "
"value of 0 will use the default\\&. For the SRK handle, a new key will be "
"created and stored in the TPM if one does not already exist; for any other "
"handle, the key must already exist in the TPM at the specified handle "
"index\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid "This should not be changed unless you know what you are doing\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm fedora-40 mageia-cauldron
msgid "B<--tpm2-pcrs=> [PCR...]"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Configures the TPM2 PCRs (Platform Configuration Registers) to bind to when "
"enrollment is requested via B<--tpm2-device=>\\&. Takes a list of PCR "
"entries, where each entry starts with a name or numeric index in the range "
"0\\&...23, optionally followed by \":\" and a hash algorithm name "
"(specifying the PCR bank), optionally followed by \"=\" and a hash digest "
"value\\&. Multiple PCR entries are separated by \"+\"\\&. If not specified, "
"the default is to use PCR 7 only\\&. If an empty string is specified, binds "
"the enrollment to no PCRs at all\\&. See the table above for a list of "
"available PCRs\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Example: B<--tpm2-pcrs=boot-loader-code+platform-config+boot-loader-config> "
"specifies that PCR registers 4, 1, and 5 should be used\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Example: B<--tpm2-pcrs=7:sha256> specifies that PCR register 7 from the "
"SHA256 bank should be used\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Example: B<--tpm2-pcrs=4:sha1=3a3f780f11a4b49969fcaa80cd6e3957c33b2275> "
"specifies that PCR register 4 from the SHA1 bank should be used, and a hash "
"digest value of 3a3f780f11a4b49969fcaa80cd6e3957c33b2275 will be used "
"instead of reading the current PCR value\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "B<--tpm2-with-pin=>I"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"When enrolling a TPM2 device, controls whether to require the user to enter "
"a PIN when unlocking the volume in addition to PCR binding, based on TPM2 "
"policy authentication\\&. Defaults to \"no\"\\&. Despite being called PIN, "
"any character can be used, not just numbers\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Note that incorrect PIN entry when unlocking increments the TPM dictionary "
"attack lockout mechanism, and may lock out users for a prolonged time, "
"depending on its configuration\\&. The lockout mechanism is a global "
"property of the TPM; B does not control or configure "
"the lockout mechanism\\&. You may use tpm2-tss tools to inspect or configure "
"the dictionary attack lockout, with B(1) and "
"B(1) commands, respectively\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm fedora-40 mageia-cauldron
msgid ""
"B<--tpm2-public-key=> [PATH], B<--tpm2-public-key-pcrs=> [PCR...], B<--tpm2-"
"signature=> [PATH]"
msgstr ""
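The PCR selection grammar described under B<--tpm2-pcrs=> above (entries joined by "+", each a name or index 0..23, optionally ":" and a bank, optionally "=" and a digest), worked through as an added parser in Python. This is example code written for this page, not code from the systemd project. The three names the page states (boot-loader-code, platform-config, boot-loader-config) are given their page-stated indexes; the remaining entries of the name table follow the Linux TPM PCR Registry linked from NOTES and are an assumption of this example, as is inferring the bank from the digest length when a digest is attached directly to an index.

```python
"""Parser for the --tpm2-pcrs= value syntax of systemd-cryptenroll(1).

Added example (not systemd code). Grammar per the man page:
    VALUE  = "" | ENTRY ("+" ENTRY)*
    ENTRY  = (NAME | 0..23) [":" BANK] ["=" HEXDIGEST]
"""
from dataclasses import dataclass
from typing import List, Optional

# PCR name -> index. The page states 4, 1 and 5 for the first three names;
# the rest follow the Linux TPM PCR Registry (assumption of this example).
PCR_NAMES = {
    "platform-code": 0, "platform-config": 1, "external-code": 2,
    "external-config": 3, "boot-loader-code": 4, "boot-loader-config": 5,
    "secure-boot-policy": 7, "kernel-initrd": 9, "ima": 10,
    "kernel-boot": 11, "kernel-config": 12, "sysexts": 13,
    "shim-policy": 14, "system-identity": 15, "debug": 16,
    "application-support": 23,
}

# Digest size in bytes of the PCR banks this example knows about.
BANK_DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


@dataclass(frozen=True)
class PcrEntry:
    index: int
    bank: Optional[str] = None      # None: the tool picks a bank
    digest: Optional[bytes] = None  # None: read the live PCR value at enrollment


def parse_pcr_entry(text: str) -> PcrEntry:
    """Parse one entry of the form NAME|INDEX[:BANK][=HEXDIGEST]."""
    spec, _, hexdigest = text.partition("=")   # "=" only ever introduces the digest
    name, _, bank = spec.partition(":")
    if name in PCR_NAMES:
        index = PCR_NAMES[name]
    elif name.isdigit() and int(name) <= 23:
        index = int(name)
    else:
        raise ValueError(f"unknown PCR {name!r}")

    bank = bank.lower() or None
    if bank is not None and bank not in BANK_DIGEST_LEN:
        raise ValueError(f"unknown PCR bank {bank!r}")

    digest = None
    if hexdigest:
        try:
            digest = bytes.fromhex(hexdigest)
        except ValueError:
            raise ValueError(f"digest for PCR {index} is not hexadecimal") from None
        if bank is None:
            # Assumption: a digest given without a bank selects the bank by length.
            matches = [b for b, n in BANK_DIGEST_LEN.items() if n == len(digest)]
            if not matches:
                raise ValueError(f"{len(digest)}-byte digest matches no known bank")
            bank = matches[0]
        elif len(digest) != BANK_DIGEST_LEN[bank]:
            raise ValueError(f"{bank} digest must be {BANK_DIGEST_LEN[bank]} bytes")
    return PcrEntry(index, bank, digest)


def parse_pcrs(value: Optional[str]) -> List[PcrEntry]:
    """Parse a whole --tpm2-pcrs= value.

    None (option absent) selects the documented default, PCR 7 only;
    the empty string binds to no PCRs at all.
    """
    if value is None:
        return [PcrEntry(7)]
    if value == "":
        return []
    return [parse_pcr_entry(entry) for entry in value.split("+")]


def pcrs_error(value: Optional[str]) -> Optional[str]:
    """Return the parse error message for a value, or None if it is valid."""
    try:
        parse_pcrs(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for v in (None, "", "boot-loader-code+platform-config+boot-loader-config",
              "7:sha256", "4:sha1=3a3f780f11a4b49969fcaa80cd6e3957c33b2275"):
        print(repr(v), "->", parse_pcrs(v))
```

Note that a fixed digest (the "=" form) binds the enrollment to a PCR value the TPM may not currently hold, which is exactly why the size check against the named bank matters: a digest of the wrong length would never match and the volume would not unlock.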
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Configures a TPM2 signed PCR policy to bind encryption to\\&. The B<--tpm2-"
"public-key=> option accepts a path to a PEM encoded RSA public key, to bind "
"the encryption to\\&. If this is not specified explicitly, but a file tpm2-"
"pcr-public-key\\&.pem exists in one of the directories /etc/systemd/, /run/"
"systemd/, /usr/lib/systemd/ (searched in this order), it is automatically "
"used\\&. The B<--tpm2-public-key-pcrs=> option takes a list of TPM2 PCR "
"indexes to bind to (same syntax as B<--tpm2-pcrs=> described above)\\&. If "
"not specified, defaults to 11 (i\\&.e\\&. this binds the policy to any "
"unified kernel image for which a PCR signature can be provided)\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Note the difference between B<--tpm2-pcrs=> and B<--tpm2-public-key-pcrs=>: "
"the former binds decryption to the current, specific PCR values; the latter "
"binds decryption to any set of PCR values for which a signature by the "
"specified public key can be provided\\&. The latter is hence more useful in "
"scenarios where software updates shall be possible without losing access to "
"all previously encrypted LUKS2 volumes\\&. Like with B<--tpm2-pcrs=>, names "
"defined in the table above can also be used to specify the registers, for "
"instance B<--tpm2-public-key-pcrs=boot-loader-code+system-identity>\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"The B<--tpm2-signature=> option takes a path to a TPM2 PCR signature file as "
"generated by the B(1) tool\\&. If this is not specified "
"explicitly, a suitable signature file tpm2-pcr-signature\\&.json is searched "
"for in /etc/systemd/, /run/systemd/, /usr/lib/systemd/ (in this order) and "
"used\\&. If a signature file is specified or found, it is used to verify "
"whether the volume can be unlocked with it given the current PCR state, "
"before the new slot is written to disk\\&. This is intended as a safety net "
"to ensure that access to a volume is not lost if a public key is enrolled "
"for which no valid signature for the current PCR state is available\\&. If "
"the supplied signature does not unlock the current PCR state and public key "
"combination, no slot is enrolled and the operation will fail\\&. If no "
"signature file is specified or found, no such safety verification is "
"done\\&."
msgstr ""

#. type: Plain text
#: archlinux fedora-40 mageia-cauldron
msgid "B<--tpm2-pcrlock=> [PATH]"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"Configures a TPM2 pcrlock policy to bind encryption to\\&. Expects a path to "
"a pcrlock policy file as generated by the B(1) tool\\&. If "
"a TPM2 device is enrolled and this option is not used but a file pcrlock\\&."
"json is found in /run/systemd/ or /var/lib/systemd/ it is automatically "
"used\\&. Assign an empty string to turn this behaviour off\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm fedora-40 mageia-cauldron
msgid "B<--wipe-slot=> [SLOT...]"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"Wipes one or more LUKS2 key slots\\&. Takes a comma-separated list of "
"numeric slot indexes, or the special strings \"all\" (for wiping all key "
"slots), \"empty\" (for wiping all key slots that are unlocked by an empty "
"passphrase), \"password\" (for wiping all key slots that are unlocked by a "
"traditional passphrase), \"recovery\" (for wiping all key slots that are "
"unlocked by a recovery key), \"pkcs11\" (for wiping all key slots that are "
"unlocked by a PKCS#11 token), \"fido2\" (for wiping all key slots that are "
"unlocked by a FIDO2 token), \"tpm2\" (for wiping all key slots that are "
"unlocked by a TPM2 chip), or any combination of these strings or numeric "
"indexes, in which case all slots matching either are wiped\\&. As a safety "
"precaution an operation that wipes all slots without exception (so that the "
"volume cannot be unlocked at all anymore, unless the volume key is known) is "
"refused\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"This switch may be used alone, in which case only the requested wipe "
"operation is executed\\&. It may also be used in combination with any of the "
"enrollment options listed above, in which case the enrollment is completed "
"first, and only when successful the wipe operation executed \\(em and the "
"newly added slot is always excluded from the wiping\\&. Combining enrollment "
"and slot wiping may thus be used to update existing enrollments:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "systemd-cryptenroll /dev/sda1 --wipe-slot=tpm2 --tpm2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"The above command will enroll the TPM2 chip, and then wipe all previously "
"created TPM2 enrollments on the LUKS2 volume, leaving only the newly created "
"one\\&. Combining wiping and enrollment may also be used to replace "
"enrollments of different types, for example for changing from a PKCS#11 "
"enrollment to a FIDO2 one:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "systemd-cryptenroll /dev/sda1 --wipe-slot=pkcs11 --fido2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "Or for replacing an enrolled empty password by TPM2:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "systemd-cryptenroll /dev/sda1 --wipe-slot=empty --tpm2-device=auto\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "B<-h>, B<--help>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "Print a short help text and exit\\&."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "B<--version>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "Print a short version string and exit\\&."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "EXIT STATUS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "On success, 0 is returned, a non-zero failure code otherwise\\&."
msgstr ""

#. type: SH
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "EXAMPLES"
msgstr ""
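The B<--wipe-slot=> selection rules and the "enroll first, then wipe, new slot exempt" ordering described above, modelled as an added example in Python (written for this page; not systemd's code). The LUKS2 header is stood in for by a constructed dict from slot index to slot kind; the function names `plan_wipe` and `enroll_and_wipe`, the lowest-free-slot allocation, the 32-slot limit and the rule that an explicit index absent from the header is an error are assumptions of this model, not statements about the real tool.

```python
"""Model of --wipe-slot= selection and its ordering relative to an enrollment.

Added example (not systemd code). `slots` is a constructed stand-in for the
LUKS2 keyslot table: slot index -> kind ("password", "empty", "recovery",
"pkcs11", "fido2" or "tpm2").
"""
from typing import Dict, List, Optional, Set, Tuple

# Kind selectors the option accepts besides numeric indexes and "all".
SLOT_KINDS = {"empty", "password", "recovery", "pkcs11", "fido2", "tpm2"}
MAX_SLOTS = 32   # assumption: LUKS2 default keyslot count


def parse_wipe_spec(spec: str) -> Tuple[Set[int], Set[str]]:
    """Split a comma-separated --wipe-slot= value into indexes and kind names."""
    indexes: Set[int] = set()
    kinds: Set[str] = set()
    for item in spec.split(","):
        if item.isdigit():
            indexes.add(int(item))
        elif item == "all" or item in SLOT_KINDS:
            kinds.add(item)
        else:
            raise ValueError(f"invalid --wipe-slot= entry {item!r}")
    return indexes, kinds


def plan_wipe(spec: str, slots: Dict[int, str], new_slot: Optional[int] = None) -> List[int]:
    """Return the sorted slot indexes the wipe would remove.

    A slot is selected if its index is listed, its kind is listed, or "all"
    was given. `new_slot` (written by an enrollment in the same invocation)
    is never selected. A plan that would leave no slot behind is refused,
    since the volume could then only be opened with the raw volume key.
    """
    indexes, kinds = parse_wipe_spec(spec)
    existing = set(slots)
    missing = indexes - existing
    if missing:
        raise ValueError(f"no such slot(s): {sorted(missing)}")   # assumption of this model
    selected = {i for i, kind in slots.items()
                if i in indexes or "all" in kinds or kind in kinds}
    selected.discard(new_slot)
    if selected and not (existing - selected):
        raise ValueError("refusing to wipe every key slot; the volume would become unopenable")
    return sorted(selected)


def wipe_plan_error(spec: str, slots: Dict[int, str], new_slot: Optional[int] = None) -> Optional[str]:
    """Return why a plan is refused, or None if it would be carried out."""
    try:
        plan_wipe(spec, slots, new_slot)
    except ValueError as exc:
        return str(exc)
    return None


def enroll_and_wipe(slots: Dict[int, str], new_kind: Optional[str],
                    wipe_spec: Optional[str]) -> Dict[int, str]:
    """Simulate one invocation: enrollment first, then the wipe with the new slot exempt.

    `new_kind=None` means no enrollment was requested; `wipe_spec=None` means
    no --wipe-slot= was given. Returns the resulting slot table.
    """
    result = dict(slots)
    new_slot = None
    if new_kind is not None:
        if new_kind not in SLOT_KINDS:
            raise ValueError(f"unknown enrollment kind {new_kind!r}")
        free = [i for i in range(MAX_SLOTS) if i not in result]
        if not free:
            raise ValueError("no free key slot")
        new_slot = free[0]                  # assumption: lowest free slot is used
        result[new_slot] = new_kind
    if wipe_spec is not None:
        for idx in plan_wipe(wipe_spec, result, new_slot):
            del result[idx]
    return result


if __name__ == "__main__":
    header = {0: "password", 1: "tpm2", 2: "tpm2"}   # constructed example table
    print("--wipe-slot=tpm2 --tpm2-device=auto ->", enroll_and_wipe(header, "tpm2", "tpm2"))
    print("--wipe-slot=all alone ->", wipe_plan_error("all", header))
```

The last line of the demo shows the safety net in action: "all" without a concurrent enrollment is refused, while the same "all" paired with an enrollment leaves exactly the freshly written slot.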
#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"B(5) and B(1) contain various examples "
"employing B\\&."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid ""
"B(1), B(8), B(5), "
"B(8), B(1)"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
#, no-wrap
msgid " 1."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "Linux TPM PCR Registry"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron
msgid "\\%https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "systemd 254"
msgstr ""

#. type: Plain text
#: debian-bookworm
msgid "BB<[OPTIONS...]>B< >B<[DEVICE]>"
msgstr ""

#. type: Plain text
#: debian-bookworm
msgid ""
"Configures the TPM2 PCRs (Platform Configuration Registers) to bind to when "
"enrollment is requested via B<--tpm2-device=>\\&. Takes a list of PCR names "
"or numeric indices in the range 0\\&...23\\&. Multiple PCR indexes are "
"separated by \"+\"\\&. If not specified, the default is to use PCR 7 "
"only\\&. If an empty string is specified, binds the enrollment to no PCRs at "
"all\\&. See the table above for a list of available PCRs\\&."
msgstr ""

#. type: TH
#: debian-unstable fedora-rawhide
#, no-wrap
msgid "systemd 256~rc3"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"PKCS#11 security tokens and smartcards that may carry an RSA or EC key pair "
"(e\\&.g\\&. various YubiKeys)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"B operates on the device backing /var/ if no device is "
"specified explicitly, and no wipe operation is requested\\&. (Note that in "
"the typical case where /var/ is on the same file system as the root file "
"system, this hence enrolls a key into the backing device of the root file "
"system\\&.)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"Note that currently when enrolling a new key of one of the five supported "
"types listed above, it is required to first provide a passphrase, a recovery "
"key, a FIDO2 token, or a TPM2 key\\&. It\\*(Aqs currently not supported to "
"unlock a device with a PKCS#11 key in order to enroll a new PKCS#11 key\\&. "
"Thus, if in future key roll-over is desired it\\*(Aqs generally recommended "
"to ensure a passphrase, a recovery key, a FIDO2 token, or a TPM2 key is "
"always enrolled\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"Also note that support for enrolling multiple FIDO2 tokens is currently "
"limited\\&. When multiple FIDO2 tokens are enrolled, B "
"will perform pre-flight requests to attempt to identify which of the "
"enrolled tokens are currently plugged in\\&. However, this is not possible "
"for FIDO2 tokens with user verification (UV, usually via biometrics), in "
"which case it will fall back to attempting each enrolled token one by "
"one\\&. This will result in multiple prompts for PIN and user "
"verification\\&. This limitation does not apply to PKCS#11 tokens\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "B<--unlock-tpm2-device=>I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"Use a TPM2 device instead of a password/passphrase read from stdin to unlock "
"the volume\\&. Expects a device node path referring to the TPM2 chip (e\\&."
"g\\&. /dev/tpmrm0)\\&. Alternatively the special value \"auto\" may be "
"specified, in order to automatically determine the device node of a "
"currently discovered TPM2 device (of which there must be exactly one)\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "Added in version 256\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"Enroll a PKCS#11 security token or smartcard (e\\&.g\\&. a YubiKey)\\&. "
"Expects a PKCS#11 URI that allows finding an X\\&.509 certificate or a "
"public key on the token\\&. The URI must also be suitable to find a related "
"private key after changing the type of object in it\\&. Alternatively the "
"special value \"auto\" may be specified, in order to automatically determine "
"the suitable URI if a single security token containing a single key pair is "
"plugged in\\&. The special value \"list\" may be used to enumerate all "
"suitable PKCS#11 tokens currently plugged in\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"The PKCS#11 token must contain an RSA or EC key pair which will be used to "
"unlock a LUKS2 volume\\&. For RSA, a randomly generated volume key is "
"encrypted with a public key in the token, and stored in the LUKS2 JSON token "
"header area\\&. To unlock a volume, the stored encrypted volume key will be "
"decrypted with a private key in the token\\&. For ECC, the ECDH algorithm is "
"used: we generate a pair of EC keys in the same EC group, then derive a "
"shared secret using the generated private key and the public key in the "
"token\\&. The derived shared secret is used as a volume key\\&. The "
"generated public key is stored in the LUKS2 JSON token header area\\&. The "
"generated private key is erased\\&. To unlock a volume, we derive the shared "
"secret with the stored public key and a private key in the token\\&."
msgstr ""
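The ECDH enrollment and unlock flow for EC key pairs described in the preceding entry, carried through as an added example in pure Python; this is code written for this page, not systemd's implementation. It follows the steps the text gives: an ephemeral EC key pair on the enrolling side, a shared secret with the token's public key, only the ephemeral public key kept in the token header, the ephemeral private key discarded, and the same secret recovered at unlock time from the token's private key. The curve is P-256 with its published parameters. Three things are simplifications of this example rather than facts about systemd-cryptenroll: the token's private key is held as a plain integer (a real token performs the ECDH step internally and never releases it), the volume key is taken as SHA-256 of the shared x-coordinate, and the token header layout is constructed. The unlock side validates that the stored point lies on the curve before any arithmetic touches the private key, the standard guard against invalid-curve inputs from an untrusted header.

```python
"""ECDH enroll/unlock flow for an EC key pair on a PKCS#11 token.

Added example (not systemd code). Pure-Python affine P-256 arithmetic so it
runs offline; the scalar multiplication is not constant-time and is for
illustration only.
"""
import hashlib
import secrets
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

# NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def on_curve(pt: Point) -> bool:
    """True for infinity or any (x, y) with y^2 = x^3 + ax + b (mod p)."""
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition, covering doubling and the inverse-pair case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                              # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication."""
    result: Point = None
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def generate_keypair() -> Tuple[int, Tuple[int, int]]:
    """Random private scalar in [1, N-1] and its public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def encode_point(pt: Tuple[int, int]) -> str:
    """Uncompressed SEC1 encoding (04 || X || Y) as hex."""
    return "04" + pt[0].to_bytes(32, "big").hex() + pt[1].to_bytes(32, "big").hex()


def decode_point(hexstr: str) -> Tuple[int, int]:
    """Decode and validate a stored point; rejects anything not on P-256."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 65 or raw[0] != 4:
        raise ValueError("expected a 65-byte uncompressed point")
    pt = (int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big"))
    if not on_curve(pt):
        raise ValueError("stored public key is not on P-256")
    return pt


def derive_volume_key(shared: Tuple[int, int]) -> bytes:
    """Assumption of this example: volume key = SHA-256(shared x-coordinate)."""
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def enroll(token_public: Tuple[int, int]) -> Tuple[bytes, dict]:
    """Enrolling side: ephemeral pair, ECDH against the token's public key.

    Returns the volume key and a constructed token-header entry holding only
    the ephemeral public key; the ephemeral private key is dropped here.
    """
    if not on_curve(token_public):
        raise ValueError("token public key is not on P-256")
    eph_priv, eph_pub = generate_keypair()
    volume_key = derive_volume_key(mul(eph_priv, token_public))
    del eph_priv                                     # "the generated private key is erased"
    header = {"type": "systemd-pkcs11", "curve": "P-256",
              "ephemeral-public": encode_point(eph_pub)}   # constructed layout
    return volume_key, header


def unlock(token_private: int, header: dict) -> bytes:
    """Unlock side: the token's private key applied to the stored public key."""
    stored = decode_point(header["ephemeral-public"])
    return derive_volume_key(mul(token_private, stored))


def try_unlock(token_private: int, header: dict) -> Optional[bytes]:
    """unlock() that returns None instead of raising on a malformed header."""
    try:
        return unlock(token_private, header)
    except ValueError:
        return None


if __name__ == "__main__":
    tok_priv, tok_pub = generate_keypair()           # stands in for the token's key pair
    vk, hdr = enroll(tok_pub)
    print("header:", hdr)
    print("unlock recovers volume key:", unlock(tok_priv, hdr) == vk)
```

Because ECDH is commutative, `eph_priv * token_public` at enrollment and `token_private * ephemeral_public` at unlock are the same point, which is what lets the header store nothing secret at all.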
#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"Note that your authenticator may choose not to support some algorithms\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "B<--tpm2-pcrs=>II<[+PCR\\&.\\&.\\&.]>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"B<--tpm2-public-key=>I, B<--tpm2-public-key-pcrs=>II<[+PCR\\&.\\&."
"\\&.]>, B<--tpm2-signature=>I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "B<--tpm2-pcrlock=>I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "B<--wipe-slot=>II<[,SLOT\\&.\\&.\\&.]>"
msgstr ""

#. type: SH
#: debian-unstable fedora-rawhide
#, no-wrap
msgid "CREDENTIALS"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"B supports the service credentials logic as implemented "
"by I/I/I (see B(5) for details)\\&. The following credentials are used when passed in:"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "I, I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"May contain the passphrase to unlock the volume with/to newly enroll\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "I, I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "May contain the TPM2 PIN to unlock the volume with/to newly enroll\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "If a FIDO2 token is enrolled this may contain the PIN of the token\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid "I"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-rawhide
msgid ""
"If a PKCS#11 token is enrolled this may contain the PIN of the token\\&."
msgstr ""