.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH GRUB-PROTECT "1" "May 2024" "GRUB2 2.12" "User Commands"
.SH NAME
grub-protect \- protect a disk key with a key protector
.SH SYNOPSIS
.B grub-protect
[\fI\,OPTION\/\fR...]
.SH DESCRIPTION
grub-protect helps to protect a disk encryption key with a specified key protector.
.PP
Protect a cleartext key using a GRUB key protector that can retrieve the key
during boot to unlock fully\-encrypted disks automatically.
.TP
\fB\-a\fR, \fB\-\-action\fR=\fI\,add\/\fR|remove
Add or remove a key protector to or from a key.
.TP
\fB\-p\fR, \fB\-\-protector\fR=\fI\,tpm2\/\fR
Key protector to use (only tpm2 is currently supported).
.TP
\fB\-\-tpm2\-asymmetric\fR=\fI\,TYPE\/\fR
The type of SRK: RSA (RSA2048), RSA3072, RSA4096, and ECC (ECC_NIST_P256).
(default: ECC)
.TP
\fB\-\-tpm2\-bank\fR=\fI\,ALG\/\fR
Bank of PCRs used to authorize key release: SHA1, SHA256, SHA384, or SHA512.
(default: SHA256)
.TP
\fB\-\-tpm2\-device\fR=\fI\,FILE\/\fR
Path to the TPM2 device. (default: \fI\,/dev/tpm0\/\fP)
.TP
\fB\-\-tpm2\-evict\fR
Evict a previously persisted SRK from the TPM, if any.
.TP
\fB\-\-tpm2\-keyfile\fR=\fI\,FILE\/\fR
Path to a file that contains the cleartext key to protect.
.TP
\fB\-\-tpm2\-outfile\fR=\fI\,FILE\/\fR
Path to the file that will contain the key after sealing (must be accessible
to GRUB during boot).
.TP
\fB\-\-tpm2\-pcrs\fR=\fI\,0[\/\fR,1]...
Comma\-separated list of PCRs used to authorize key release, e.g., '7,11'.
Please be aware that PCRs 0~7 are used by the firmware and the measurement
result may change after a firmware update (for baremetal systems) or a package
(OVMF/SeaBIOS/SLOF) update in the VM host. This may lead to the failure of key
unsealing. (default: 7)
.TP
\fB\-\-tpm2\-srk\fR=\fI\,NUM\/\fR
The SRK handle if the SRK is to be made persistent.
.TP
\fB\-\-tpm2key\fR
Use TPM 2.0 Key File format instead of the raw format.
.TP
\-?, \fB\-\-help\fR
give this help list
.TP
\fB\-\-usage\fR
give a short usage message
.TP
\fB\-V\fR, \fB\-\-version\fR
print program version
.PP
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
.SH "REPORTING BUGS"
Report bugs to .
.SH "SEE ALSO"
The full documentation for
.B grub-protect
is maintained as a Texinfo manual.  If the
.B info
and
.B grub-protect
programs are properly installed at your site, the command
.IP
.B info grub-protect
.PP
should give you access to the complete manual.
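.SH EXAMPLES
.PP
Added example, not part of the generated GRUB documentation or of GRUB itself:
a pre\-flight check for a \fB\-\-tpm2\-pcrs\fR value that reports which
selected PCRs fall in the firmware range 0~7 described above, then prints
(without running) a sealing command built only from options on this page.
The function names, the sample paths and the 0..23 index range are assumptions
of the example.
.nf
```shell
#!/bin/sh
# Added example (not GRUB code). Assumption: PCR indices are 0..23.

# firmware_pcrs LIST
# Print the entries of a comma-separated PCR list that lie in 0..7, the range
# the man page says is measured by firmware. Returns 2 when the list is
# malformed: empty item, non-digit, leading zero, out of range or duplicate.
firmware_pcrs() {
    list=$1 seen="," fw=""
    case "$list" in ""|*[!0-9,]*|,*|*,|*,,*) return 2 ;; esac
    old_ifs=$IFS; IFS=,
    set -- $list            # split on commas; only digits and commas remain
    IFS=$old_ifs
    for p in "$@"; do
        case "$p" in 0[0-9]*) return 2 ;; esac
        [ "${#p}" -le 2 ] || return 2
        [ "$p" -le 23 ] || return 2
        case "$seen" in *",$p,"*) return 2 ;; esac
        seen="$seen$p,"
        if [ "$p" -le 7 ]; then fw="${fw:+$fw,}$p"; fi
    done
    printf '%s' "$fw"
}

# seal_command KEYFILE OUTFILE PCRS
# Dry run: print the grub-protect invocation instead of executing it, and
# warn on stderr when the policy depends on firmware-measured PCRs.
seal_command() {
    fw=$(firmware_pcrs "$3") || { echo "invalid PCR list: $3" >&2; return 2; }
    if [ -n "$fw" ]; then
        echo "note: PCR(s) $fw are firmware-measured; unsealing may fail" >&2
        echo "      after a firmware or OVMF/SeaBIOS/SLOF update" >&2
    fi
    printf 'grub-protect --action=add --protector=tpm2 --tpm2-keyfile=%s' "$1"
    printf ' --tpm2-outfile=%s --tpm2-pcrs=%s' "$2" "$3"
}

# Constructed sample paths, for illustration only.
seal_command /root/disk.key /boot/efi/sealed.tpm 7,11
echo
```
.fi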