Documentation
Index
- func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error
- func CheckKeySealingSupported() error
- func FormatEncryptedDevice(key EncryptionKey, label, node string) error
- func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) error
- func MeasureSnapSystemEpochWhenPossible() error
- func SealKey(key EncryptionKey, params *SealKeyParams) error
- func UnlockVolumeIfEncrypted(disk disks.Disk, name string, encryptionKeyDir string, lockKeysOnFinish bool) (string, bool, error)
- type EncryptionKey
- type LoadChain
- type RecoveryKey
- type SealKeyModelParams
- type SealKeyParams
Constants
This section is empty.
Variables
This section is empty.
Functions
func AddRecoveryKey
func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error
AddRecoveryKey adds a fallback recovery key rkey to the existing encrypted volume created with FormatEncryptedDevice on the block device given by node. The existing key to the encrypted volume is provided in the key argument.
func CheckKeySealingSupported
func CheckKeySealingSupported() error
func FormatEncryptedDevice
func FormatEncryptedDevice(key EncryptionKey, label, node string) error
FormatEncryptedDevice initializes an encrypted volume on the block device given by node, setting the specified label. The key used to unlock the volume is provided using the key argument.
func MeasureSnapModelWhenPossible
func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) error
MeasureSnapModelWhenPossible measures the snap model only if the TPM device is available. If there's no TPM device, success is returned.
func MeasureSnapSystemEpochWhenPossible
func MeasureSnapSystemEpochWhenPossible() error
MeasureSnapSystemEpochWhenPossible measures the snap system epoch only if the TPM device is available. If there's no TPM device, success is returned.
func SealKey
func SealKey(key EncryptionKey, params *SealKeyParams) error
SealKey provisions the TPM and seals a partition encryption key according to the specified parameters. If the TPM is already provisioned, or a sealed key already exists, SealKey will fail and return an error.
func UnlockVolumeIfEncrypted
func UnlockVolumeIfEncrypted(disk disks.Disk, name string, encryptionKeyDir string, lockKeysOnFinish bool) (string, bool, error)
UnlockVolumeIfEncrypted verifies whether an encrypted volume with the specified name exists and unlocks it. With lockKeysOnFinish set, access to the sealed keys will be locked when this function completes. The path to the device node is returned, as well as whether the device node is a decrypted device node (in the encrypted case). If no encrypted volume was found, the returned device node is a normal unencrypted volume.
Types
type EncryptionKey
type EncryptionKey [encryptionKeySize]byte
func NewEncryptionKey
func NewEncryptionKey() (EncryptionKey, error)
type LoadChain
type LoadChain struct {
	*bootloader.BootFile
	// Next is a list of alternative chains that can be loaded
	// following the boot file.
	Next []*LoadChain
}
func NewLoadChain
func NewLoadChain(bf bootloader.BootFile, next ...*LoadChain) *LoadChain
NewLoadChain returns a LoadChain corresponding to loading the given BootFile before any of the given next chains.
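As an added example, not code from the secboot package itself: a local mirror of the LoadChain shape above (BootFile stands in for bootloader.BootFile, reduced to a path string) plus a helper that expands a chain tree into every linear boot sequence it permits, the enumeration a sealing policy has to cover when alternative chains exist.

```go
package main

import (
	"fmt"
	"strings"
)

// BootFile stands in for bootloader.BootFile; a path is enough here (constructed).
type BootFile struct{ Path string }

// LoadChain mirrors the shape of secboot.LoadChain described above.
type LoadChain struct {
	*BootFile
	// Next is a list of alternative chains that can be loaded following the boot file.
	Next []*LoadChain
}

// NewLoadChain mirrors secboot.NewLoadChain: bf is loaded before any of next.
func NewLoadChain(bf BootFile, next ...*LoadChain) *LoadChain {
	return &LoadChain{BootFile: &bf, Next: next}
}

// Sequences expands a LoadChain tree into every linear boot sequence it permits
// (one per root-to-leaf path); a sealed key must be authorized for each of them.
func Sequences(c *LoadChain) [][]string {
	if c == nil {
		return nil
	}
	if len(c.Next) == 0 {
		return [][]string{{c.Path}}
	}
	var out [][]string
	for _, n := range c.Next {
		for _, rest := range Sequences(n) {
			out = append(out, append([]string{c.Path}, rest...))
		}
	}
	return out
}

func main() {
	// Constructed example: shim, grub, and two kernel revisions kept as alternatives.
	chain := NewLoadChain(BootFile{"shim.efi"},
		NewLoadChain(BootFile{"grub.efi"},
			NewLoadChain(BootFile{"kernel_100.efi"}),
			NewLoadChain(BootFile{"kernel_99.efi"})))
	for _, seq := range Sequences(chain) {
		fmt.Println(strings.Join(seq, " -> "))
	}
}
```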
type RecoveryKey
type RecoveryKey [recoveryKeySize]byte
func NewRecoveryKey
func NewRecoveryKey() (RecoveryKey, error)
func (RecoveryKey) Save
func (key RecoveryKey) Save(filename string) error
Save writes the recovery key in the location specified by filename.
type SealKeyModelParams
type SealKeyParams
type SealKeyParams struct {
	// The parameters we're sealing the key to
	ModelParams []*SealKeyModelParams
	// The path to store the sealed key file
	KeyFile string
	// The path to authorization policy update data file (only relevant for TPM)
	TPMPolicyUpdateDataFile string
	// The path to the lockout authorization file (only relevant for TPM)
	TPMLockoutAuthFile string
}