package
0.0.0-20250312152250-ea85ec9d2454
Repository: https://github.com/snapcore/snapd.git
Documentation: pkg.go.dev

# Packages

No description provided by the author
No description provided by the author
No description provided by the author

# Functions

ActivateVolumeWithKey is a wrapper for secboot.ActivateVolumeWithKey.
AddBootstrapKeyOnExistingDisk will add a new bootstrap key to an existing encrypted disk.
AddRecoveryKey adds a fallback recovery key rkey to the existing encrypted volume created with FormatEncryptedDevice on the block device given by node.
BuildPCRProtectionProfile builds and serializes a PCR profile from a list of SealKeyModelParams.
No description provided by the author
No description provided by the author
DeactivateVolume is a wrapper for secboot.DeactivateVolume.
DeleteKeys deletes key slots on a LUKS2 container.
DeleteOldKeys removes key slots from an old installation that had names created by TemporaryNameOldKeys.
EncryptedPartitionName returns the name/label used by an encrypted partition corresponding to a given name.
EnsureRecoveryKey makes sure the encrypted block devices have a recovery key.
FindFreeHandle finds an unused handle on the TPM.
FormatEncryptedDevice initializes an encrypted volume on the block device given by node, setting the specified label.
GetPCRHandle returns the handle used by a key.
GetPrimaryKeyDigest retrieves the primary key for a disk from the keyring and returns its digest.
HijackAndRunArgon2OutOfProcessHandlerOnArg is supposed to be called from the main() of binaries involved with sealing/unsealing of keys (i.e.
LockSealedKeys manually locks access to the sealed keys.
MarkSuccessful marks the secure boot parts of the boot as successful.
MeasureSnapModelWhenPossible measures the snap model only if the TPM device is available.
MeasureSnapSystemEpochWhenPossible measures the snap system epoch only if the TPM device is available.
No description provided by the author
NewLoadChain returns a LoadChain corresponding to loading the given BootFile before any of the given next chains.
ProvisionForCVM provisions the default TPM using a custom SRK template that is created by the encrypt tool prior to first boot of Azure CVM instances.
ProvisionTPM provisions the default TPM and saves the lockout authorization key to the specified file.
RemoveOldCounterHandles releases TPM2 handles used by some keys.
RemoveRecoveryKeys removes any recovery key from all encrypted block devices.
Rename key slots on a LUKS2 container.
ResealKeys updates the PCR protection policy for the sealed encryption keys according to the specified parameters.
ResealKeysWithFDESetupHook updates hook based keydatas for given files with a specific list of models.
SealKeys seals the encryption keys according to the specified parameters.
No description provided by the author
StageEncryptionKeyChange stages a new encryption key for a given encrypted device.
TemporaryNameOldKeys takes a disk using legacy keyslots 0, 1, 2 and adds names to those keyslots.
TransitionEncryptionKeyChange transitions the encryption key on an encrypted device corresponding to the given mount point.
UnlockEncryptedVolumeUsingProtectorKey unlocks the provided device with a given plain key.
UnlockVolumeUsingSealedKeyIfEncrypted verifies whether an encrypted volume with the specified name exists and unlocks it using a sealed key in a file with a corresponding name.
VerifyPrimaryKeyDigest retrieves the primary key for a disk from the keyring and verifies its digest.

# Constants

No description provided by the author
No description provided by the author
No description provided by the author
NotUnlocked indicates that the device was either not unlocked or is not an encrypted device.
No description provided by the author
The range 0x01880005-0x0188000F. TODO:FDEM: we should apply for a subrange from UAPI group once they got a range assigned by TCG.
These handles are legacy, do not use them in new code.
TPMPartialReprovision indicates a partial reprovisioning of the TPM which was previously already provisioned by secboot.
TPMProvisionFull indicates a full provisioning of the TPM.
TPMProvisionFullWithoutLockout indicates full provisioning without using lockout authorization data, as currently used by Azure CVM.
No description provided by the author
UnlockedWithKey indicates that the device was unlocked with the provided key, which is not sealed.
UnlockedWithRecoveryKey indicates that the device was unlocked by the user providing the recovery key at the prompt.
UnlockedWithSealedKey indicates that the device was unlocked with the provided sealed key object.
UnlockStatusUnknown indicates that the unlock status of the device is not clear.

# Variables

No description provided by the author
No description provided by the author
WithSecbootSupport is true if this package was built with github.com/snapcore/secboot.

# Structs

KeyDataLocation represents the possible places where key data might be saved.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
TODO:FDEM: rename and drop Model from the name?
No description provided by the author
No description provided by the author
No description provided by the author
UnlockResult is the result of trying to unlock a volume.
UnlockVolumeUsingSealedKeyOptions contains options for unlocking encrypted volumes using keys sealed to the TPM.

# Interfaces

BootstrappedContainer is an abstraction for an encrypted container along with a key that is able to enroll other keys.
KeyDataWriter is an interface used by KeyData to write the data to persistent storage in an atomic way.
ModelForSealing provides information about the model for use in the context of (re)sealing the encryption keys.

# Type aliases

No description provided by the author
No description provided by the author
No description provided by the author
SerializedPCRProfile wraps a serialized PCR profile which is treated as an opaque binary blob outside of secboot package.
No description provided by the author
UnlockMethod is the method that was used to unlock a volume.