.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH GRUB-PROTECT "1" "February 2025" "GRUB 2:2.12.r226.g56ccc5ed-1" "User Commands"
.SH NAME
grub-protect \- protect a disk key with a key protector
.SH SYNOPSIS
.B grub-protect
[\fI\,OPTION\/\fR...]
.SH DESCRIPTION
grub-protect helps to protect a disk encryption key with a specified key protector.
.PP
Protect a cleartext key using a GRUB key protector that can retrieve the key
during boot to unlock fully\-encrypted disks automatically.
.TP
\fB\-a\fR, \fB\-\-action\fR=\fI\,add\/\fR|remove
Add or remove a key protector to or from a key.
.TP
\fB\-p\fR, \fB\-\-protector\fR=\fI\,tpm2\/\fR
Set key protector to use (only tpm2 is currently
supported).
.TP
\fB\-\-tpm2\-asymmetric\fR=\fI\,TYPE\/\fR
Set the type of SRK: RSA (RSA2048) and ECC
(ECC_NIST_P256). (default: ECC)
.TP
\fB\-\-tpm2\-bank\fR=\fI\,ALG\/\fR
Set the bank of PCRs used to authorize key
release: SHA1, SHA256, SHA384, or SHA512.
(default: SHA256)
.TP
\fB\-\-tpm2\-device\fR=\fI\,FILE\/\fR
Set the path to the TPM2 device. (default:
\fI\,/dev/tpm0\/\fP)
.TP
\fB\-\-tpm2\-evict\fR
Evict a previously persisted SRK from the TPM, if
any.
.TP
\fB\-\-tpm2\-keyfile\fR=\fI\,FILE\/\fR
Set the path to a file that contains the
cleartext key to protect.
.TP
\fB\-\-tpm2\-outfile\fR=\fI\,FILE\/\fR
Set the path to the file that will contain the
key after sealing (must be accessible to GRUB
during boot).
.TP
\fB\-\-tpm2\-pcrs\fR=\fI\,0[\/\fR,1]...
Set a comma\-separated list of PCRs used to
authorize key release, e.g. '7,11'. Be aware
that PCRs 0 through 7 are used by the firmware, and
their measurements may change after a
firmware update (on bare\-metal systems) or a
package (OVMF/SLOF) update on the VM host. This
may cause key unsealing to fail.
(default: 7)
.TP
\fB\-\-tpm2\-srk\fR=\fI\,NUM\/\fR
Set the SRK handle if the SRK is to be made
persistent.
.TP
\fB\-\-tpm2key\fR
Use TPM 2.0 Key File format.
.TP
\-?, \fB\-\-help\fR
give this help list
.TP
\fB\-\-usage\fR
give a short usage message
.TP
\fB\-V\fR, \fB\-\-version\fR
print program version
.PP
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
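.SH EXAMPLE
The following shell helpers are an added example, not part of GRUB or of the generated help text.
They check a \fB\-\-tpm2\-pcrs\fR list for the firmware\-measured PCRs 0 through 7 described above
and print a sealing command built only from the options on this page.
The function names, the sample paths and the limit of 24 PCRs per bank are assumptions.
.PP
.nf
```shell
#!/bin/sh
# Added example: helper names and the sample paths are hypothetical.

# Print the entries of a comma-separated PCR list that lie in 0-7, the
# firmware-measured range the --tpm2-pcrs text warns about.
# Returns 2 on a malformed list. Assumes 24 PCRs (0-23) per bank.
firmware_pcrs() {
    case "$1" in ""|*[!0-9,]*|,*|*,|*,,*) return 2 ;; esac
    out=""; old_ifs=$IFS; IFS=,
    for p in $1; do
        case "$p" in ???*) IFS=$old_ifs; return 2 ;; esac
        [ "$p" -le 23 ] || { IFS=$old_ifs; return 2; }
        if [ "$p" -le 7 ]; then out="${out:+$out,}$p"; fi
    done
    IFS=$old_ifs
    echo "$out"
}

# Usage: seal_command KEYFILE OUTFILE PCRS [BANK]
# Validate the PCR list and bank, warn on stderr about firmware PCRs, and
# print (not run) the grub-protect command line for review.
seal_command() {
    bank=${4:-SHA256}
    case "$bank" in SHA1|SHA256|SHA384|SHA512) ;; *)
        echo "unsupported bank: $bank" >&2; return 2 ;; esac
    fw=$(firmware_pcrs "$3") || { echo "bad PCR list: $3" >&2; return 2; }
    if [ -n "$fw" ]; then
        echo "note: PCR $fw can change on firmware or OVMF/SLOF update;" >&2
        echo "      re-seal the key after such an update" >&2
    fi
    cmd="grub-protect --action=add --protector=tpm2 --tpm2-bank=$bank"
    echo "$cmd --tpm2-pcrs=$3 --tpm2-keyfile=$1 --tpm2-outfile=$2"
}

# Constructed sample invocation.
seal_command /root/luks.key /boot/grub/sealed.tpm 7,11
```
.fi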
.SH "REPORTING BUGS"
Report bugs to <bug\-grub@gnu.org>.
.SH "SEE ALSO"
The full documentation for
.B grub-protect
is maintained as a Texinfo manual.  If the
.B info
and
.B grub-protect
programs are properly installed at your site, the command
.IP
.B info grub-protect
.PP
should give you access to the complete manual.