Brussels / 3 & 4 February 2024


Using your Laptop TPM as a Secure Key Store: Are we there yet?

The idea of using the comparatively new TPM2.0 as an infinite keystore was first proposed in 2016. Since then the base enabling work has been done inside the Linux Kernel and at the engine and provider layer of openssl and separately in gnupg (from 2.3). The main stumbling block in openssl, that of engine key enabling, has finally been mitigated by the openssl 3 move to providers. The big outlier is still openssh, which won't embrace either engines or providers, but the gpg-agent can be used to provide a TPM key based ssh-agent emulation. In this session, we'll review where we are and how to use a laptop TPM as a keystore (including a demonstration of ssh, gpg openssl and kernel based TPM keys), and where we're going including using TPM sealed keys with policy in the Linux Kernel to unlock disks under particular circumstances; the addition of localities to give keys which cannot be unsealed outside the kernel and the use of signed policies to try to counter the brittleness of PCR locking for measured boot (a signed policy key is a key that has a base policy, like locality, but which can have a set of signed policies that specify things like PCR values, which may be added to after the key was created).


Photo of James Bottomley James Bottomley