README ¶
Encrypt with an RSA key generated by the TPM
- First create a primary key
# optionally seed the "unique" bit
# https://github.com/tpm2-software/tpm2-tools/issues/2378
printf '\x00\x01' > ud.1
dd if=/dev/random bs=256 count=1 of=ud.2
cat ud.1 ud.2 > unique.dat
tpm2_createprimary -C o -c primary.ctx -u unique.dat
We are using the e
ndorsement hierarchy.
- Create a child key enabled for decryption.
Export the pub, priv portions as key.pub
, key.priv
tpm2_create -G rsa -u key.pub -r key.priv -C primary.ctx
- Load the key context
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_evictcontrol -C o -c key.ctx 0x81008000
Key context is key.ctx
and also as persistent handle 0x81008000
- Create a secret file
echo "meet me at..." > secret.txt
- Encrypt
secret.txt
with the key context
tpm2_rsaencrypt -c key.ctx -o secret.txt.enc secret.txt
At this point secret.txt.enc
is encrypted.
- Decrypt the encrypted file
tpm2_rsadecrypt -c key.ctx -o secret.txt.dec secret.txt.enc
more secret.txt.dec
meet me at...
Convert the TPM loaded public key to PEM and encrypt with public key using openssl
- Export the public key in PEM format
$ tpm2_readpublic -c key.ctx -f PEM -o key.pem
$ more key.pem
-----BEGIN PUBLIC KEY-----
MIIBI....
-----END PUBLIC KEY-----
- Encrypt some file with the public portion
$ echo "foo" > rsa_external.txt
$ openssl rsautl -encrypt -inkey key.pem -pubin -in rsa_external.txt -out rsa_external.txt.enc
- Decrypt it w/ the tpm
$ tpm2_rsadecrypt -c key.ctx -o rsa_external.txt.ptext rsa_external.txt.enc
$ more rsa_external.txt.ptext
foo
// # go run main.go -handle=0x81010002 --logtostderr=1 -v 5
// I1028 23:25:07.038792 9297 main.go:33] ======= Init ========
// I1028 23:25:07.052022 9297 main.go:60] 0 handles flushed
// I1028 23:25:07.054913 9297 main.go:75] Encrypted Data BYuDlnZ+oU...
// I1028 23:25:07.060076 9297 main.go:81] Decrypted Data meet me at...
with policy
echo "foo" > secret.dat
openssl rand -out iv.bin 16
tpm2_startauthsession -S session.dat
tpm2_pcrread sha256:23 -o pcr23_val.bin
tpm2_policypcr -S session.dat -l sha256:23 -L policy.dat -f pcr23_val.bin
tpm2_policypassword -S session.dat -L policy.dat
tpm2_flushcontext session.dat
tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2_create -g sha256 -G aes -u key.pub -r key.priv -C primary.ctx -L policy.dat -p testpswd
tpm2_load -C primary.ctx -u key.pub -r key.priv -n key.name -c aes.ctx
tpm2_startauthsession --policy-session -S session.dat
tpm2_pcrread sha256:23 -o pcr23_val.bin
tpm2_policypcr -S session.dat -l sha256:23 -f pcr23_val.bin
tpm2_policypassword -S session.dat -L policy.dat
tpm2_encryptdecrypt -Q --iv iv.bin -c aes.ctx -o cipher.out secret.dat -p"session:session.dat+testpswd"
tpm2_flushcontext session.dat
tpm2_startauthsession --policy-session -S session.dat
tpm2_policypcr -S session.dat -l sha256:23
tpm2_policypassword -S session.dat -L policy.dat
tpm2_encryptdecrypt -Q --iv iv.bin -c aes.ctx -d -o plain.out cipher.out -p"session:session.dat+testpswd"
tpm2_flushcontext session.dat
$ tpm2_pcrextend 23:sha256=0x0000000000000000000000000000000000000000000000000000000000000000
$ tpm2_pcrread sha256:23
sha256:
23: 0xF5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B
Documentation ¶
There is no documentation for this package.
Click to show internal directories.
Click to hide internal directories.