encrypt_with_tpm_rsa

command
v0.0.0-...-074a82d Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 18, 2023 License: Apache-2.0 Imports: 6 Imported by: 0

README

Encrypt with an RSA key generated by the TPM

  1. First create a primary key
# optionally seed the "unique" bit
# https://github.com/tpm2-software/tpm2-tools/issues/2378
printf '\x00\x01' > ud.1
dd if=/dev/random bs=256 count=1 of=ud.2
cat ud.1 ud.2 > unique.dat

tpm2_createprimary -C o -c primary.ctx -u unique.dat

We are using the endorsement hierarchy.

  1. Create a child key enabled for decryption.

Export the pub, priv portions as key.pub, key.priv

tpm2_create -G rsa -u key.pub -r key.priv -C primary.ctx
  1. Load the key context
tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
tpm2_evictcontrol -C o -c key.ctx 0x81008000

Key context is key.ctx and also as persistent handle 0x81008000

see https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf

  1. Create a secret file
echo "meet me at..." > secret.txt
  1. Encrypt secret.txt with the key context
tpm2_rsaencrypt -c key.ctx   -o secret.txt.enc secret.txt

At this point secret.txt.enc is encrypted.

  1. Decrypt the encrypted file
tpm2_rsadecrypt -c key.ctx -o secret.txt.dec  secret.txt.enc

more secret.txt.dec
 meet me at...

Convert the TPM loaded public key to PEM and encrypt with public key using openssl

  1. Export the public key in PEM format
$ tpm2_readpublic -c key.ctx -f PEM -o key.pem

$ more key.pem 
-----BEGIN PUBLIC KEY-----
MIIBI....
-----END PUBLIC KEY-----
  1. Encrypt some file with the public portion
$ echo "foo" > rsa_external.txt
$ openssl rsautl -encrypt -inkey key.pem -pubin -in rsa_external.txt -out rsa_external.txt.enc
  1. Decrypt it w/ the tpm
$ tpm2_rsadecrypt -c key.ctx -o rsa_external.txt.ptext rsa_external.txt.enc

$ more rsa_external.txt.ptext
  foo

// # go run main.go -handle=0x81010002  --logtostderr=1 -v 5
// I1028 23:25:07.038792    9297 main.go:33] ======= Init  ========
// I1028 23:25:07.052022    9297 main.go:60] 0 handles flushed
// I1028 23:25:07.054913    9297 main.go:75] Encrypted Data BYuDlnZ+oU...
// I1028 23:25:07.060076    9297 main.go:81] Decrypted Data meet me at...

with policy

echo "foo" > secret.dat
openssl rand  -out iv.bin 16

tpm2_startauthsession -S session.dat
tpm2_pcrread sha256:23 -o pcr23_val.bin
tpm2_policypcr -S session.dat -l sha256:23  -L policy.dat -f pcr23_val.bin
tpm2_policypassword -S session.dat -L policy.dat
tpm2_flushcontext session.dat

tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2_create -g sha256 -G aes -u key.pub -r key.priv -C primary.ctx  -L policy.dat -p testpswd
tpm2_load -C primary.ctx -u key.pub -r key.priv -n key.name -c aes.ctx  


tpm2_startauthsession --policy-session -S session.dat
tpm2_pcrread sha256:23 -o pcr23_val.bin
tpm2_policypcr -S session.dat -l sha256:23 -f pcr23_val.bin
tpm2_policypassword -S session.dat -L policy.dat 
tpm2_encryptdecrypt -Q --iv iv.bin  -c aes.ctx -o cipher.out   secret.dat  -p"session:session.dat+testpswd"
tpm2_flushcontext session.dat

tpm2_startauthsession --policy-session -S session.dat
tpm2_policypcr -S session.dat -l sha256:23
tpm2_policypassword -S session.dat -L policy.dat 
tpm2_encryptdecrypt -Q --iv iv.bin  -c aes.ctx -d -o plain.out cipher.out  -p"session:session.dat+testpswd"
tpm2_flushcontext session.dat

$ tpm2_pcrextend 23:sha256=0x0000000000000000000000000000000000000000000000000000000000000000
$ tpm2_pcrread sha256:23
    sha256:
      23: 0xF5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.