
Is it possible to use the TPM for storage of some private key? It's not full-disk encryption; I want it to be compatible with existing LUKS, just add another key, and store it in the TPM.

D.W.
daisy

3 Answers


Try tpm-luks [1], which is a script that will assist in storing a new secret both in the TPM's NVRAM and a LUKS key slot.

This should do the trick:

$ tpm-luks -c -d <device>

You can find your LUKS device with:

# blkid -t TYPE=crypto_LUKS

I released tpm-luks very recently, so it's only available in git at the moment.

[1] https://github.com/shpedoikal/tpm-luks

shpedoikal

From what I know, nothing prevents this in practice, but the code has not been written yet. You can, however, take a look at http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fecrypts%2Fliaaiecryptfs.htm

The idea is to use tpm_sealdata to encrypt a file, which can then be unlocked only if the boot was not fiddled with.

You may need to use a patched version of grub, called trusted grub. I do not think this was integrated into grub2.

Once the file is unlocked, you can feed it as a key to cryptsetup, and if that fails, run the regular "ask the password" dialog, thus permitting the system to boot even if the hardware was fiddled with. But of course, that would mean the system boots without a password by default.

Misc
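The seal-then-unlock flow described in the answer above, as an added example that is not part of the original thread and not code from tpm-luks or any other project mentioned here. It enrols a random key file into a LUKS key slot, seals it to a PCR set with the TPM 1.2 tpm-tools, and at unlock time tries the unsealed key first and falls back to the interactive passphrase prompt. Assumptions not stated on the page: the tpm_sealdata/tpm_unsealdata flags as in tpm-tools (`-z` well-known SRK secret, `-p` PCR index, `-i`/`-o` files), that tpm_unsealdata writes to stdout when `-o` is omitted, the file paths under /etc/luks, and the function names, which are all mine.

```shell
#!/bin/sh
# Added example, not from the thread or from tpm-luks: enrol a LUKS key file,
# seal it to the TPM, and unlock with a passphrase fallback.
# Assumed (not from the page): tpm-tools flag names, tpm_unsealdata defaulting
# to stdout, and the paths/PCR list below. Needs root for enrol/unlock/list.

set -u

KEYFILE=${KEYFILE:-/etc/luks/tpm.key}          # plaintext key, exists only during enrolment
SEALED=${SEALED:-/etc/luks/tpm.key.sealed}     # TPM-sealed blob carried in the initramfs
PCRS=${PCRS:-"0 1 2 3 4 5 6 7 8 9 12 13"}      # PCRs to bind to (assumed set)

# Turn "0 2 4" into "-p 0 -p 2 -p 4" for tpm_sealdata.
pcr_args() {
    out=""
    for p in "$@"; do
        out="$out -p $p"
    done
    printf '%s' "${out# }"
}

# Pick the device paths out of `blkid -t TYPE=crypto_LUKS` output read on stdin.
luks_devices_from_blkid() {
    while IFS= read -r line; do
        case "$line" in
            *TYPE=\"crypto_LUKS\"*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# Enrolment: random key -> new LUKS key slot (cryptsetup prompts for an existing
# passphrase) -> seal to the current PCR values -> destroy the plaintext copy.
enrol() {
    dev=$1
    ( umask 077; head -c 64 /dev/urandom > "$KEYFILE" )
    cryptsetup luksAddKey "$dev" "$KEYFILE"
    # shellcheck disable=SC2086  # word splitting of the -p list is intended
    tpm_sealdata -z $(pcr_args $PCRS) -i "$KEYFILE" -o "$SEALED"
    shred -u "$KEYFILE"
}

# Boot-time unlock: unsealing only succeeds if the PCRs match enrolment. On any
# failure (changed boot path, no TPM, stale blob) fall back to the passphrase prompt,
# which is exactly the "boots without a password by default" trade-off the answer notes.
open_with_fallback() {
    dev=$1 name=$2
    if tpm_unsealdata -z -i "$SEALED" | cryptsetup luksOpen --key-file - "$dev" "$name"; then
        return 0
    fi
    echo "TPM unseal or key-slot match failed, falling back to passphrase" >&2
    cryptsetup luksOpen "$dev" "$name"
}

# Nothing runs unless a sub-command is given, so the file can also be sourced.
case "${1:-}" in
    enrol)  enrol "$2" ;;
    unlock) open_with_fallback "$2" "$3" ;;
    list)   blkid -t TYPE=crypto_LUKS | luks_devices_from_blkid ;;
esac
```

Usage: `./tpm-unlock.sh list` to find the device, `./tpm-unlock.sh enrol /dev/sda2` once, then `./tpm-unlock.sh unlock /dev/sda2 cryptroot` from the initramfs. If the sealed blob does not unseal, the pipe feeds cryptsetup an empty key, luksOpen fails, and the prompt path runs; nothing on disk ever holds the plaintext key after enrolment.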

FYI, with minor changes to tpm-luks, I got it working with our application to secure the root partition's LUKS key in TPM NVRAM. The scripts work like a charm. It's easy if it's not a root partition but some other partition or file. I tied the key into NVRAM based on PCRs 0 through 9 and also 12 and 13. Be aware your BIOS should comply with NIST SP800-147; some MITRE researchers discovered a hole.

Bill