I am interested in 'adding' preexisting keys to a TPM's storage hierarchy.
An example of a desired key hierarchy can be shown as:
    (SRK) -----> (User Storage Key) -------> User Working Key 1
                                        |
                                        |------> User Working Key 2
                                        |
                                        |------> User Working Key 3
Where:
- SRK is the storage root key, created and managed by the TPM administrator.
- User Storage Key is created as a (public, private) key pair outside the TPM, for example by using the OpenSSL command line tools.
- User Working Keys are also created outside the TPM using OpenSSL.
How can I insert "User Storage Key" and "User Working Keys" in the above hierarchy?
The TPM allows me to create (public, private) key pairs internally inside the TPM (and to export the public key along with a (wrapped form of) the private key thereof). But it is not clear to me whether TPM commands like TPM_CreateWrapKey and TPM_LoadKey2 allow this option.
This is warranted by situations where a user's signing/encryption keys are already created elsewhere and we are interested in using the TPM as a secure repository of keys on the operating platform. (Binding/sealing to create opaque data inside the TPM is not useful here, since bound/sealed data is incapable of extending the key hierarchy.)
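In TPM 1.2, TPM_CreateWrapKey only generates key pairs inside the chip; a key generated elsewhere reaches the hierarchy by a different path. Software wraps it under the parent storage key's public portion into the same TPM_KEY12 blob format the chip itself produces (the TSS exposes this as Tspi_Key_WrapKey), and that blob is then loaded with TPM_LoadKey2 exactly like a TPM-generated one. The following example is added here and is not part of the question or of any TSS implementation: it builds such a blob with only the Python standard library and then re-runs the checks a TPM performs on load. The RSA key generator (standing in for OpenSSL), the key sizes and the auth values are constructed for illustration. One consequence the code makes visible: a key wrapped outside the TPM must carry the TPM_MIGRATABLE flag, because the migrationAuth of a non-migratable key is the chip-internal tpmProof, which no software can supply.

```python
# Added example, not from the question: the software-side wrap that places an
# externally generated RSA key under a TPM 1.2 storage key so TPM_LoadKey2 accepts it.
# Structures follow the TPM Main Spec Part 2; the toy RSA generator, key sizes and
# auth values are constructed for illustration and are not production code.
import hashlib, os, random, struct

TPM_TAG_KEY12, TPM_KEY_SIGNING, TPM_MIGRATABLE, TPM_AUTH_NEVER = 0x0028, 0x0010, 0x2, 0x00
TPM_ALG_RSA, TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1, TPM_PT_ASYM = 0x0001, 0x0001, 0x0002, 0x01
OAEP_LABEL = b"TCPA"  # encoding parameter the TPM uses for every OAEP operation
rng = random.SystemRandom()
sha1 = lambda b: hashlib.sha1(b).digest()

def mgf1(seed, length):
    return b"".join(sha1(seed + struct.pack(">I", i)) for i in range((length + 19) // 20))[:length]

def oaep_encrypt(n, e, msg):
    """RSAES-OAEP (SHA-1, MGF1, label 'TCPA') under the parent's public key: the TSS-side step."""
    k = (n.bit_length() + 7) // 8
    assert len(msg) <= k - 42, "TPM_STORE_ASYMKEY too long for this parent key"
    db = sha1(OAEP_LABEL) + b"\x00" * (k - len(msg) - 42) + b"\x01" + msg
    seed = os.urandom(20)
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - 21)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, 20)))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), e, n).to_bytes(k, "big")

def oaep_decrypt(n, d, ct):
    """Inverse of oaep_encrypt; only the TPM, holding the parent private key, can do this."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    seed = bytes(a ^ b for a, b in zip(em[1:21], mgf1(em[21:], 20)))
    db = bytes(a ^ b for a, b in zip(em[21:], mgf1(seed, k - 21)))
    rest = db[20:].lstrip(b"\x00")
    if em[0] != 0 or db[:20] != sha1(OAEP_LABEL) or rest[:1] != b"\x01":
        raise ValueError("bad OAEP padding")
    return rest[1:]

def is_probable_prime(n, rounds=16):
    if any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False  # cheap trial division before Miller-Rabin (candidates are large and odd)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_rsa(bits, e=65537):
    """Toy RSA key pair made outside the TPM, the role OpenSSL plays in the question."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n = p * q
        if p != q and n.bit_length() == bits and (p - 1) % e and (q - 1) % e:
            return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "p": p, "q": q}

def tpm_key_parms(bits, e):
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    rsa = struct.pack(">III", bits, 2, len(eb)) + eb  # TPM_RSA_KEY_PARMS
    return struct.pack(">IHHI", TPM_ALG_RSA, TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1, len(rsa)) + rsa

def wrap_external_key(parent, child, bits, usage_auth=bytes(20), migration_auth=None):
    """Build the TPM_KEY12 blob for a key the TPM never generated (migrationAuth is ours, so TPM_MIGRATABLE)."""
    migration_auth = migration_auth or os.urandom(20)
    k = (child["n"].bit_length() + 7) // 8
    pub = struct.pack(">I", k) + child["n"].to_bytes(k, "big")  # TPM_STORE_PUBKEY
    pb = child["p"].to_bytes((child["p"].bit_length() + 7) // 8, "big")
    asym = (bytes([TPM_PT_ASYM]) + usage_auth + migration_auth + sha1(pub)
            + struct.pack(">I", len(pb)) + pb)  # TPM_STORE_ASYMKEY; privKey holds the first prime only
    enc = oaep_encrypt(parent["n"], parent["e"], asym)
    return (struct.pack(">HHHIB", TPM_TAG_KEY12, 0, TPM_KEY_SIGNING, TPM_MIGRATABLE, TPM_AUTH_NEVER)
            + tpm_key_parms(bits, child["e"]) + struct.pack(">I", 0)  # PCRInfoSize = 0
            + pub + struct.pack(">I", len(enc)) + enc)

def tpm_load_key2_check(parent, blob):
    """The checks TPM_LoadKey2 makes: parse, decrypt under the parent, match pubDataDigest, p | n."""
    tag, _fill, usage, flags, _auth = struct.unpack_from(">HHHIB", blob, 0)
    if tag != TPM_TAG_KEY12:
        raise ValueError("not a TPM_KEY12 blob")
    parm_size, = struct.unpack_from(">I", blob, 19)  # TPM_KEY_PARMS.parmSize
    off = 23 + parm_size + 4 + struct.unpack_from(">I", blob, 23 + parm_size)[0]  # skip PCRInfo
    klen, = struct.unpack_from(">I", blob, off)
    pub, off = blob[off:off + 4 + klen], off + 4 + klen
    enc_size, = struct.unpack_from(">I", blob, off)
    asym = oaep_decrypt(parent["n"], parent["d"], blob[off + 4:off + 4 + enc_size])
    if asym[0] != TPM_PT_ASYM or asym[41:61] != sha1(pub):
        raise ValueError("payload type or pubDataDigest mismatch")
    n, plen = int.from_bytes(pub[4:], "big"), struct.unpack_from(">I", asym, 61)[0]
    p = int.from_bytes(asym[65:65 + plen], "big")
    if n % p or not flags & TPM_MIGRATABLE:
        raise ValueError("prime does not divide modulus, or non-migratable key without tpmProof")
    return {"n": n, "p": p, "q": n // p, "usage": usage}
```

To try it, generate a 2048-bit parent and child with gen_rsa (the parent stands in for the SRK or the User Storage Key), call wrap_external_key(parent, child, 2048) and pass the blob to tpm_load_key2_check(parent, blob); a real TPM performs that second step with the parent private key that never leaves the chip. The User Storage Key in the diagram is imported the same way under the SRK, but with keyUsage TPM_KEY_STORAGE and encScheme TPM_ES_RSAESOAEP_SHA1_MGF1, which the signing-only tpm_key_parms here does not set.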