* [tpm2] Re: How can I use a persisted object without it’s primary key?
@ 2021-05-06 14:08 Fuchs, Andreas
  0 siblings, 0 replies; 5+ messages in thread
From: Fuchs, Andreas @ 2021-05-06 14:08 UTC (permalink / raw)
  To: tpm2


There is no TPM functionality to export keys that were previously made persistent.
You need to store the private key blob from the create / createloaded command.

The primary key serves the bootstrapping of the key encryption chains. But for persistent keys it serves no purpose after they were made persistent.

________________________________________
From: Rowan Moul <lists(a)rowan.moul.ca>
Sent: Thursday, 6 May 2021 15:00
To: Fuchs, Andreas
Cc: tpm2(a)lists.01.org
Subject: Re: [tpm2] How can I use a persisted object without it’s primary key?

That makes sense.

What if I want to extract the key from the tpm later? Assuming I did not retain the private portion of the signing key when I created it (perhaps I used the createLoaded command and it never left the tpm). I was looking through all the tools and I did not see one that would let me export the private part of the key even if I re-loaded the primary key (which I assume would be required so that it could be used to encrypt the private area before it leaves the tpm).
Also, if I wanted to move the signing key to another tpm (or even an alternative key management solution) is there a way to export the key in the clear?

It seems to me that if I don’t need this key to ever leave the tpm then the primary key has no purpose beyond being required in the initial creation command. I’m sure this is not entirely the case though.

Thank you,

Rowan

> On May 6, 2021, at 02:06, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
>
> Persistent keys inside the TPM are not encrypted with their parent anymore.
> Only with a TPM-internal flash-encryption that you do not have to care about.
>
> ________________________________________
> From: Rowan Moul <lists(a)rowan.moul.ca>
> Sent: Thursday, 6 May 2021 07:17
> To: tpm2(a)lists.01.org
> Subject: [tpm2] How can I use a persisted object without it’s primary key?
>
> Hello,
> I’m just trying to get a better sense of how the TPM storage hierarchy works.
>
> Say I create a primary key under the owner hierarchy, and then I create a signing key under that. I persist the signing key with tpm2_evictcontrol but I do NOT persist the primary key.
> How am I able to use the signing key on subsequent boots without the primary key existing in the TPM memory? Isn’t it needed to decrypt the signing key? Or is the persisted signing key not encrypted by the primary key when it resides inside the TPM hardware?
>
> Thanks,
>
> Rowan
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org



* [tpm2] Re: How can I use a persisted object without it’s primary key?
@ 2021-05-12 18:25 Roberts, William C
  0 siblings, 0 replies; 5+ messages in thread
From: Roberts, William C @ 2021-05-12 18:25 UTC (permalink / raw)
  To: tpm2


Given an object with appropriate object attributes, you could tpm2_duplicate the object to move it to a different TPM or the same spot in the TPM. More details in man tpm2_duplicate.
I don't think you can use this to get the plain text key, because a public key to the new parent is required, but I'm not 100% sure.
________________________________
From: Rowan Moul <lists(a)rowan.moul.ca>
Sent: Thursday, May 6, 2021 8:00 AM
To: Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de>
Cc: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Re: How can I use a persisted object without it’s primary key?

That makes sense.

What if I want to extract the key from the tpm later? Assuming I did not retain the private portion of the signing key when I created it (perhaps I used the createLoaded command and it never left the tpm). I was looking through all the tools and I did not see one that would let me export the private part of the key even if I re-loaded the primary key (which I assume would be required so that it could be used to encrypt the private area before it leaves the tpm).
Also, if I wanted to move the signing key to another tpm (or even an alternative key management solution) is there a way to export the key in the clear?

It seems to me that if I don’t need this key to ever leave the tpm then the primary key has no purpose beyond being required in the initial creation command. I’m sure this is not entirely the case though.

Thank you,

Rowan

> On May 6, 2021, at 02:06, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
>
> Persistent keys inside the TPM are not encrypted with their parent anymore.
> Only with a TPM-internal flash-encryption that you do not have to care about.
>
> ________________________________________
> From: Rowan Moul <lists(a)rowan.moul.ca>
> Sent: Thursday, 6 May 2021 07:17
> To: tpm2(a)lists.01.org
> Subject: [tpm2] How can I use a persisted object without it’s primary key?
>
> Hello,
> I’m just trying to get a better sense of how the TPM storage hierarchy works.
>
> Say I create a primary key under the owner hierarchy, and then I create a signing key under that. I persist the signing key with tpm2_evictcontrol but I do NOT persist the primary key.
> How am I able to use the signing key on subsequent boots without the primary key existing in the TPM memory? Isn’t it needed to decrypt the signing key? Or is the persisted signing key not encrypted by the primary key when it resides inside the TPM hardware?
>
> Thanks,
>
> Rowan

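Added example for Bill's reply above; this is my own script, not code from the thread and not tpm2-tools project code. It shows the two halves of a tpm2_duplicate move (source TPM wraps the key to the destination's storage key public part, destination TPM imports it) plus an offline check of the object attributes, since a key created with the tpm2_create defaults carries fixedtpm|fixedparent and cannot be duplicated no matter what authorisation you hold. Bill is right that the normal flow needs the new parent's public key; note that Part 3 of the TPM 2.0 Library spec also permits TPM_RH_NULL as newParentHandle, in which case no outer wrapper is applied, so a duplicable key is not the right design if "never leaves the TPM in the clear" is a requirement. Option names follow the tpm2-tools 5.x man pages as I know them (check `man tpm2_duplicate` and `man tpm2_import`); file names, the policy, the handle 0x81010002 and the TPM2_DEMO gate are assumptions of this example. The sample tpm2_readpublic output in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tools.  Option names
# follow the tpm2-tools 5.x man pages as I know them (check `man tpm2_duplicate`
# and `man tpm2_import`); file names, the policy and the handle are made up.
set -e

# Offline helper: read `tpm2_readpublic` output on stdin and succeed only if
# the object attributes permit duplication at all.  Keys created with the
# tpm2_create defaults carry fixedtpm|fixedparent and can never be duplicated,
# whatever authorisation you hold.
duplicable_attrs() {
    attrs=$(awk '/^attributes:/ {f=1; next} f && /value:/ {print $2; exit}')
    [ -n "$attrs" ] || return 1               # no attributes block: refuse
    case "$attrs" in
        *fixedtpm*|*fixedparent*) return 1 ;;  # bound to this TPM / this parent
    esac
    return 0
}

# Source TPM: the key needs (a) attributes without fixedtpm|fixedparent and
# (b) an authPolicy that allows TPM2_CC_Duplicate; a password alone is never
# accepted for TPM2_Duplicate.
source_create_and_duplicate() {
    tpm2_startauthsession -S trial.ctx                      # trial session -> policy digest
    tpm2_policycommandcode -S trial.ctx -L dup.policy TPM2_CC_Duplicate
    tpm2_flushcontext trial.ctx

    tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
    tpm2_create -C primary.ctx -g sha256 -G rsa2048:rsassa:null \
        -a "sensitivedataorigin|userwithauth|sign" -L dup.policy \
        -u key.pub -r key.priv
    tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
    tpm2_readpublic -c key.ctx | duplicable_attrs           # fail early if attrs are wrong

    # new_parent.pub is the PUBLIC part of a storage key on the destination
    # TPM (obtained there with: tpm2_readpublic -c dst_primary.ctx -o new_parent.pub).
    tpm2_loadexternal -C o -u new_parent.pub -c new_parent.ctx
    tpm2_startauthsession --policy-session -S sess.ctx      # real policy session
    tpm2_policycommandcode -S sess.ctx TPM2_CC_Duplicate
    tpm2_duplicate -C new_parent.ctx -c key.ctx -G null \
        -p "session:sess.ctx" -r key.dup -s key.seed
    tpm2_flushcontext sess.ctx
    # key.dup is the sensitive area wrapped under a seed that only the holder
    # of new_parent's private half can recover from key.seed, so nothing in
    # these files is the key in the clear.
}

# Destination TPM: unwrap under the matching storage key, then persist.
destination_import() {
    tpm2_createprimary -C o -g sha256 -G rsa -c dst_primary.ctx
    tpm2_import -C dst_primary.ctx -u key.pub -i key.dup -s key.seed \
        -r key_imported.priv
    tpm2_load -C dst_primary.ctx -u key.pub -r key_imported.priv -c key_imported.ctx
    tpm2_evictcontrol -C o -c key_imported.ctx 0x81010002
}

# Only touch real TPMs when asked; the offline helper above works regardless.
if [ "${TPM2_DEMO:-}" = source ]; then source_create_and_duplicate; fi
if [ "${TPM2_DEMO:-}" = destination ]; then destination_import; fi
```

Run it with TPM2_DEMO=source on the machine holding the key and TPM2_DEMO=destination on the receiving one, after copying new_parent.pub in one direction and key.pub, key.dup and key.seed in the other; TPM2TOOLS_TCTI can point both at swtpm instances for a dry run.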


* [tpm2] Re: How can I use a persisted object without it’s primary key?
@ 2021-05-06 14:28 Rowan Moul
  0 siblings, 0 replies; 5+ messages in thread
From: Rowan Moul @ 2021-05-06 14:28 UTC (permalink / raw)
  To: tpm2


That is good to know. Thanks for the help!

Rowan

> On May 6, 2021, at 08:08, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> 
> There is no TPM functionality to export keys that were previously made persistent.
> You need to store the private key blob from the create / createloaded command.
> 
> The primary key serves the bootstrapping of the key encryption chains. But for persistent keys it serves no purpose after they were made persistent.
> 
> ________________________________________
> From: Rowan Moul <lists(a)rowan.moul.ca>
> Sent: Thursday, 6 May 2021 15:00
> To: Fuchs, Andreas
> Cc: tpm2(a)lists.01.org
> Subject: Re: [tpm2] How can I use a persisted object without it’s primary key?
> 
> That makes sense.
> 
> What if I want to extract the key from the tpm later? Assuming I did not retain the private portion of the signing key when I created it (perhaps I used the createLoaded command and it never left the tpm). I was looking through all the tools and I did not see one that would let me export the private part of the key even if I re-loaded the primary key (which I assume would be required so that it could be used to encrypt the private area before it leaves the tpm).
> Also, if I wanted to move the signing key to another tpm (or even an alternative key management solution) is there a way to export the key in the clear?
> 
> It seems to me that if I don’t need this key to ever leave the tpm then the primary key has no purpose beyond being required in the initial creation command. I’m sure this is not entirely the case though.
> 
> Thank you,
> 
> Rowan
> 
>> On May 6, 2021, at 02:06, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
>> 
>> Persistent keys inside the TPM are not encrypted with their parent anymore.
>> Only with a TPM-internal flash-encryption that you do not have to care about.
>> 
>> ________________________________________
>> From: Rowan Moul <lists(a)rowan.moul.ca>
>> Sent: Thursday, 6 May 2021 07:17
>> To: tpm2(a)lists.01.org
>> Subject: [tpm2] How can I use a persisted object without it’s primary key?
>> 
>> Hello,
>> I’m just trying to get a better sense of how the TPM storage hierarchy works.
>> 
>> Say I create a primary key under the owner hierarchy, and then I create a signing key under that. I persist the signing key with tpm2_evictcontrol but I do NOT persist the primary key.
>> How am I able to use the signing key on subsequent boots without the primary key existing in the TPM memory? Isn’t it needed to decrypt the signing key? Or is the persisted signing key not encrypted by the primary key when it resides inside the TPM hardware?
>> 
>> Thanks,
>> 
>> Rowan


* [tpm2] Re: How can I use a persisted object without it’s primary key?
@ 2021-05-06 13:00 Rowan Moul
  0 siblings, 0 replies; 5+ messages in thread
From: Rowan Moul @ 2021-05-06 13:00 UTC (permalink / raw)
  To: tpm2


That makes sense.

What if I want to extract the key from the tpm later? Assuming I did not retain the private portion of the signing key when I created it (perhaps I used the createLoaded command and it never left the tpm). I was looking through all the tools and I did not see one that would let me export the private part of the key even if I re-loaded the primary key (which I assume would be required so that it could be used to encrypt the private area before it leaves the tpm).
Also, if I wanted to move the signing key to another tpm (or even an alternative key management solution) is there a way to export the key in the clear?

It seems to me that if I don’t need this key to ever leave the tpm then the primary key has no purpose beyond being required in the initial creation command. I’m sure this is not entirely the case though.

Thank you,

Rowan

> On May 6, 2021, at 02:06, Fuchs, Andreas <andreas.fuchs(a)sit.fraunhofer.de> wrote:
> 
> Persistent keys inside the TPM are not encrypted with their parent anymore.
> Only with a TPM-internal flash-encryption that you do not have to care about.
> 
> ________________________________________
> From: Rowan Moul <lists(a)rowan.moul.ca>
> Sent: Thursday, 6 May 2021 07:17
> To: tpm2(a)lists.01.org
> Subject: [tpm2] How can I use a persisted object without it’s primary key?
> 
> Hello,
> I’m just trying to get a better sense of how the TPM storage hierarchy works.
> 
> Say I create a primary key under the owner hierarchy, and then I create a signing key under that. I persist the signing key with tpm2_evictcontrol but I do NOT persist the primary key.
> How am I able to use the signing key on subsequent boots without the primary key existing in the TPM memory? Isn’t it needed to decrypt the signing key? Or is the persisted signing key not encrypted by the primary key when it resides inside the TPM hardware?
> 
> Thanks,
> 
> Rowan


* [tpm2] Re: How can I use a persisted object without it’s primary key?
@ 2021-05-06  8:06 Fuchs, Andreas
  0 siblings, 0 replies; 5+ messages in thread
From: Fuchs, Andreas @ 2021-05-06  8:06 UTC (permalink / raw)
  To: tpm2


Persistent keys inside the TPM are not encrypted with their parent anymore.
Only with a TPM-internal flash-encryption that you do not have to care about.

________________________________________
From: Rowan Moul <lists(a)rowan.moul.ca>
Sent: Thursday, 6 May 2021 07:17
To: tpm2(a)lists.01.org
Subject: [tpm2] How can I use a persisted object without it’s primary key?

Hello,
I’m just trying to get a better sense of how the TPM storage hierarchy works.

Say I create a primary key under the owner hierarchy, and then I create a signing key under that. I persist the signing key with tpm2_evictcontrol but I do NOT persist the primary key.
How am I able to use the signing key on subsequent boots without the primary key existing in the TPM memory? Isn’t it needed to decrypt the signing key? Or is the persisted signing key not encrypted by the primary key when it resides inside the TPM hardware?

Thanks,

Rowan
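Added example covering Andreas' two replies in this thread (the 8:06 one above, "persistent keys are not encrypted with their parent anymore", and the 14:08 one at the top, "store the private key blob from create / createloaded"); this is my own script, not code from the thread and not tpm2-tools project code. It walks the whole lifecycle: the primary is only needed while the key blob is wrapped at creation and load time, the persistent handle then works by itself on any later boot with no primary loaded, and the key.pub/key.priv pair written by tpm2_create is the only way to get the key back into this TPM (and only this TPM) once the persistent copy is gone. Command syntax follows the tpm2-tools 5.x man pages as I know them; the persistent handle 0x81010001, the file names, the primary template and the TPM2_DEMO gate are assumptions of this example, and the sample tpm2_getcap output in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from tpm2-tools.  Command syntax
# follows the tpm2-tools 5.x man pages as I know them; the handle, file names
# and primary template are assumptions of this demo.
set -e

PRIMARY_TEMPLATE="rsa2048:null:aes128cfb"  # same template + same owner seed => same primary key
SIGN_HANDLE=0x81010001                      # assumed free persistent handle in the owner range

# Offline helper: read `tpm2_getcap handles-persistent` output on stdin (a YAML
# list, one "- 0x8101xxxx" per line) and succeed if HANDLE ($1) is listed.
persistent_handle_present() {
    grep -qi -e "^- *$1\$"
}

# Day 0: create the signing key under a transient primary, persist the key,
# and keep key.pub/key.priv.  That blob pair is the only way to get this key
# back into the TPM later; nothing can export it once it is persistent.
provision() {
    tpm2_createprimary -C o -g sha256 -G "$PRIMARY_TEMPLATE" -c primary.ctx
    tpm2_create -C primary.ctx -g sha256 -G rsa2048:rsassa:null \
        -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign" \
        -u key.pub -r key.priv              # key.priv is wrapped by the primary
    tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
    if ! tpm2_getcap handles-persistent | persistent_handle_present "$SIGN_HANDLE"; then
        tpm2_evictcontrol -C o -c key.ctx "$SIGN_HANDLE"   # TPM keeps its own internal copy
    fi
    tpm2_flushcontext -t                    # primary and transient key are gone now
}

# Any later boot: the persistent handle is usable by itself; no primary exists.
sign_later() {
    printf 'hello' > msg.bin
    tpm2_sign -c "$SIGN_HANDLE" -g sha256 -o msg.sig msg.bin
    tpm2_verifysignature -c "$SIGN_HANDLE" -g sha256 -m msg.bin -s msg.sig
}

# Recovery: recreate the primary (deterministic from the owner seed, which only
# TPM2_Clear changes) and reload the saved blobs, e.g. after the persistent
# copy was evicted.  This works on THIS TPM only; the blob is useless elsewhere.
reload_from_blobs() {
    tpm2_createprimary -C o -g sha256 -G "$PRIMARY_TEMPLATE" -c primary.ctx
    tpm2_load -C primary.ctx -u key.pub -r key.priv -c key2.ctx
    tpm2_flushcontext -t
}

# Gate so that running the file never touches a TPM unless asked
# (TPM2TOOLS_TCTI can point at a swtpm simulator for a dry run).
if [ "${TPM2_DEMO:-0}" = 1 ]; then
    provision && sign_later && reload_from_blobs
fi
```

The attribute string passed to tpm2_create is the tpm2-tools default minus decrypt; fixedtpm|fixedparent is what makes this key non-duplicable, so if you ever want to move it to another TPM the blob backup is not enough and you have to drop those two bits (and add a duplication policy) at creation time.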


Thread overview: 5+ messages
2021-05-06 14:08 [tpm2] Re: How can I use a persisted object without it’s primary key? Fuchs, Andreas
2021-05-12 18:25 Roberts, William C
2021-05-06 14:28 Rowan Moul
2021-05-06 13:00 Rowan Moul
2021-05-06  8:06 Fuchs, Andreas