* [tpm2] Re: Ecrypting and decrypting a file using a TPM2
From: Steven Clark @ 2022-06-15  0:27 UTC
  To: tpm2

Generally bulk symmetric encryption is a feature real TPMs don't
implement.  What you do is generate a random transmission key for AES
encryption with something like OpenSSL's libcrypto and encrypt that
ephemeral key with the TPM.

On Tue, Jun 14, 2022, 5:06 PM <dawn.howe(a)alten.com> wrote:

> I am writing a c++ application on ubuntu 22.04 server that needs to
> encrypt and decrypt files and am using the FAPI api. The files need to be
> secured until the application uses them at a later time, so I am receiving
> plain files and encrypting them using Fapi_Encrypt().
>
> I tried following the pattern in the integration tests found in the
> tpm2-tools. (tpm2-tools/test/integration/fapi/fapi-encrypt-decrypt.sh)
>
> It basically does the following:
> Fapi_Initialize(&global_fapi_context, NULL);
> Fapi_Provision (global_fapi_context, NULL, NULL, NULL);
>
> const char * key_type = "noDa, decrypt, system";
> char * auth_value = NULL; // no password
> char * policy_path = NULL;
> Fapi_CreateKey (global_fapi_context, key_path, key_type, policy_path, auth_value);
>
> Fapi_Encrypt (global_fapi_context, key_path, (const uint8_t*)data, size, &cipherText, &cipherTextSize);
>
> The files (data buffer) I need to encrypt are about 3k bytes big.
>
> The encryption fails because the file is too big. The error comes from
> .../tpm2-tss/src/tss2-fapi/api/Fapi_Encrypt.c line 309:
>
> if (encKeyObject->misc.key.public.publicArea.type == TPM2_ALG_RSA) {
>                 TPM2B_DATA null_data = { .size = 0, .buffer = {} };
>                 TPM2B_PUBLIC_KEY_RSA *rsa_message = (TPM2B_PUBLIC_KEY_RSA *)&context->aux_data;
>                 size_t key_size =
>                     encKeyObject->misc.key.public.publicArea.parameters.rsaDetail.keyBits / 8;
>                 if (context->cmd.Data_EncryptDecrypt.in_dataSize > key_size) {
>                     goto_error_reset_state(r, TSS2_FAPI_RC_BAD_VALUE,
>                                            "Size to big for RSA encryption.", error_cleanup);
>
>
> Is my strategy completely wrong? What's the proper way to do this?  Is my
> strategy ok, but need to generate a different type of key?
>
> I'm new to this technology and am curious how it ought to be done.

* [tpm2] Re: Ecrypting and decrypting a file using a TPM2
From: Petr Gotthard @ 2022-06-16 15:42 UTC
  To: tpm2

Hi Dawn,
there are code samples in the OpenSSL documentation.
 
First, you need OSSL_PROVIDER_load as shown here
https://github.com/tpm2-software/tpm2-openssl/blob/master/test/selftest.c
 
 
Then, to load EVP_PKEY from the TPM you need the OSSL_STORE* functions and the snippet from here
https://github.com/tpm2-software/tpm2-openssl/issues/26#issuecomment-1057929799
 
 
Finally, I believe the OpenSSL routines to use for file encrypting are EVP_Seal* and EVP_Open*
https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope
these work exactly like Steven suggested.
 
If you face any troubles, just let me know.
 
 
Petr
 
______________________________________________________________
> From: dawn.howe(a)alten.com
> To: tpm2(a)lists.01.org
> Date: 15.06.2022 21:29
> Subject: [tpm2] Re: Ecrypting and decrypting a file using a TPM2
>
Petr:
 Thanks so much for the suggestion.  I was able to encrypt and decrypt my files based on the pattern in https://github.com/tpm2-software/tpm2-openssl/blob/master/test/cipher_aes128_cbc.sh.  I think I can accomplish what I want with some system calls to openssl.
 
 The code I'm writing is in C++. Is there a way to replace the system call to openssl with a c++ library call (perhaps that takes a provider parameter)?
 
 i.e. Replace the following with a C++ library call 
 openssl enc -provider tpm2 -aes128 -e -K $KEY -iv $IV -in testdata -out testdata.enc
 
 I'd love to see a code sample if you have one.
 
 thanks,
 Dawn
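
Steven's suggestion (random AES key for the file, RSA only for that key), which is also what the EVP_Seal*/EVP_Open* routines Petr points to do, shown as an added example with the openssl CLI; it is not part of the thread or of tpm2-openssl. A software RSA-2048 key pair stands in for the TPM key so the script runs without a TPM, and all function and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: envelope encryption with the openssl CLI.
# ASSUMPTION: a software RSA-2048 key pair stands in for the TPM-resident key;
# all function and file names are constructed for this demo.

make_wrap_key() {   # $1 = work dir; writes wrap.pem and wrap.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/wrap.pem" 2>/dev/null &&
    openssl pkey -in "$1/wrap.pem" -pubout -out "$1/wrap.pub"
}

# RSA over the whole file, the operation Fapi_Encrypt() rejected. 0 = success.
rsa_direct() {      # $1 = public key, $2 = input file
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out /dev/null 2>/dev/null
}

seal() {            # $1 = public key, $2 = plaintext, $3 = output prefix
    local key iv
    key=$(openssl rand -hex 32) && iv=$(openssl rand -hex 16) || return 1
    # Bulk data: AES-256-CBC under a fresh random key and IV.
    openssl enc -aes-256-cbc -e -K "$key" -iv "$iv" -in "$2" -out "$3.data" || return 1
    printf '%s' "$iv" > "$3.iv"
    # Only the 64-character hex key goes through RSA-OAEP; it fits the size limit.
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.key"
}

unseal() {          # $1 = private key, $2 = input prefix, $3 = output file
    local key
    key=$(openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2.key") || return 1
    openssl enc -aes-256-cbc -d -K "$key" -iv "$(cat "$2.iv")" -in "$2.data" -out "$3"
}

demo() {            # round trip on a constructed 3 KB random file
    local d rc
    d=$(mktemp -d) || return 1
    make_wrap_key "$d" && head -c 3072 /dev/urandom > "$d/plain" || return 1
    if rsa_direct "$d/wrap.pub" "$d/plain"; then echo "direct RSA: accepted"
    else echo "direct RSA: rejected, input is larger than the key"; fi
    seal "$d/wrap.pub" "$d/plain" "$d/sealed" &&
        unseal "$d/wrap.pem" "$d/sealed" "$d/out" &&
        cmp -s "$d/plain" "$d/out" && echo "envelope round trip: ok"
    rc=$?; rm -rf "$d"; return $rc
}

demo
```

Only the key wrap and unwrap steps involve the RSA key, so those are the operations a TPM-held key would take over. CBC as used here gives confidentiality only; add an integrity check such as an HMAC over the IV and ciphertext before trusting decrypted data.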


* [tpm2] Re: Ecrypting and decrypting a file using a TPM2
From: dawn.howe @ 2022-06-15 19:29 UTC
  To: tpm2

Petr:
Thanks so much for the suggestion.  I was able to encrypt and decrypt my files based on the pattern in https://github.com/tpm2-software/tpm2-openssl/blob/master/test/cipher_aes128_cbc.sh.  I think I can accomplish what I want with some system calls to openssl.

The code I'm writing is in C++. Is there a way to replace the system call to openssl with a c++ library call (perhaps that takes a provider parameter)?

i.e. Replace the following with a C++ library call 
openssl enc -provider tpm2 -aes128 -e -K $KEY -iv $IV -in testdata -out testdata.enc

I'd love to see a code sample if you have one.

thanks,
Dawn

* [tpm2] Re: Ecrypting and decrypting a file using a TPM2
From: Petr Gotthard @ 2022-06-15 13:21 UTC
  To: tpm2

I believe it may be easier to use openssl and its tpm2-openssl provider. OpenSSL can encrypt/decrypt files and the tpm2-openssl provider enables the use of TPM-based keys.
 
Petr
______________________________________________________________
> From: "Steven Clark" <davolfman(a)gmail.com>
> To: dawn.howe(a)alten.com
> Date: 15.06.2022 02:27
> Subject: [tpm2] Re: Ecrypting and decrypting a file using a TPM2
>
> CC: <tpm2(a)lists.01.org>
Generally bulk symmetric encryption is a feature real TPMs don't implement.  What you do is generate a random transmission key for AES encryption with something like OpenSSL's libcrypto and encrypt that ephemeral key with the TPM.

On Tue, Jun 14, 2022, 5:06 PM <dawn.howe(a)alten.com> wrote:
 I am writing a c++ application on ubuntu 22.04 server that needs to encrypt and decrypt files and am using the FAPI api. The files need to be secured until the application uses them at a later time, so I am receiving plain files and encrypting them using Fapi_Encrypt().
 
 I tried following the pattern in the integration tests found in the tpm2-tools. (tpm2-tools/test/integration/fapi/fapi-encrypt-decrypt.sh)
 
 It basically does the following:
 Fapi_Initialize(&global_fapi_context, NULL);
 Fapi_Provision (global_fapi_context, NULL, NULL, NULL);
 
 const char * key_type = "noDa, decrypt, system";
 char * auth_value = NULL; // no password
 char * policy_path = NULL;
 Fapi_CreateKey (global_fapi_context, key_path, key_type, policy_path, auth_value);
 
 Fapi_Encrypt (global_fapi_context, key_path, (const uint8_t*)data, size, &cipherText, &cipherTextSize);
 
 The files (data buffer) I need to encrypt are about 3k bytes big. 
 
 The encryption fails because the file is too big. The error comes from 
 .../tpm2-tss/src/tss2-fapi/api/Fapi_Encrypt.c line 309:
 
 if (encKeyObject->misc.key.public.publicArea.type == TPM2_ALG_RSA) {
                 TPM2B_DATA null_data = { .size = 0, .buffer = {} };
                 TPM2B_PUBLIC_KEY_RSA *rsa_message = (TPM2B_PUBLIC_KEY_RSA *)&context->aux_data;
                 size_t key_size =
                     encKeyObject->misc.key.public.publicArea.parameters.rsaDetail.keyBits / 8;
                 if (context->cmd.Data_EncryptDecrypt.in_dataSize > key_size) {
                     goto_error_reset_state(r, TSS2_FAPI_RC_BAD_VALUE,
                                            "Size to big for RSA encryption.", error_cleanup);
 
 
 Is my strategy completely wrong? What's the proper way to do this?  Is my strategy ok, but need to generate a different type of key?
 
 I'm new to this technology and am curious how it ought to be done.

