Foxboron / age-plugin-tpm

:key: TPM 2.0 plugin for age
MIT License
82 stars 8 forks

Program fails when encrypting when there is no permission to the TPM #22

Closed lf- closed 9 months ago

lf- commented 9 months ago

On a completely unrelated machine to the one with the actual keys on it, a machine which does not have the TPM configured to be accessible to the user, this happens when I encrypt a file. I don't expect this to happen when I try to encrypt a file, since I should only need the public key and not the actual TPM. Indeed, when I gave myself permission to the TPM, it encrypted fine.

/tmp/recipients.txt:

age1tpm1qgfe8w2vrkrerx9eyc8yjsluelas9l62nm0g72cuzcspxlu8t70a5znvftj
[jade@snowflake:~/.dotfiles/configs/nix]$ AGEDEBUG=plugin rage -R /tmp/recipients.txt -e flake.nix > /tmp/nya
-> add-recipient age1tpm1qgfe8w2vrkrerx9eyc8yjsluelas9l62nm0g72cuzcspxlu8t70a5znvftj

-> wrap-file-key
JfGaksEZOwWERXUhkDd2kw
-> done

Error: open /dev/tpmrm0: permission denied
Usage:
  age-plugin-tpm [flags]

Examples:

  $ age-plugin-tpm --generate -o age-identity.txt
  # Created: 2023-07-10 22:13:57.864450969 +0200 CEST m=+0.475252114
  # Recipient: age1tpm1qt92lcdxj75rjz9e4t9nud7fv6t2cfn8rhzdfnc0z2rnfgv3cqwrqgme4dq

  AGE-PLUGIN-TPM-1QYQQQKQQYVQQKQQZQPEQQQQQZQQPJQQTQQPSQYQQYR92LCDXJ75RJZ9E4T9NUD7[...]

  $ echo "Hello World" | age -r "age1tpm1syqqqpqrtxsnkkqlmu505zzrq439hetls4qwwmyhsv8dgjhksvtewvx29lxs7s68qy" > secret.age

  $ age --decrypt -i age-identity.txt -o - secret.age
  Hello World

Flags:
  -y, --convert           Convert identities to recipients.
  -o, --output string     Write the result to the file.
  -g, --generate          Generate a identity.
  -p, --pin               Include a pin with the key. Alternatively export AGE_TPM_PIN.
      --log-file string   Logging file for debug output
      --swtpm             Use a software TPM for key storage (Testing only and requires swtpm installed)
  -h, --help              help for age-plugin-tpm

2024/02/15 16:56:18 open /dev/tpmrm0: permission denied
Error: 'age-plugin-tpm' unexpectedly died.
If you are developing a plugin, run with AGEDEBUG=plugin for more information.
Warning: this prints private encryption key material to standard error.

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]

Version: 0.2.0 from nixpkgs.
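The report's point, that `wrap-file-key` should need only the recipient's public key while the device is needed only on the identity side, as an added Go example. This is not the plugin's code: the stanza layout follows the AGEDEBUG=plugin trace above (`-> add-recipient`, `-> wrap-file-key` with an unpadded base64 body, `-> done`), but the recipient argument is a constructed base64-encoded P-256 point rather than the plugin's bech32 `age1tpm1...` string, the wrap scheme (ephemeral P-256 ECDH, an HMAC-SHA256 key derivation, AES-256-GCM) is illustrative rather than the plugin's, the `tpm-demo` stanza type is a placeholder, and `tpmOpens` stands in for opening `/dev/tpmrm0`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawStdEncoding // unpadded, like the "JfGaksEZOwWERXUhkDd2kw" body in the trace

// stanza is one "-> cmd args" block plus its decoded body.
type stanza struct {
	Cmd  string
	Args []string
	Body []byte
}

// parseStanzas splits recipient-v1 input (add-recipient, wrap-file-key, done) into stanzas.
func parseStanzas(input string) ([]stanza, error) {
	var out []stanza
	for _, chunk := range strings.Split("\n"+input, "\n-> ")[1:] {
		head, body, _ := strings.Cut(chunk, "\n")
		cmd, rest, _ := strings.Cut(head, " ")
		raw, err := b64.DecodeString(strings.Join(strings.Fields(body), ""))
		if err != nil {
			return nil, fmt.Errorf("%s: bad body: %w", cmd, err)
		}
		out = append(out, stanza{cmd, strings.Fields(rest), raw})
	}
	return out, nil
}

// tpmOpens counts simulated opens of /dev/tpmrm0. Only unwrapFileKey may raise it.
var tpmOpens int

// aeadFor runs ECDH between priv and the encoded peer point and derives an AES-256-GCM
// key with one HMAC-SHA256 step (a KDF constructed for this example, not the plugin's).
func aeadFor(priv *ecdh.PrivateKey, peer, ephemPub, recipPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, shared)
	mac.Write(append(append([]byte("issue-22 demo wrap"), ephemPub...), recipPub...))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// wrapFileKey needs only the recipient's public key: ephemeral ECDH, then seal the
// 16-byte file key. The zero nonce is safe because each derived key is used once.
func wrapFileKey(recip, fileKey []byte) (ephemPub, wrapped []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ephemPub = eph.PublicKey().Bytes()
	aead, err := aeadFor(eph, recip, ephemPub, recip)
	if err != nil {
		return nil, nil, err
	}
	return ephemPub, aead.Seal(nil, make([]byte, aead.NonceSize()), fileKey, nil), nil
}

// unwrapFileKey is the identity-side counterpart and the only step that needs the
// device, because the private ECDH operation lives in the TPM.
func unwrapFileKey(priv *ecdh.PrivateKey, ephemPub, wrapped []byte) ([]byte, error) {
	tpmOpens++ // stands in for opening /dev/tpmrm0
	aead, err := aeadFor(priv, ephemPub, ephemPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), wrapped, nil)
}

// runRecipientV1 plays the recipient-v1 phase from the trace and returns the response
// stream. The recipient argument is a base64 uncompressed P-256 point (a format
// constructed for this example; real age1tpm1... recipients are bech32 strings).
func runRecipientV1(input string) (string, error) {
	stanzas, err := parseStanzas(input)
	if err != nil {
		return "", err
	}
	var recip []byte
	var out strings.Builder
	n := 0
	for _, s := range stanzas {
		switch s.Cmd {
		case "add-recipient": // a multi-argument header fails base64 decoding on purpose
			if recip, err = b64.DecodeString(strings.Join(s.Args, " ")); err != nil {
				return "", fmt.Errorf("add-recipient: %w", err)
			}
		case "wrap-file-key":
			if recip == nil || len(s.Body) != 16 {
				return "", fmt.Errorf("wrap-file-key: need a recipient and a 16-byte file key")
			}
			ephemPub, wrapped, err := wrapFileKey(recip, s.Body)
			if err != nil {
				return "", err
			}
			fmt.Fprintf(&out, "-> recipient-stanza %d tpm-demo %s\n%s\n", n,
				b64.EncodeToString(ephemPub), b64.EncodeToString(wrapped))
			n++
		} // done and unknown (grease) stanzas need no action here
	}
	out.WriteString("-> done\n")
	return out.String(), nil
}
```

Feeding the exchange from the trace through `runRecipientV1` leaves `tpmOpens` at zero: the recipient phase completes on public-key material alone, and only `unwrapFileKey`, the identity-side step, touches the device. That separation is what the fix for this issue has to preserve, and a regression test on the recipient phase can assert it directly.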

Foxboron commented 9 months ago

I find it a bit annoying that we have to have age-plugin-tpm installed to encrypt things, hopefully https://github.com/C2SP/C2SP/pull/31 should solve it. But yes, I should implement the encryption without the TPM on the remote side.

Foxboron commented 9 months ago

Should be fixed with https://github.com/Foxboron/age-plugin-tpm/commit/70f006fc38ca059d49614fc17de238c4c3f57a13