A simple library for using the TPM chip to secure SSH keys.
Copyright 2013-2016 Google Inc. All Rights Reserved. Apache 2.0 license.
This is NOT a Google product.
Contact: thomas@habets.se / habets@google.com https://github.com/ThomasHabets/
apt install tpm-tools libtspi-dev libopencryptoki-dev libssl-dev
tpm-tools
opencryptoki-devel
trousers-devel
openssl-devel
pkg install tpm-tools trousers-tddl opencryptoki openssl
If there is no configure
script (e.g. because the release comes directly
from the git repo where generated files are not committed), then run:
apt install autotools libtool # Or equivalent for your OS.
./bootstrap.sh
When configure
does exist, configure and build:
./configure && make && sudo make install
If you have not taken ownership, do so.
tpm_takeownership -z
Enter owner password: [enter something secret here]
Confirm password: [enter something secret here]
SRK password is usually the Well Known Secret (all nulls). You can specify a password but it's easier it you don't. The SRK password is only used to allow crypto operations. You still need blobs and key passwords to use other peoples keys.
The "SRK password" is needed to be able to do operations with the "SRK", which is the actual cryptographic key. The user has no access to the SRK directly. The same goes for other keys protected by the TPM chip.
tpm_changeownerauth -s -r
If you get any error messages, see read TPM-TROUBLESHOOTING.
mkdir ~/.simple-tpm-pk11/
stpm-keygen -o ~/.simple-tpm-pk11/my.key
(use -p
if you want to set a password on the key)
Try out the key:
dd if=/dev/urandom of=to-sign bs=1 count=35
stpm-sign -k ~/.simple-tpm-pk11/my.key -f to-sign
stpm-sign -k ~/.simple-tpm-pk11/my.key -f to-sign -r > to-sign.sig
stpm-verify -f to-sign -k ~/.simple-tpm-pk11/my.key -s to-sign.sig
echo "key my.key" > ~/.simple-tpm-pk11/config
log foo.log
key_pin my-pin-here
srk_pin my-pin-here
debug
ssh-keygen -D libsimple-tpm-pk11.so
Install it where you want to log in, in the usual authorized_keys way.
Try logging in using your new fancy key:
ssh -I libsimple-tpm-pk11.so shell.example.com
Add this to ~/.ssh/config
:
Host *
PKCS11Provider libsimple-tpm-pk11.so
then try:
ssh shell.example.com
ssh-agent
This has to be the OpenSSH ssh-agent
, since gnome-keyring doesn't support
PKCS#11. A sign that you run gnome-keyring (or your OpenSSH is compiled
without PKCS#11 support) is that you see this error message when you try:
$ ssh-add -s /…/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Could not add card "/…/libsimple-tpm-pk11.so": agent refused operation
openssl genrsa -out rsa-key 2048
openssl rsa -in rsa-key -modulus
exponent is always 65537.
ssh-keygen -f rsa-key -y > rsa-key.pub