tink-crypto / tink-go

Go implementation of Tink
https://developers.google.com/tink
Apache License 2.0

Support TPM based operations #13

Open salrashid123 opened 4 years ago

salrashid123 commented 4 years ago

FR to support encryption/decryption using TPM-based keys.

With this, you can encrypt and decrypt data only with the same TPM.

For example, this is encryption/decryption using tpm2_tools (C++) and go-tpm: https://github.com/salrashid123/tpm2/tree/master/encrypt_decrypt_aes


I'd imagine the proto for the key would save the public/sealed private portion of the key that was generated, e.g. in "type.googleapis.com/google.crypto.tink.TpmKey":

syntax = "proto3";

package google.crypto.tink;

message TpmKey {
  // TPM public area of the object, as returned when the key was created.
  bytes key_pub = 1;
  // Private area sealed by the TPM that created it; only that TPM can load it.
  bytes key_priv = 2;
}

At the moment, this is only feasible for one or two languages that support TPM-based libraries, so filing this as a longer-term FR.
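The following is an added sketch, not code from this issue or from the Tink project, of how the proposed TpmKey shape (public blob plus TPM-sealed private blob) could back a primitive with the same method set as Tink's tink.AEAD interface in Go. It uses only the standard library so it runs offline: the simTPM type, its seed, and the CreateKey/load methods are hypothetical stand-ins for a real TPM reached through go-tpm (TPM2_Create / TPM2_Load), and the AES-GCM operation performed with the loaded key stands in for whatever the real implementation would do on the chip. The property the FR describes is what the example checks: blobs created on one TPM are rejected by another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TpmKey mirrors the proto sketched in the issue: the Tink keyset carries only
// the public blob and the sealed private blob, never the raw key material.
type TpmKey struct {
	KeyPub  []byte // non-secret object name (stands in for the TPMT_PUBLIC area)
	KeyPriv []byte // private blob wrapped by the TPM that created it
}

// simTPM is a hypothetical stand-in for a TPM (assumption, not go-tpm). The
// seed plays the role of the chip's storage seed: it never leaves the "TPM"
// and every private blob handed out is wrapped under it.
type simTPM struct{ seed []byte }

func newSimTPM() (*simTPM, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return &simTPM{seed: seed}, nil
}

// sealBlob returns nonce || AES-256-GCM(key, plaintext) bound to ad.
func sealBlob(key, plaintext, ad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, ad), nil
}

// openBlob reverses sealBlob; a wrong key or tampered ad surfaces as an error.
func openBlob(key, ciphertext, ad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ciphertext[:g.NonceSize()], ciphertext[g.NonceSize():], ad)
}

// CreateKey generates an AES-256 key inside the simulated TPM and returns only
// the blobs (like TPM2_Create). The raw key is not retained by the caller.
func (t *simTPM) CreateKey() (TpmKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return TpmKey{}, err
	}
	name := sha256.Sum256(raw)
	priv, err := sealBlob(t.seed, raw, name[:]) // private blob bound to its public name
	if err != nil {
		return TpmKey{}, err
	}
	return TpmKey{KeyPub: name[:], KeyPriv: priv}, nil
}

// load unwraps the private blob (like TPM2_Load). A blob from another TPM
// fails authentication because that TPM's seed differs.
func (t *simTPM) load(k TpmKey) ([]byte, error) {
	raw, err := openBlob(t.seed, k.KeyPriv, k.KeyPub)
	if err != nil {
		return nil, fmt.Errorf("tpm: cannot load key (wrong TPM or corrupted blob): %w", err)
	}
	return raw, nil
}

// TpmAEAD has the same method set as tink.AEAD; every call loads the key
// into the TPM first, so the keyset blobs are useless off that chip.
type TpmAEAD struct {
	tpm *simTPM
	key TpmKey
}

func (a *TpmAEAD) Encrypt(plaintext, associatedData []byte) ([]byte, error) {
	raw, err := a.tpm.load(a.key)
	if err != nil {
		return nil, err
	}
	return sealBlob(raw, plaintext, associatedData)
}

func (a *TpmAEAD) Decrypt(ciphertext, associatedData []byte) ([]byte, error) {
	raw, err := a.tpm.load(a.key)
	if err != nil {
		return nil, err
	}
	return openBlob(raw, ciphertext, associatedData)
}

// Demo round-trips a constructed message on TPM A and then tries the same
// keyset blobs on TPM B. Returns (roundTripOK, otherTPMRejected, err).
func Demo() (bool, bool, error) {
	tpmA, err := newSimTPM()
	if err != nil {
		return false, false, err
	}
	tpmB, err := newSimTPM()
	if err != nil {
		return false, false, err
	}
	key, err := tpmA.CreateKey()
	if err != nil {
		return false, false, err
	}
	msg, ad := []byte("constructed sample plaintext"), []byte("constructed context")
	ct, err := (&TpmAEAD{tpm: tpmA, key: key}).Encrypt(msg, ad)
	if err != nil {
		return false, false, err
	}
	pt, err := (&TpmAEAD{tpm: tpmA, key: key}).Decrypt(ct, ad)
	if err != nil {
		return false, false, err
	}
	_, errB := (&TpmAEAD{tpm: tpmB, key: key}).Decrypt(ct, ad)
	return string(pt) == string(msg), errB != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("round trip on same TPM:", ok, "| other TPM rejected blob:", rejected)
}
```

A real implementation would replace simTPM with a handle to /dev/tpmrm0 (or a TPM simulator) through go-tpm, keep key_pub/key_priv in the Tink keyset exactly as the proto proposes, and load them with the parent handle on each use; the Encrypt/Decrypt signatures above are what lets such a type be registered as a Tink AEAD primitive.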

fernandolobato commented 2 years ago

We've internally added support for TPMs in C++ but this will probably be part of a different repo as an add-on to Tink to avoid bloat.

kerneis-anssi commented 2 years ago

@fernandolobato when you mention an add-on to Tink, do you have C++ or Go in mind? Has any code been published? I'd be interested in a TPM-backed Go implementation, and might try and write one from scratch, but I wouldn't want to duplicate efforts. (Also, getting inspiration from a C++ version, if it's been made public, may be useful.)

fernandolobato commented 2 years ago

Hey @kerneis-anssi, we have an implementation of a TPM-backed AEAD. This isn't public yet, since it'll require a bit of work to open source, and it will live as a separate repo to avoid adding a dependency on the TPM TSS for everyday Tink users. I also have a Go implementation in mind, but it's not currently in the roadmap for the next couple of quarters.