Using a TPM

A TPM is designed to hold private keys and perform operations with them. This means the private key never has to be present unencrypted in your machine's memory, which makes stealing it, even with full access to the machine, very hard. Even with physical access, the worst an attacker should be able to do is destroy the key material, unless they go to rather extreme lengths. Be clear about what this does and doesn't buy you, though: it protects the key from extraction, not from use. Anyone who can drive the TPM on that machine (with whatever PIN or authorisation the key requires) can still sign with it, so the rest of the machine still needs protecting.

The downside of this is that it's complicated (hence the long list of things to do below), and the TPM is also quite slow.


Before we begin:

General principles

The general principle here is to use trousers (TrouSerS, the open-source TCG Software Stack for TPM 1.2) as the API to the TPM. Then use opencryptoki's TPM token, which is built on trousers, to make that available as a PKCS#11 module. Once we have a PKCS#11 module, we can configure the machine to use it (using p11-kit) and/or individually configure programs to use PKCS#11 directly. In theory a TPM is just another kind of Hardware Security Module (HSM), like a smart card, so we just use the same APIs. One consequence worth knowing up front: a TPM 1.2 only does RSA (typically 2048-bit), so anything that needs other key types will not work through this route.

Setting up the TPM

trousers (TrouSerS) provides the TPM daemon, tcsd, which is the only thing that talks to the TPM device; everything below goes through it, so you'll need it installed and running. You also need to have taken ownership of the TPM (tpm_takeownership from tpm-tools), because the keys the TPM token creates are wrapped by the TPM's storage root key.

Setting up your user.

Your user needs to be in the pkcs11 group to talk to opencryptoki, and the TPM token keeps its data per user, so each user initialises their own token: pkcsconf -t lists the tokens and their slot numbers, pkcsconf -I -c <slot> initialises a token, pkcsconf -P -c <slot> sets its SO PIN and pkcsconf -u -c <slot> sets the user PIN. The user PIN is what gates use of the keys from then on, so choose it with the same care as a passphrase.

Setting up p11-kit

Freedesktop have a reasonably sensible API for registering PKCS#11 modules called p11-kit. Create a file /etc/pkcs11/modules/opencryptoki.module with the following contents (if it doesn't already exist). Note that module: must point at the shared object itself, not the directory it lives in; the library is libopencryptoki.so, and where your distribution installs it varies (e.g. /usr/lib/opencryptoki/ or an architecture-specific directory under /usr/lib/), so check the path exists before committing to it:

module: /usr/lib/opencryptoki/libopencryptoki.so
critical: no

critical: no means p11-kit carries on without the module if it fails to load, rather than failing every application that uses p11-kit. Other options can be set in this file; see the p11-kit documentation for the module file format. If you don't have root, you can instead put the same file in your per-user module directory, ~/.config/pkcs11/modules/opencryptoki.module.

GnuTLS built with p11-kit support loads the modules registered with p11-kit by default, so programs using GnuTLS will see the TPM token without per-program configuration. A quick way to confirm the registration worked is p11-kit's own listing (p11-kit list-modules), which should show the opencryptoki module and its tokens.
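As an added example (not code from p11-kit, opencryptoki or the original notes), here is a Python script that does the two checks worth making at this point: it parses a p11-kit module file and flags the mistakes that silently leave you with no token (a module: line pointing at a directory, a missing module: line, a bad critical: value), then loads the named shared object with ctypes and walks the raw PKCS#11 entry points (C_GetFunctionList, C_Initialize, C_GetSlotList, C_GetTokenInfo) to list the tokens it exposes, including whether each has been initialised. The sample module-file text and the library path in it are constructed here; the path is an assumption and depends on your distribution. Only the first seven entries of CK_FUNCTION_LIST are used, so that struct is deliberately truncated.

```python
# Added example for these notes (not p11-kit's or opencryptoki's own code).
import ctypes
import os

CK_ULONG = ctypes.c_ulong
CKR_OK = 0
CKF_LOGIN_REQUIRED, CKF_TOKEN_INITIALIZED = 0x4, 0x400   # CK_TOKEN_INFO.flags bits

# Constructed sample. The path is an assumption: it must be the shared object
# itself, not its directory, and where a distribution installs it varies.
EXAMPLE_MODULE_FILE = """\
# p11-kit module file for opencryptoki
module: /usr/lib/opencryptoki/libopencryptoki.so
critical: no
"""

def parse_module_file(text):
    """Parse p11-kit's 'key: value' module-file format ('#' starts a comment)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        conf[key] = value
    return conf

def check_module_file(text, isfile=os.path.isfile):
    """Return problems with a module file ([] means OK); isfile is injectable."""
    problems, conf = [], parse_module_file(text)
    module = conf.get("module", "")
    if not module:
        problems.append("no 'module:' line, so p11-kit has nothing to load")
    elif module.endswith("/"):
        problems.append(f"module path {module!r} is a directory, not a shared object")
    elif os.path.isabs(module) and not isfile(module):
        problems.append(f"module {module!r} is missing or not a regular file")
    critical = conf.get("critical", "no").lower()
    if critical not in ("yes", "no"):
        problems.append(f"critical must be 'yes' or 'no', not {critical!r}")
    return problems

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_TOKEN_INFO(ctypes.Structure):     # field order from the PKCS#11 v2 header
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_ubyte * 16)])

class CK_FUNCTION_LIST(ctypes.Structure):  # truncated: CK_VERSION then the first seven
    _fields_ = [("version", CK_VERSION)] + [(n, ctypes.c_void_p) for n in (   # entry points,
        "C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",       # in spec order
        "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo")]

def _check(rv, call):
    if rv != CKR_OK:
        raise RuntimeError(f"{call} failed, CKR=0x{rv:08x}")

def probe_module(path):
    """Load a PKCS#11 module and list its tokens. OSError: library will not load;
    RuntimeError: PKCS#11 error (for the TPM token, usually tcsd/pkcsslotd down)."""
    lib = ctypes.CDLL(path)
    lib.C_GetFunctionList.restype = CK_ULONG
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    _check(lib.C_GetFunctionList(ctypes.byref(fl_ptr)), "C_GetFunctionList")
    fl = fl_ptr.contents
    c_initialize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fl.C_Initialize)
    c_finalize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fl.C_Finalize)
    c_get_slot_list = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte, ctypes.POINTER(CK_ULONG),
                                       ctypes.POINTER(CK_ULONG))(fl.C_GetSlotList)
    c_get_token_info = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG,
                                        ctypes.POINTER(CK_TOKEN_INFO))(fl.C_GetTokenInfo)
    _check(c_initialize(None), "C_Initialize")
    try:
        count = CK_ULONG(0)       # tokenPresent=1 below: only slots holding a token
        _check(c_get_slot_list(1, None, ctypes.byref(count)), "C_GetSlotList")
        slots = (CK_ULONG * max(count.value, 1))()
        _check(c_get_slot_list(1, slots, ctypes.byref(count)), "C_GetSlotList")
        tokens = []
        for slot in slots[:count.value]:
            info = CK_TOKEN_INFO()
            _check(c_get_token_info(slot, ctypes.byref(info)), "C_GetTokenInfo")
            tokens.append({"slot": slot,
                           "label": bytes(info.label).decode("ascii", "replace").rstrip(),
                           "initialized": bool(info.flags & CKF_TOKEN_INITIALIZED),
                           "login_required": bool(info.flags & CKF_LOGIN_REQUIRED)})
        return tokens
    finally:
        c_finalize(None)
```

Run check_module_file on the text of your module file first, then probe_module on the path it names. If probe_module raises a PKCS#11 error rather than returning tokens, the usual cause with opencryptoki's TPM token is that tcsd or pkcsslotd is not running; a token that comes back with initialized False is one the user has not yet set up with pkcsconf.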

Setting up Gnome Keyring

From what I've seen, Gnome Keyring doesn't yet (2013) support using an external PKCS#11 implementation to seal its key database. It will, however, export its own database via PKCS#11 for other applications to use.

Setting up SSH

By telling ssh-agent how to use the TPM (ssh-add's -s option takes the path of a PKCS#11 module to load into the agent), ssh-agent will get the TPM to do the crypto operations on its behalf when you authenticate to other machines. Thus even ssh-agent doesn't have direct access to the secret material of your private key. The public half, in authorized_keys form, can be read out of the token with ssh-keygen -D and the same module path.

Unfortunately the TPM is very slow, so doing this may add a second or two to your login process. Also remember that the agent is now the thing that can use the key: anyone who can reach your agent socket (including via agent forwarding) can authenticate as you while the module is loaded; the TPM only stops them copying the key away.
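To put the TPM-held key's public half on the servers you log in to, you need it in authorized_keys form. ssh-keygen -D produces that, but it is worth seeing what the line contains: the modulus and public exponent that PKCS#11 hands back as raw big-endian CKA_MODULUS and CKA_PUBLIC_EXPONENT values, packed as RFC 4251 mpints behind the key type. Below is an added example (mine, not OpenSSH's code) that does that packing, including the sign-byte edge case that trips up hand-rolled encoders, and parses the line back for checking. The sample modulus is a constructed byte string, not a real key.

```python
# Added example for these notes; not OpenSSH's code. Builds the authorized_keys
# line for an RSA public key given as PKCS#11 hands it back (CKA_MODULUS and
# CKA_PUBLIC_EXPONENT are raw unsigned big-endian byte strings).
import base64
import struct

# Constructed sample key material, not a real key: e = 65537 and a 2048-bit
# modulus whose top bit is set, which is the case that needs the sign byte.
SAMPLE_EXPONENT = b"\x01\x00\x01"
SAMPLE_MODULUS = b"\xc3" + bytes(range(1, 256))

def encode_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_mpint(unsigned_be):
    """RFC 4251 'mpint' from an unsigned big-endian integer. Leading zero bytes
    are dropped, then one zero byte is added back if the top bit is set so the
    two's-complement reader on the other end does not see a negative number."""
    stripped = unsigned_be.lstrip(b"\x00")
    if stripped and stripped[0] & 0x80:
        stripped = b"\x00" + stripped
    return encode_string(stripped)

def ssh_rsa_public_line(modulus, exponent, comment=""):
    """One authorized_keys line: 'ssh-rsa <base64 blob> [comment]'. The blob is
    string("ssh-rsa") || mpint(e) || mpint(n), exponent before modulus."""
    blob = encode_string(b"ssh-rsa") + encode_mpint(exponent) + encode_mpint(modulus)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def parse_ssh_rsa_public_line(line):
    """Inverse of the above, for checking: returns (e, n) as Python ints."""
    keytype, b64 = line.split()[:2]
    if keytype != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")
```

The familiar "AAAAB3NzaC1yc2EAAAADAQAB" prefix of every ssh-rsa key is just this encoding of the type string and e = 65537; a modulus with its top bit set gains a leading zero byte, which is why a 2048-bit key's mpint is 257 bytes long.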

Setting up Chrome

Chrome doesn't have any UI that lets you configure PKCS#11, but does support it: on Linux it uses the NSS database in $HOME/.pki/nssdb, so the module is registered there with NSS's modutil (the database is given as sql:$HOME/.pki/nssdb, -add names the module and -libfile gives the path to libopencryptoki.so). New versions of Chrome may pick up p11-kit's modules automatically (untested).

Firefox is similar; just substitute sql:$HOME/.pki/nssdb/ with your profile directory, ~/.mozilla/firefox/*.default/.

Setting up dnssec-signzone

TODO: Try and figure out how on earth dnssec-signzone works with a PKCS#11 key. dnssec-signzone takes a -E argument naming an OpenSSL engine, so going through the OpenSSL pkcs11 engine looks like the route, but these notes are not yet complete.

Setting up OpenVPN

TODO: OpenVPN supports PKCS#11 (its pkcs11-providers option takes the module path), so this should work fine, but I've not experimented yet. Cribbed from OpenVPN's PKCS#11 token configuration docs.