Seal info w EK pub or cert on systems without TPM #343
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
akutz
force-pushed
the
feature/enc-to-ek-sans-tpm
branch
3 times, most recently
from
973b36f
to
1d12d24
Compare
akutz
added a commit
to akutz/govmomi
that referenced
this pull request
Sep 4, 2023
This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM. Please refer to google/go-tpm#343 for more information.
12 tasks
akutz
added a commit
to akutz/govmomi
that referenced
this pull request
Sep 4, 2023
This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM. Please refer to google/go-tpm#343 for more information.
akutz
added a commit
to akutz/govmomi
that referenced
this pull request
Sep 5, 2023
This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM. Please refer to google/go-tpm#343 for more information.
akutz
added a commit
to akutz/govmomi
that referenced
this pull request
Sep 5, 2023
This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM. Please refer to google/go-tpm#343 for more information.
akutz
force-pushed
the
feature/enc-to-ek-sans-tpm
branch
from
1d12d24
to
154640f
Compare
akutz
added a commit
to akutz/govmomi
that referenced
this pull request
Sep 5, 2023
This patch introduces support for encrypting plain-text information for VMs with TPM2 devices without the system on which the command is run needing a TPM. Please refer to google/go-tpm#343 for more information.
This patch introduces support for sealing information to an endorsement key without needing to be on a system with a TPM. This feature enables support for clients that want to encrypt small amounts of data in order to bootstrap a virtual machine that may only have an endorsement key prior to first boot.
akutz
force-pushed
the
feature/enc-to-ek-sans-tpm
branch
from
154640f
to
05ab0eb
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch introduces support for sealing information to an endorsement key without needing to be on a system with a TPM. This feature enables support for clients that want to encrypt small amounts of data in order to bootstrap a virtual machine that may only have an endorsement key prior to first boot.
For example, the following command, when executed from the root of this project, produces output that can only be unsealed on the system with a TPM that has the specified endorsement key:
For example, on a system without a TPM, the following command seals the specified plain-text data to the provided endorsement key RSA certificate:
The use of the
-f 0tells the program to emit the encrypted, duplicated object as base64-encoded data, its parts delimited by@@NULL@@:On the system with the TPM and matching endorsement key, the file
./examples/tpm2-ekseal/tpm2-unseal.shmay be used with its-0flag to unseal the data:The above command will emit the original, sealed text:
The above, end-to-end example used RSA, but ECC is possible as well:
On a system without the TPM, seal the data while specifying the ECC public certificate:
Echo the emitted data on the system with the TPM, this time using the
-G eccflag to specify the algorithm:The above command will emit the original, sealed text:
Special kudos/shout-out to my colleague @jessepool for helping with this. I would have been lost without him!