Protecting keys using a TPM

Ross McIlroy rmcilroy at
Fri Mar 8 06:03:19 PST 2013

> Like installing things on Mac OS X: You get a "system prompt" telling
> you that something somewhere is asking for your password/PIN. Or when
> installing some wrapped MSI on Windows and UAC steps in.
> In practice, the command line tool (if used interactively) can be
> helpful and say "you get prompted now to make change X to the system".

I was meaning more how this might work in a headless environment.  I'm
guessing we would have to fall back to the app providing the pin itself
if there was no GUI available?

> For PKCS#11 (the API) it is still a "simple" implementation detail:
> take HSM-s, which store their key blobs the same way and work (almost)
> flawlessly. PKCS#11, by the nature of it, will anyway require a "fixed
> location" somewhere in the filesystem with a fixed module to be loaded
> by the application, which needs installation (and possible a question
> or two answered to configure it).

I'm not sure what you mean by PKCS#11 requiring a fixed location on the
filesystem.  Sure, it requires the app to load the correct module (which I
hope p11-kit can help), but once you have the slots, you access them based
on their attributes, not any fixed location AFAICT.  Am I misunderstanding
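Added illustration of the slot-selection point above (not code from the p11-glue thread or from p11-kit): the token is chosen by its attributes (label, serial, manufacturer, initialisation flags) rather than by a fixed slot index, and the PIN for the headless case is taken from an environment variable when no terminal is available. The `PKCS11_PIN` variable name, the `PyKCS11` binding used in `load_tokens_from_module`, and the sample token list are assumptions constructed for the example.

```python
"""Select a PKCS#11 token by attributes, not by slot position (added example)."""
import getpass
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Flag bits of CK_TOKEN_INFO.flags, as defined in the PKCS#11 specification.
CKF_RNG = 0x00000001
CKF_LOGIN_REQUIRED = 0x00000004
CKF_USER_PIN_INITIALIZED = 0x00000008
CKF_TOKEN_INITIALIZED = 0x00000400


@dataclass(frozen=True)
class TokenInfo:
    slot_id: int
    label: str          # PKCS#11 pads these fields with spaces, so compare stripped
    manufacturer: str
    serial: str
    flags: int


# Constructed sample data: what getTokenInfo() might return for three slots.
SAMPLE_TOKENS: List[TokenInfo] = [
    TokenInfo(0, "SoftHSM dev".ljust(32), "SoftHSM project".ljust(32), "a1b2c3d4".ljust(16),
              CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED),
    TokenInfo(3, "tpm-keys".ljust(32), "ExampleVendor".ljust(32), "00000001".ljust(16),
              CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED),
    # Blank, uninitialised token: a fixed "slot 7" assumption would pick this by mistake.
    TokenInfo(7, "".ljust(32), "ExampleVendor".ljust(32), "00000002".ljust(16), CKF_RNG),
]


def select_token(tokens: Iterable[TokenInfo], *, label: Optional[str] = None,
                 serial: Optional[str] = None, manufacturer: Optional[str] = None,
                 require_initialized: bool = True) -> Optional[TokenInfo]:
    """Return the one token matching every given attribute.

    None if nothing matches; ValueError if the criteria are ambiguous, because
    silently taking the first hit is how keys end up on the wrong device.
    """
    matches = []
    for t in tokens:
        if require_initialized and not (t.flags & CKF_TOKEN_INITIALIZED):
            continue
        if label is not None and t.label.strip() != label:
            continue
        if serial is not None and t.serial.strip() != serial:
            continue
        if manufacturer is not None and t.manufacturer.strip() != manufacturer:
            continue
        matches.append(t)
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("ambiguous token selection, slots %s" % [t.slot_id for t in matches])
    return matches[0]


def needs_login(token: TokenInfo) -> bool:
    """True when the token requires C_Login before private objects are usable."""
    return bool(token.flags & CKF_LOGIN_REQUIRED)


def resolve_pin(env: dict, isatty: bool, prompt=getpass.getpass) -> Optional[str]:
    """Headless fallback: PKCS11_PIN (assumed variable name) first, then an
    interactive prompt only if a terminal exists, otherwise give up (None)."""
    pin = env.get("PKCS11_PIN")
    if pin:
        return pin
    if isatty:
        return prompt("Token PIN: ")
    return None


def load_tokens_from_module(module_path: str) -> List[TokenInfo]:
    """Enumerate present tokens through a real module (assumes the PyKCS11 binding)."""
    import PyKCS11  # assumption: pip package PyKCS11 is installed
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    out = []
    for slot in lib.getSlotList(tokenPresent=True):
        info = lib.getTokenInfo(slot)
        out.append(TokenInfo(slot, info.label, info.manufacturerID, info.serialNumber, info.flags))
    return out


if __name__ == "__main__":
    import os
    tokens = load_tokens_from_module(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TOKENS
    tok = select_token(tokens, label="tpm-keys")
    print("selected:", tok)
    if tok is not None and needs_login(tok):
        print("pin available:", resolve_pin(dict(os.environ), sys.stdin.isatty()) is not None)
```

Run with a module path (for example a SoftHSM or TPM PKCS#11 library) to enumerate real slots, or with no argument to exercise the constructed sample; the selection deliberately refuses an ambiguous match rather than picking the first slot.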