Protecting keys using a TPM

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Fri Mar 8 07:31:42 PST 2013

On 03/08/2013 03:16 PM, Stef Walter wrote:

>  * Have the TPM PKCS#11 module support a C_Unwrap mechanism which
>    allows bringing in a key from a blob of data (whether in PEM or DER)
>    format. This becomes a session key, which the app can then use.
>    This solves David's use case, and requires a bit more involvement
>    from the application. David has a thing for keys at specific paths :P

How could that work, I mean as simply as loading a PKCS #11 URL? Would
the user specify the file, and the application should load the
tpm-pkcs11 module, unwrap the key, and then use operations on the PKCS
#11 key? That is a big deviation from the simplicity of pkcs11 urls, and
files in TPM are not a corner case, but rather the main use case.

Maybe extending the URLs to specify a wrapped key like tpmkey urls
support stored keys?
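To make the two workflows contrasted above concrete, here is an added example (not code from the p11-glue project or from the mail's author) that parses a `pkcs11:` URI per RFC 7512 and resolves it against a token's object list. The attribute `x-wrapped-key-file` is a hypothetical stand-in for the "extend the URL to name a wrapped key" idea; RFC 7512 defines no such attribute, and the token contents and file paths are constructed sample data.

```python
"""Resolve a PKCS #11 URI (RFC 7512) against a token's objects.

Added example, not p11-glue code. 'x-wrapped-key-file' is a hypothetical
vendor attribute standing in for a URL extension that names a wrapped key;
it is not part of RFC 7512.
"""
from urllib.parse import unquote, unquote_to_bytes

WRAPPED_KEY_ATTR = "x-wrapped-key-file"  # hypothetical, see docstring


def _split(part, sep):
    """Split 'name=value' items; percent-decode values (CKA_ID is binary)."""
    attrs = {}
    for item in filter(None, part.split(sep)):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:
            raise ValueError(f"repeated attribute {name!r}")
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI, else raise ValueError.

    Path attributes (token, object, type, id, ...) are ';'-separated and
    identify the object; query attributes (module-path, pin-source, ...)
    are '&'-separated and tell the application how to reach the module.
    """
    scheme, sep, rest = uri.partition(":")
    if sep != ":" or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11 URI")
    path, _, query = rest.partition("?")
    return _split(path, ";"), _split(query, "&")


def find_objects(path_attrs, objects):
    """Objects whose attributes equal every path attribute given in the URI."""
    return [o for o in objects if all(o.get(k) == v for k, v in path_attrs.items())]


def resolve(uri, objects):
    """Pick the workflow: direct URI lookup, or unwrap-a-file-then-use."""
    path, query = parse_pkcs11_uri(uri)
    module = query.get("module-path")
    if WRAPPED_KEY_ATTR in path:
        # Hypothetical extension: the URI names a wrapped key blob, so the
        # application must load the module, C_Unwrap the blob, and then use
        # the resulting session key (the extra involvement the mail objects to).
        return {"workflow": "unwrap", "file": path[WRAPPED_KEY_ATTR], "module": module}
    matches = find_objects(path, objects)
    if len(matches) != 1:
        raise LookupError(f"URI matched {len(matches)} objects, expected exactly 1")
    return {"workflow": "lookup", "object": matches[0], "module": module}


# Constructed sample token contents (not real TPM objects).
SAMPLE_OBJECTS = [
    {"token": "TPM", "object": "server-key", "type": "private", "id": b"\x01"},
    {"token": "TPM", "object": "server-key", "type": "public", "id": b"\x01"},
    {"token": "Other", "object": "server-key", "type": "private", "id": b"\x02"},
]

if __name__ == "__main__":
    print(resolve("pkcs11:token=TPM;object=server-key;type=private", SAMPLE_OBJECTS))
    print(resolve("pkcs11:id=%01;type=private", SAMPLE_OBJECTS))
    print(resolve("pkcs11:x-wrapped-key-file=%2Fetc%2Fkey.blob"
                  "?module-path=%2Fusr%2Flib%2Flibtpm-pkcs11.so", SAMPLE_OBJECTS))
```

An ambiguous URI (one that omits `type` and so matches both the public and private halves of a key pair) is rejected rather than silently picking one; the `id` attribute is decoded to bytes because CKA_ID is binary, while every other attribute is UTF-8 text.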


More information about the p11-glue mailing list