Protecting keys using a TPM
n.mavrogiannopoulos at gmail.com
Fri Mar 8 07:31:42 PST 2013
On 03/08/2013 03:16 PM, Stef Walter wrote:
> * Have the TPM PKCS#11 module support a C_Unwrap mechanism which
> allows bringing in a key from a blob of data (whether in PEM or DER)
> format. This becomes a session key, which the app can then use.
> This solves David's use case, and requires a bit more involvement
> from the application. David has a thing for keys at specific paths :P
How could that work, I mean as simply as loading a PKCS #11 URL? Would
the user specify the file, and the application should load the
tpm-pkcs11 module, unwrap the key, and then use operations on the PKCS
#11 key? That is a big deviation from the simplicity of pkcs11 urls, and
files in TPM are not a corner case, but rather the main use case.
Maybe extending the URLs to specify a wrapped key like tpmkey urls
support stored keys?
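The contrast in this thread is between an application that locates a key by a `pkcs11:` URL (the module finds the object) and one that must read a blob from a file and unwrap it itself. The parser below, an added example written for this page and not code from p11-glue, GnuTLS or the TPM module, shows the two URL forms side by side: RFC 7512 `pkcs11:` URLs with percent-encoded path and query attributes, and `tpmkey:` URLs in the GnuTLS style (`file=` for a wrapped key blob on disk, `uuid=...;storage=...` for a key already stored by the TPM). The sample token name, object label, file path and UUID are constructed values, and `describe_loading()` only reports which steps an application would take; it does not talk to a TPM.

```python
from urllib.parse import unquote


def _split_attrs(text: str, sep: str) -> dict:
    """Split 'a=1<sep>b=2' into a dict, percent-decoding each value."""
    attrs = {}
    for part in text.split(sep):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"attribute without a value: {part!r}")
        name, value = part.split("=", 1)
        attrs[name] = unquote(value)
    return attrs


def parse_key_url(url: str) -> dict:
    """Parse a pkcs11: (RFC 7512) or tpmkey: (GnuTLS-style) key URL."""
    scheme, _, rest = url.partition(":")
    if scheme == "pkcs11":
        # Path attributes are ';'-separated; query attributes follow '?' and are '&'-separated.
        path, _, query = rest.partition("?")
        return {
            "scheme": "pkcs11",
            "path": _split_attrs(path, ";"),
            "query": _split_attrs(query, "&"),
        }
    if scheme == "tpmkey":
        attrs = _split_attrs(rest, ";")
        if "file" in attrs:
            kind = "file"      # wrapped key blob kept in a file, unwrapped by the TPM on use
        elif "uuid" in attrs:
            kind = "uuid"      # key persisted in the TPM's own storage
        else:
            raise ValueError("tpmkey URL needs either file= or uuid=")
        return {"scheme": "tpmkey", "kind": kind, "attrs": attrs}
    raise ValueError(f"unsupported key URL scheme: {scheme!r}")


def describe_loading(url: str) -> list:
    """Return the steps an application would take to make the key usable."""
    parsed = parse_key_url(url)
    if parsed["scheme"] == "pkcs11":
        obj = parsed["path"].get("object", "<any>")
        return [f"load PKCS#11 module", f"find object {obj!r} in token", "use key via C_Sign/C_Decrypt"]
    if parsed["kind"] == "file":
        path = parsed["attrs"]["file"]
        return [f"read wrapped blob from {path}", "unwrap blob in TPM (session key)", "use session key"]
    uuid = parsed["attrs"]["uuid"]
    storage = parsed["attrs"].get("storage", "user")
    return [f"reference stored TPM key {uuid} ({storage} storage)", "use key"]


if __name__ == "__main__":
    # Constructed sample URLs; none refer to a real token or file.
    for sample in (
        "pkcs11:token=My%20Token;object=server-key;type=private?pin-value=1234",
        "tpmkey:file=/etc/ssl/private/server.tpm",
        "tpmkey:uuid=42309df8-d101-11e1-a89e-97bb21d7e2f1;storage=user",
    ):
        print(sample, "->", describe_loading(sample))
```

The `tpmkey:file=` branch is exactly the path the thread calls "a bit more involvement": the application, not the PKCS#11 module, has to read the blob and hand it to the TPM before it has anything resembling a key handle.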