Protecting keys using a TPM

David Woodhouse dwmw2 at
Fri Mar 8 08:51:35 PST 2013

On Fri, 2013-03-08 at 16:25 +0000, Ben Laurie wrote:
> On 8 March 2013 16:22, Ben Laurie <benl at> wrote:
> >> Or is merging PKCS#11 support something we can pull off in
> >> OpenSSL if done right?
> >
> > I think we can pull it off in OpenSSL.
> BTW, I would also be OK with directly supporting the TPM. Or both.

Unlike libtspi, I think the openssl-tpm-engine code *does* have a sane
licence. Well, it has the OpenSSL licence, which perhaps is sufficiently
insane for IBM to have approved it? Whatever, at least it's compatible
for this purpose.

So perhaps we should start by looking at merging the TPM engine into
openssl, and then see what needs doing to better integrate it so that it
doesn't need to be invoked manually by applications? Automatically
recognising its PEM header, etc.

Yes, that would add libtspi as an optional dependency. But I think we
can live with adding libtspi and p11-kit as optional dependencies.

Optional in the sense that any sane distribution should bloody well be
turning them on and building with them so that everything works out of
the box.
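As an added illustration (not part of the thread, and not code from openssl-tpm-engine or OpenSSL), the "automatically recognising its PEM header" step above boils down to looking at the PEM label before deciding which loader a key file belongs to. The script below parses PEM blocks, validates them, and routes a block labelled as a TPM key blob to a hypothetical engine path while ordinary software keys go to the normal path. The "TSS KEY BLOB" label is what I recall openssl-tpm-engine's create_tpm_key writing; treat that label, the loader names and the sample key files as assumptions made for this example.

```python
import base64
import re

# PEM labels and where a key carrying that label should be loaded.
# "TSS KEY BLOB" is the label I recall openssl-tpm-engine writing for a
# TPM-wrapped key; it is an assumption here, not something the thread states.
TPM_LABELS = {"TSS KEY BLOB"}
SOFTWARE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}

# A PEM block: BEGIN label, body, and an END line whose label must match (\1).
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every well-formed PEM block in text.

    Raises ValueError if no block is found or a block's base64 body is invalid.
    A block whose END label does not match its BEGIN label is not matched at all.
    """
    blocks = []
    for match in _PEM_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Drop RFC 1421-style header lines such as "Proc-Type:" / "DEK-Info:".
        data_lines = [ln for ln in lines if ":" not in ln]
        try:
            der = base64.b64decode("".join(data_lines), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"bad base64 in {label!r} block") from exc
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def choose_loader(label):
    """Map a PEM label to the loader an application should hand the key to.

    Loader names are hypothetical: "tpm-engine" stands for the TPM engine
    path the thread wants OpenSSL to pick automatically, "software" for the
    ordinary in-process key parser.
    """
    if label in TPM_LABELS:
        return "tpm-engine"
    if label in SOFTWARE_KEY_LABELS:
        return "software"
    return "unknown"


def route_key_file(text):
    """Parse a key file and return [(label, loader), ...] for each block."""
    return [(label, choose_loader(label)) for label, _ in parse_pem(text)]


def _pem_block(label, payload):
    """Build a PEM block from raw bytes, wrapping base64 at 64 columns."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs (not real keys): a fake TPM key blob and a fake
# software key, so the example runs offline without a TPM or libtspi.
TPM_BLOB_BYTES = b"constructed TPM key blob, not a real TSS blob"
SOFTWARE_KEY_BYTES = b"constructed DER bytes, not a real RSA key"
SAMPLE_TPM_KEY = _pem_block("TSS KEY BLOB", TPM_BLOB_BYTES)
SAMPLE_SOFTWARE_KEY = _pem_block("RSA PRIVATE KEY", SOFTWARE_KEY_BYTES)
SAMPLE_MISMATCHED = (
    "-----BEGIN TSS KEY BLOB-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in (("tpm", SAMPLE_TPM_KEY), ("sw", SAMPLE_SOFTWARE_KEY)):
        print(name, route_key_file(text))
```

The point of the header check is that the application never has to know in advance whether a key lives in software or behind the TPM: the library inspects the label once and picks the loader, which is exactly the manual `-engine` step the message wants to get rid of.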
