4

I am working on a GPG mechanism to code-sign my Debian packages. I have generated both a master key pair and subordinate key pairs to sign my packages. Now I want to store my key pair in TPM hardware instead of the keyring. Later I want to delete my keyring and retrieve the keys from the TPM.

Can anybody explain the mechanism to store and retrieve the code signing key securely in a TPM, for secure code signing?

  • 1
    Usually the whole point of storing keys on a hardware token is that they are not retrievable... Are you using TPM 1.2 or TPM 2.0? They need completely different software. Commented Nov 13, 2019 at 6:28
  • 1
    I am using TPM 2.0. I also want to retrieve it whenever needed.
    – Karma Yogi
    Commented Nov 13, 2019 at 6:37
  • 1
    Then what's the point of using a TPM? Commented Nov 13, 2019 at 6:55
  • 1
    OK, let's forget about retrieving keys from the TPM. Can you please explain to me how to store these keys in the TPM?
    – Karma Yogi
    Commented Nov 13, 2019 at 9:06

2 Answers

2

GPG, as of version 2.3, has native support for TPMs; see

Using a TPM with GnuPG 2.3

This is handled in gpg-agent via an external program called tpm2daemon. On openSUSE, the package to install is called gpg2-tpm. Ubuntu, as of Noble, ships with GPG 2.4.4.
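The native route this answer describes (gpg-agent handing a key to tpm2daemon), as an added example that is not the answer's, the linked article's or GnuPG's own code: a POSIX shell script that checks the GnuPG version and the TPM backend, then runs the `keytotpm` command of `gpg --edit-key` for one subkey. It assumes the tpm2daemon binary name given in the answer, /dev/tpmrm0 as the TPM 2.0 resource-manager device, and placeholder KEYID / SUBKEY_INDEX arguments.

```shell
#!/bin/sh
# Added example, not code from the answer or from GnuPG: check the prerequisites
# for GnuPG's native TPM 2.0 backend and move one signing subkey into the TPM with
# the keytotpm command of "gpg --edit-key". Assumptions: /dev/tpmrm0 is the kernel's
# TPM 2.0 resource-manager device; tpm2daemon lives on PATH or in GnuPG's libexecdir;
# KEYID and SUBKEY_INDEX are placeholders the caller supplies.

# Return 0 when a GnuPG version string is 2.3 or newer (TPM support arrived in 2.3).
gpg_supports_tpm() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; }
}

# Return 0 when gpg-agent can reach a TPM: the resource-manager device must exist
# and the tpm2daemon helper must be installed (PATH or GnuPG's libexecdir).
tpm_backend_available() {
    dev=${1:-/dev/tpmrm0}
    [ -c "$dev" ] || return 1
    command -v tpm2daemon >/dev/null 2>&1 && return 0
    [ -x "$(gpgconf --list-dirs libexecdir 2>/dev/null)/tpm2daemon" ]
}

# Move subkey number $2 of key $1 into the TPM. gpg-agent asks for the key's
# passphrase via pinentry, then replaces the on-disk private key with a
# TPM-wrapped blob: the raw key can no longer be exported, so keep an offline
# backup (gpg --export-secret-subkeys) before running this.
move_subkey_to_tpm() {
    keyid=$1
    idx=$2
    ver=$(gpg --version | awk 'NR == 1 { print $NF }')
    gpg_supports_tpm "$ver" || { echo "gpg $ver has no TPM support (need 2.3+)" >&2; return 1; }
    tpm_backend_available || { echo "no TPM 2.0 device or tpm2daemon found" >&2; return 1; }
    # Feed the edit-key commands on fd 0; pinentry still handles the passphrase.
    printf 'key %s\nkeytotpm\nsave\n' "$idx" |
        gpg --command-fd 0 --status-fd 2 --edit-key "$keyid"
}

# Usage: sh move-key-to-tpm.sh KEYID SUBKEY_INDEX   (both placeholders)
if [ "$#" -eq 2 ]; then
    move_subkey_to_tpm "$1" "$2"
fi
```

After the move, signing with that subkey works as before, but the private material only exists as a blob that the TPM which wrapped it can use, which is the non-exportable property the comments above argue for.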

1

For GnuPG 2.x, you would need:

  1. Either native TPM2 support in gpg's scdaemon program (the smartcard handler component),
  2. or a replacement scdaemon program which uses TPM2,
  3. or a replacement scdaemon program which uses PKCS#11 modules, and in turn a PKCS#11 module which uses TPM2.

Right now, options #1 and #2 aren't possible (the needed scdaemon replacement simply does not exist yet). Option #3 should be possible, using gnupg-pkcs11-scd and tpm2-pkcs11.

However, the latter project is still under heavy development and its usage might literally change in the coming weeks, so I can't really start writing instructions for it right now... I will probably return to this thread sometime later when tpm2-pkcs11 has settled down.

  • Using "GPG" and "tpm-tools" on a TPM 1.2 machine I created public keys and private keys. Also I tried sealing and unsealing my private keys. I referred to the link below: "tonytruong.net/…". Now can you tell me how to store my private key or key blob into the TPM?
    – Karma Yogi
    Commented Nov 18, 2019 at 5:33
  • Sealing/unsealing isn't very useful – if you can simply unseal the private key, then the TPM doesn't give you very much at all. Normally keys would be either imported or directly generated on the TPM, so that they would be non-exportable and all operations would happen within the TPM itself... Commented Nov 18, 2019 at 5:47
  • Because of that, there isn't really any good way to integrate sealing/unsealing via PKCS#11 or any similar method – nobody bothered to write such integration. It's entirely up to you to write e.g. a pam_exec script that unseals the files upon login. Commented Nov 18, 2019 at 5:49
  • (And unfortunately, even for the PKCS#11 method I described, you won't have much luck if you use TPMv1.2 – it needs a daemon called 'pkcsslotd' from OpenCryptoki, which seems to be a buggy mess. The tpm2-pkcs11 project for TPMv2.0 is a bit more stable already.) Commented Nov 18, 2019 at 5:52
  • Actually I tried on TPM 2.0 first, but I didn't get many tpm2-tools options, so I switched back to TPM 1.2.
    – Karma Yogi
    Commented Nov 18, 2019 at 12:21
