Implement TPM wrapped keys #35
TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.
So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.
I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with
Note that this is for transparent TPM mode. I'm not sure how the wrapping works for e.g. TPM+PIN mode, or TPM+PIN+externalkey mode; I don't have any systems using those modes yet. I'm guessing it's pretty obvious though (just nesting decryptions probably); what to do should be evident by looking at the metadata of such a system.
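The proposal above is to let the user hand over a VMK directly. The following is an added example of what the input-handling side of such an option could look like; it is not code from this project or from the issue author. It assumes the VMK is supplied as 64 hexadecimal characters (the 256-bit key the issue describes) and that the caller owns the output buffer; the function names `parse_vmk_hex` and `vmk_byte_at` are hypothetical. The important properties for key material are strict validation (exact length, only hex digits, no silent truncation) and wiping the output buffer when parsing fails partway through, so no half-filled key is left behind.

```c
/* Added example: strict parsing of a user-supplied 256-bit VMK given as hex.
 * Not part of the project's own code; names and interface are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VMK_LEN 32 /* 256-bit VMK, as described in the issue */

/* Map one hex digit to its value, or -1 if the character is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse exactly 2*VMK_LEN hex characters into out[].
 * Returns 0 on success, -1 on malformed input (wrong length, non-hex byte).
 * On failure the output buffer is zeroed so partial key material is not kept. */
int parse_vmk_hex(const char *hex, uint8_t out[VMK_LEN])
{
    if (hex == NULL || out == NULL) return -1;
    if (strlen(hex) != 2 * VMK_LEN) return -1; /* no truncation, no padding */

    for (size_t i = 0; i < VMK_LEN; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            memset(out, 0, VMK_LEN);
            return -1;
        }
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Convenience wrapper: parse hex and return the byte at index idx,
 * or -1 if parsing fails or idx is out of range. */
int vmk_byte_at(const char *hex, size_t idx)
{
    uint8_t vmk[VMK_LEN];
    if (idx >= VMK_LEN) return -1;
    if (parse_vmk_hex(hex, vmk) != 0) return -1;
    int b = vmk[idx];
    memset(vmk, 0, sizeof vmk); /* scrub the local copy before returning */
    return b;
}
```

Whatever the final command-line shape, the parsed VMK should be treated exactly like the FVEK path already handles its key: validated once at the boundary, kept in a fixed-size buffer, and cleared when no longer needed.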