
Implement TPM wrapped keys #35

marcan opened this Issue Jan 3, 2019 · 2 comments



marcan commented Jan 3, 2019

TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.

So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.

I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with -k. Thoughts?



joachimmetz commented Jan 4, 2019

@marcan interesting, thx for the update. Let me give this some thought, IMHO adding an option to pass the VMK or extending the '-k' option are both possible options.



marcan commented Jan 4, 2019

Note that this is for transparent TPM mode. I'm not sure how the wrapping works for e.g. TPM+PIN mode, or TPM+PIN+externalkey mode; I don't have any systems using those modes yet. I'm guessing it's pretty obvious though (just nesting decryptions probably), what to do should be evident by looking at the metadata of such a system.
