A PKCS#11 interface for TPM2 hardware

An overview of the proposed tpm2-pkcs11 object auth model.
This design proposal addresses some issues with the existing
object auth model in the project:
1. Separation of USER and SO roles and respective access controls.
2. Accommodating existing TPM2 objects into the pkcs11.
3. Protection of USER and SO pin is delegated to TPM2 objects instead
   of the PBKDF method, which is relatively easier to brute force; since
   the model of authorization uses TPM2 dictionary-lockout-protected
   objects, it severely limits the rate of the brute force attack.

Signed-off-by: Imran Desai <>
Latest commit 0b7ceff Sep 5, 2019



This is currently being developed and is not production ready; patches welcome. Please hold your patches for the moment: we're dropping a massive internals change and I'd hate to waste your time. We expect the drop to arrive in the middle of September.

PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/devices such as hardware security modules (HSMs), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token.


Example Usages

  • SSH - How to configure and use it with SSH.
  • P11 - How to configure and use it with various P11 components.
  • PKCS11-TOOL - How to configure and use it with OpenSC's pkcs11-tool.