Skip to content

Implement TPM wrapped keys #35

Description

@marcan

TPM wrapped keys turn out to be rather trivial: the TPM encoded key contains the wrapped key to be passed to the TPM (exact structure depends on the TPM, and also there may be a header I haven't looked at in detail). If the PCR values are correct, the TPM unwraps the key and directly returns the 256-bit VMK.

So, for example, with physical access to a machine using TPM mode BitLocker, you can simply sniff the TPM bus and see the wrapped key being sent and the VMK being returned.

I think the best way to handle this would be to add a way for the user to specify a VMK directly, similar to how the user can currently specify a FVEK with -k. Thoughts?

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions