Hi, I've put together some scripts and utilities [1] to allow storing a LUKS secret in TPM NVRAM. This is different from securing your secret by encrypting it with a TPM key in that there's no separate key blob to manage. The key data is written directly into TPM NVRAM, r/w protected by your password (and optionally TPM PCR state). Note that there's a limit to the space you'll have in NVRAM depending on your TPM's vendor.
You can use the tpm-luks package to:

- create a new secret, insert it into the TPM and add it to a LUKS key slot
- open a LUKS device using a TPM secret for auth
- kill a LUKS key slot using a TPM secret for auth
- unlock your rootfs at boot using a TPM secret for auth (tested on RHEL6 and Fedora 17)
- bind the secret to a trusted grub-based root of trust
- migrate the secret from one root of trust to a new one (tested on RHEL6)
- support for a custom root of trust including migration

Please give it a try. I'm interested in general user feedback, bug reports, code reviews, design reviews, flames, etc. Also, if you're a developer and willing to contribute, I'm particularly interested in code to support non-Red Hat distros' initramfs formats and to migrate secrets to new roots of trust.

Thanks,
Kent

[1] git://github.com/shpedoikal/tpm-luks.git

TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
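The flow the announcement describes (generate a secret, write it into a password-protected NVRAM area, add it to a LUKS key slot, then use the read-back secret to open the device or kill the slot) can be sketched with the TrouSerS tpm-tools and cryptsetup. The script below is an added illustration written for this page, not code from the tpm-luks project. The NV index 0x1101, the 32-byte secret size, the device path and the tpm_nvdefine/tpm_nvwrite/tpm_nvread option letters are assumptions; confirm the option letters against `tpm_nvdefine --help` and friends on your system before relying on them.

```shell
#!/bin/sh
# Illustrative tpm-tools + cryptsetup flow for keeping a LUKS secret in TPM NVRAM.
# Example code for this page, not part of tpm-luks. Flags, index and paths are assumed.

NVINDEX="${NVINDEX:-0x1101}"     # assumed NV index; pick one your TPM vendor leaves free
NVSIZE=32                        # assumed secret length in bytes (NVRAM space is limited)
LUKS_DEV="${LUKS_DEV:-/dev/sda2}" # assumed device

# Generate a fresh secret as lowercase hex (64 chars for 32 bytes), no trailing newline.
make_secret_hex() {
    head -c "$NVSIZE" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Basic sanity check that a value looks like a secret of the expected size.
# Returns 0 when ok, 1 otherwise; used by the caller before touching the TPM.
secret_hex_ok() {
    s="$1"
    [ "${#s}" -eq $((NVSIZE * 2)) ] || return 1
    case "$s" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Define an NVRAM area whose read and write both require the area password.
# (PCR binding, which tpm-luks also supports, is left out of this sketch.)
nvram_define() {
    tpm_nvdefine -i "$NVINDEX" -s "$NVSIZE" -p "AUTHREAD|AUTHWRITE"
}

# Write the secret (raw bytes in $1) into the area; the tool prompts for the password.
nvram_write() {
    tpm_nvwrite -i "$NVINDEX" -s "$NVSIZE" -f "$1"
}

# Read the secret back out of NVRAM into the file named by $1.
nvram_read() {
    tpm_nvread -i "$NVINDEX" -s "$NVSIZE" -f "$1"
}

# Add the secret file as a new LUKS key slot (you will be asked for an existing passphrase).
luks_add_key() {
    cryptsetup luksAddKey "$LUKS_DEV" "$1"
}

# Open the device using only the secret read from the TPM.
luks_open_with_tpm() {
    tmp=$(mktemp) && chmod 600 "$tmp"
    nvram_read "$tmp" && cryptsetup luksOpen --key-file "$tmp" "$LUKS_DEV" tpmroot
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Revoke the TPM-backed slot: authenticate with the NVRAM secret, then kill that slot.
luks_kill_slot_with_tpm() {
    slot="$1"
    tmp=$(mktemp) && chmod 600 "$tmp"
    nvram_read "$tmp" && cryptsetup luksKillSlot --key-file "$tmp" "$LUKS_DEV" "$slot"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Full enrollment; only runs when invoked as "script enroll", so sourcing is side-effect free.
enroll() {
    secret=$(make_secret_hex)
    secret_hex_ok "$secret" || { echo "bad secret" >&2; return 1; }
    tmp=$(mktemp) && chmod 600 "$tmp"
    printf '%s' "$secret" > "$tmp"
    nvram_define && nvram_write "$tmp" && luks_add_key "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

[ "${1:-}" = "enroll" ] && enroll
```

The secret never touches a key-blob file after enrollment; the only persistent copy lives in the NV area, so losing the area password (or, with PCR binding, changing the measured boot chain) is the failure mode to plan for, which is why the announcement lists migration to a new root of trust as a separate operation.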
