I generated some keys with:

pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 \
    --login --keypairgen -d 01 \
    -a "$(whoami)@$(hostname --fqdn) key" \
    --key-type rsa:2048

But they are migratable. I can delete the on-disk key "backups" to try
to prevent migration, but they have been stored on disk, so the TPM
chip is no longer the sole keeper of secrets (or can be convinced to
give up the keys). Deleting files on disk is hard. Especially with
SSDs because of wear levelling.

I'm hoping the answer isn't "you should have generated the keys differently"
(by adding a flag, http://marc.info/?l=trousers-users&m=120326565102441),
but if there is a cmdline similar to the one above, or one that does
tpmtoken_init differently (if that's what's needed), then that'd be
good too.

-- 
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "[email protected]" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
 char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users