Thomas, Let me understand better your concern: you don't want TrouSerS to write keys on disk, because they can be retrieved by someone?
If yes, then you don't need to worry about it, since the keys are ciphered by strong criptography before they're written on disk. Em 14-11-2013 14:13, Thomas Habets escreveu: > I generated some keys with: > > pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 \ > --login --keypairgen -d 01 \ > -a "$(whoami)@$(hostname --fqdn) key" \ > --key-type rsa:2048 > > But they are migratable. I can delete the on-disk key "backups" to try > to prevent migration, but they have been stored on disk, so the TPM > chip is no longer the sole keeper of secrets (or can be convinced to > give up the keys). Deleting files on disk is hard. Especially with > SSDs because of wear levelling. > > I'm hoping the answer isn't "you should have generated they keys differently" > (by adding a flag, http://marc.info/?l=trousers-users&m=120326565102441), > but if there is a cmdline similar to the one above, or one that does > tpmtoken_init differently (if that's what's needed), then that'd be > good too. > ------------------------------------------------------------------------------ DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access Free app hosting. Or install the open source package on any LAMP server. Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native! http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
