TPM Key Hierarchy Encryption

TL;DR

This guide shows how to encrypt keys within a Trusted Platform Module (TPM) key hierarchy using both symmetric and asymmetric encryption. We’ll cover creating the hierarchy, generating keys, sealing them for specific contexts, and unsealing them when needed.

1. Understanding TPM Key Hierarchies

A TPM organises keys in a hierarchy to improve security. The main hierarchies are:

• Platform Hierarchy (P): Typically used for platform-specific operations like Secure Boot.
• Storage Hierarchy (S): Used for general storage and encryption of data.
• Endorsement Hierarchy (E): Contains keys provided by the TPM manufacturer, used for attestation.

Each hierarchy has a root key. Keys created under a hierarchy are protected by that root key.

2. Creating the Key Hierarchy

You’ll need to use a TPM management tool like tpm2-tools (available on most Linux distributions). The following assumes you have it installed and configured.

1. Check TPM Status: Verify your TPM is working.

   sudo tpm2_getcap properties-fixed

2. Create a Storage Root Key (if needed): If you don’t have one, create an SRK. This protects keys in the storage hierarchy.

   sudo tpm2_create -g RSA -o 0x81010001 -s 'SRK' --auth-policy owner

3. Generating a Symmetric Key

Symmetric keys are faster for encryption/decryption but require secure key exchange.

1. Create the symmetric key: This example creates an AES-128 key under the Storage Hierarchy.

   sudo tpm2_create -g AES -o 0x81010002 -s 'MySymmetricKey' --auth-policy owner -A 'SRK'

2. Note the handle: The output will show a handle (e.g., 0x81010002). You’ll need this for later operations.

4. Encrypting Data with the Symmetric Key

This step assumes you have data to encrypt and want to protect it using the symmetric key created above.

1. Use a tool like OpenSSL: You’ll need to export the key first.

   sudo tpm2_key_export -o my_symmetric_key.pem 0x81010002

2. Encrypt with OpenSSL:

   openssl enc -aes-128-cbc -salt -in plaintext.txt -out ciphertext.enc -k "your_password"

5. Generating an Asymmetric Key

Asymmetric keys are slower but allow for key exchange without pre-shared secrets.

1. Create the asymmetric key: This example creates an RSA key under the Storage Hierarchy.

   sudo tpm2_create -g RSA -o 0x81010003 -s 'MyAsymmetricKey' --auth-policy owner -A 'SRK'

2. Note the handle: Again, note the outputted handle (e.g., 0x81010003).

6. Sealing a Key to a Specific Context

Sealing binds a key to specific platform measurements (PCRs) or other conditions. This means the key can only be unsealed in that context.

1. Get PCR values: Determine the current PCR values.

   sudo tpm2_pcrread

2. Seal the key: This seals the asymmetric key to the current PCR state.

   sudo tpm2_seal -o sealed_key.bin 0x81010003 --auth-policy owner

7. Unsealing a Key

Unsealing retrieves the key if the current platform state matches the sealing context.

1. Ensure correct PCR values: The PCR values must match those used during sealing.

   sudo tpm2_pcrread

2. Unseal the key:

   sudo tpm2_unseal -i sealed_key.bin -o unsealed_key.pem --auth-policy owner

8. Important Considerations

• Auth Policy: The --auth-policy owner flag requires the owner authorization to perform operations.
• Key Storage: Securely store exported keys.
• PCRs: Understand how PCRs work and their impact on key availability. Changes to the system can invalidate sealed keys.
• cyber security: Always follow best practices for cyber security when handling sensitive keys.