<div dir="ltr">Hi Tobias/Hi all,<br>After some reading I have come to the conclusion that TPM 2.0 can only be used with strongswan 5.5.2 or newer.<br>The example that the strongswan wiki provides shows storing the keys inside the TPM (if I understand the example correctly). But all the TPM sources I've read state that the keys can also be stored externally, in encrypted form, by the TPM. Is this a general rule that can also be used with strongswan?<br>Additionally, an example shows usage with swanctl.conf. Can ipsec.conf also be used?<br><br>What about TPM 1.2? I've found that it is mentioned in TNC. But can I use TPM 1.2 only for key storage in strongswan? If yes, which is the oldest version of strongswan that can be used for this?<br><br>Best regards,<br>John<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-07-18 12:46 GMT+02:00 John Brown <span dir="ltr"><<a href="mailto:jb20141125@gmail.com" target="_blank">jb20141125@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi Tobias, <br></div>Thank you for your answer. I'm on
the first stage of learning TPM, but as far as I understand the general
rule, the private key should not be accessible, and that was the reason that the
aforementioned log message drew my attention. Is the wiki page I've read
the only way I can learn about TPM and strongswan cooperation, or are there
some more detailed explanations somewhere of how the process works?<br><br></div>Best regards,<br></div>John<div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">2017-07-18 12:05 GMT+02:00 Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi John,<br>
<span><br>
> and I conclude from this example that a private key stored in a TPM is<br>
> loaded into program memory the same way as if it were stored in a file (log<br>
> message: "...charon-systemd[21165]: loaded RSA private key from token").<br>
> Am I correct?<br>
<br>
</span>No, that's only the generic log message that you'll see for any private<br>
key loaded by the configuration backend, whether that private key is<br>
actually loaded into memory or it's just a reference to a key (as is the<br>
case here). Private keys on PKCS#11 tokens or in a TPM can't be<br>
accessed directly, so they never end up in memory.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
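<div dir="ltr">Added example, not part of the thread above and not strongSwan's own documentation: a minimal swanctl.conf fragment illustrating what Tobias describes, a private key that charon only holds as a reference to a TPM 2.0 persistent object rather than as key material in memory. The persistent handle 0x81010003, the certificate file name, the connection name, the peer address, the identities and the traffic selector are all assumptions for illustration; the handle must be whatever your key was made persistent under in the TPM.</div>

```conf
# swanctl.conf (added example; all names, addresses and the handle are assumed)
# Requires strongSwan built with the tpm plugin (--enable-tpm), i.e. 5.5.2 or
# newer as discussed in the thread.

connections {
   tpm-host {
      remote_addrs = 192.0.2.1           # assumed peer address
      local {
         auth = pubkey
         # Certificate whose public key corresponds to the TPM-resident
         # private key. charon pairs the certificate with the private key
         # by key identifier, so the private key never has to be readable.
         certs = moonCert.pem            # assumed file in /etc/swanctl/x509
      }
      remote {
         auth = pubkey
         id = sun.strongswan.org         # assumed peer identity
      }
      children {
         net {
            remote_ts = 10.2.0.0/16      # assumed traffic selector
            esp_proposals = aes128gcm128-x25519
         }
      }
   }
}

secrets {
   # A token<suffix> section in the secrets block references a private key
   # that lives on a PKCS#11 token or in a TPM 2.0 instead of in a file.
   # For a TPM 2.0 key only the persistent object handle is given; the tpm
   # plugin performs signatures inside the TPM and the key is never exported.
   token-rsa {
      handle = 0x81010003               # assumed persistent handle
   }
}
```

<div dir="ltr">After <code>swanctl --load-creds</code> the log line "loaded RSA private key from token" only confirms that this reference was registered with the credential manager; as Tobias explains, it does not mean the key material was read out of the TPM, and the same message would appear for a file-based key.</div>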