[strongSwan] Strongswan and TPM

John Brown jb20141125 at gmail.com
Thu Aug 31 10:46:08 CEST 2017


Hi Tobias/Hi all,
After some reading I have come to the conclusion that TPM 2.0 can only be used with
strongswan 5.5.2 or newer.
The example that the strongswan wiki provides shows storing the keys inside
the TPM (as far as I understand the example correctly). But all the TPM
sources I've read state that the keys can also be stored externally but in
encrypted form by the TPM. Is this a general rule that can also be used
with strongswan?
Additionally, an example shows usage with swanctl.conf. Can ipsec.conf also be
used?

What about TPM 1.2? I've found that it is mentioned in TNC. But can I use
TPM 1.2 only for key storage in strongswan? If yes, which version of
strongswan is the oldest that can be used for this?

Best regards,
John


2017-07-18 12:46 GMT+02:00 John Brown <jb20141125 at gmail.com>:

> Hi Tobias,
> Thank you for your answer. I'm at the first stage of learning TPM, but as
> far as I understand the general rule, the private key should not be
> accessible, and that was the reason the aforementioned log message drew my
> attention. Is the wiki page I've read the only way I can learn about TPM and
> strongswan cooperation, or are there some more detailed explanations
> somewhere of how the process goes?
>
> Best regards,
> John
>
>
> 2017-07-18 12:05 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
>
>> Hi John,
>>
>> > and I conclude from this example that the private key stored in the TPM is
>> > loaded into program memory the same way as if it was stored in a file (log
>> > message: "...charon-systemd[21165]: loaded RSA private key from token").
>> > Am I correct?
>>
>> No, that's only the generic log message that you'll see for any private
>> key loaded by the configuration backend, whether that private key is
>> actually loaded into memory or it's just a reference to a key (as is the
>> case here).  Private keys on PKCS#11 tokens or in a TPM can't be
>> accessed directly, so they never end up in memory.
>>
>> Regards,
>> Tobias
>>
>
>