[strongSwan] Strongswan and TPM

John Brown jb20141125 at gmail.com
Thu Sep 7 16:26:01 CEST 2017 

Hi Andreas,

Sorry for the delay.
Yes, these are very useful information! Now I know I have to try with
TPM2.0 only. Thank you very much.

Can you also confirm that for use with keys stored in TPM i have to use
swanctl.conf instead of ipsec.conf?

Best regards,
John

2017-08-31 12:46 GMT+02:00 Andreas Steffen <andreas.steffen at strongswan.org>:

> Hi John,
>
> currently strongSwan supports signature keys residing in the NVRAM
> of the TPM 2.0, only. These can be accessed using the object handle
> range 0x8101xxxx. Private keys stored in the NVRAM of the TPM 2.0
> have the big advantage that you can wipe the hard disk or SSD
> without irretrievably losing the keys.
>
> But as you correctly mention in principle an unlimited number of
> keys can be stored in encrypted form outside the TPM. With the TPM 2.0
> you have to load them into NVRAM first, before you can do any
> signature operations. strongSwan does not support external keys, though.
>
> strongSwan does not offer any signature key support for the TPM 1.2.
> The TPM 1.2 can be used for attestation, only (implemented by the
> Attestion IMC dynamic library) where the TPM 1.2 loads an external
> attestation key blob and generates a Quote signature over a certain
> number of PCR registers.
>
> Hope this helps.
>
> Andreas
>
> On 31.08.2017 10:46, John Brown wrote:
> > Hi Tobias/Hi all,
> > After some reading I have a conclusion that TPM 2.0 can only be used
> > with strongswan 5.5.2 or newer.
> > The example that the strongswan wiki provides shows storing the keys
> > inside the tpm (as far as I understand the example correctly). But all
> > the tpm sources I've read states that the keys can also be stored
> > externally but in encrypted form by the tpm. Is this a general rule that
> > can also be used with strongswan?
> > Additionaly, an example shows usage with swanctl.conf. Can ipsec.conf be
> > also used?
> >
> > What about TPM 1.2? I've found that it is mentioned in TNC. But can I
> > use TPM 1.2 only for key storage in strongswan? If yes, which version of
> > strongswan is the oldest that can be used for this?
> >
> > Best regards,
> > John
> >
> >
> > 2017-07-18 12:46 GMT+02:00 John Brown <jb20141125 at gmail.com
> > <mailto:jb20141125 at gmail.com>>:
> >
> >     Hi Tobias,
> >     Thank you for your answer. I'm on the first stage of learning TPM
> >     but as far as I understand the general rule the private key should
> >     not be accessible and that was a reason that aforementioned log
> >     message drew my attention. This wiki page I've read is the only way
> >     I can learn TPM and strongswan cooperation or there are some more
> >     detailed explanations somewhere how the process is going?
> >
> >     Best regards,
> >     John
> >
> >
> >     2017-07-18 12:05 GMT+02:00 Tobias Brunner <tobias at strongswan.org
> >     <mailto:tobias at strongswan.org>>:
> >
> >         Hi John,
> >
> >         > and I conclude from this example, that private key stored in
> TPM is
> >         > loaded to program memory the same way as if it was stored in a
> file (log
> >         > message: "...charon-systemd[21165]: loaded RSA private key
> from token").
> >         > Am I correct?
> >
> >         No, that's only the generic log message that you'll see for any
> >         private
> >         key loaded by the configuration backend, whether that private
> key is
> >         actually loaded into memory or it's just a reference to a key
> >         (as is the
> >         case here).  Private keys on PKCS#11 tokens or in a TPM can't be
> >         accessed directly, so they never end up in memory.
> >
> >         Regards,
> >         Tobias
> >
> >
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170907/289c0d16/attachment.html>

More information about the Users mailing list