[strongSwan] Strongswan and TPM
jb20141125 at gmail.com
Thu Sep 7 16:26:01 CEST 2017
Sorry for the delay.
Yes, this is very useful information! Now I know I have to try with
TPM 2.0 only. Thank you very much.
Can you also confirm that for use with keys stored in the TPM I have to use
swanctl.conf instead of ipsec.conf?
2017-08-31 12:46 GMT+02:00 Andreas Steffen <andreas.steffen at strongswan.org>:
> Hi John,
> currently strongSwan supports signature keys residing in the NVRAM
> of the TPM 2.0, only. These can be accessed using the object handle
> range 0x8101xxxx. Private keys stored in the NVRAM of the TPM 2.0
> have the big advantage that you can wipe the hard disk or SSD
> without irretrievably losing the keys.
> But as you correctly mention, in principle an unlimited number of
> keys can be stored in encrypted form outside the TPM. With the TPM 2.0
> you have to load them into NVRAM first, before you can do any
> signature operations. strongSwan does not support external keys, though.
> strongSwan does not offer any signature key support for the TPM 1.2.
> The TPM 1.2 can be used for attestation, only (implemented by the
> Attestation IMC dynamic library) where the TPM 1.2 loads an external
> attestation key blob and generates a Quote signature over a certain
> number of PCR registers.
> Hope this helps.
> On 31.08.2017 10:46, John Brown wrote:
> > Hi Tobias/Hi all,
> > After some reading I have come to the conclusion that TPM 2.0 can only be used
> > with strongswan 5.5.2 or newer.
> > The example that the strongswan wiki provides shows storing the keys
> > inside the tpm (as far as I understand the example correctly). But all
> > the tpm sources I've read state that the keys can also be stored
> > externally but in encrypted form by the tpm. Is this a general rule that
> > can also be used with strongswan?
> > Additionally, an example shows usage with swanctl.conf. Can ipsec.conf
> > also be used?
> > What about TPM 1.2? I've found that it is mentioned in TNC. But can I
> > use TPM 1.2 only for key storage in strongswan? If yes, which version of
> > strongswan is the oldest that can be used for this?
> > Best regards,
> > John
> > 2017-07-18 12:46 GMT+02:00 John Brown <jb20141125 at gmail.com>:
> > Hi Tobias,
> > Thank you for your answer. I'm at the first stage of learning TPM,
> > but as far as I understand, the general rule is that the private key
> > should not be accessible, and that was the reason the aforementioned
> > log message drew my attention. Is the wiki page I've read the only way
> > I can learn about TPM and strongswan cooperation, or are there more
> > detailed explanations somewhere of how the process works?
> > Best regards,
> > John
> > 2017-07-18 12:05 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> > Hi John,
> > > and I conclude from this example, that the private key stored in the TPM is
> > > loaded into program memory the same way as if it was stored in a file (log
> > > message: "...charon-systemd: loaded RSA private key from token").
> > > Am I correct?
> > No, that's only the generic log message that you'll see for any private
> > key loaded by the configuration backend, whether that private key is
> > actually loaded into memory or it's just a reference to a key (as is the
> > case here). Private keys on PKCS#11 tokens or in a TPM can't be
> > accessed directly, so they never end up in memory.
> > Regards,
> > Tobias
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)