
List:       trousers-users
Subject:    Re: [TrouSerS-users] TPM support for LUKS partitions
From:       Olga Chen <olgagel () gmail ! com>
Date:       2013-01-05 15:02:01
Message-ID: CAB3D1DD-06FE-4D0D-885E-35A2103DCFCC () gmail ! com

Very excited to see this! Since I've been working on something similar for cryptsetup, I am looking forward to trying this out. It is also great to hear that this works with TrustedGrub. Since TrustedGrub is based on Grub 0.97 (and is not compatible with Grub 2), I've been installing Fedora 15 and then upgrading to Fedora 16 and then 17. It's tedious but it worked for me. I would be interested if someone has a better way of doing this.
Again - thanks for tpm-luks!

On Nov 27, 2012, at 20:45, Kent Yoder <shpedoikal@gmail.com> wrote:

> Hi,
> 
>  I've put together some scripts and utilities [1] to allow storing a
> LUKS secret in TPM NVRAM.  This is different than securing your secret
> by encrypting it with a TPM key in that there's no separate key blob
> to manage. The key data is written directly into TPM NVRAM, r/w
> protected by your password (and optionally TPM PCR state).  Note that
> there's a limit to the space you'll have in NVRAM depending on your
> TPM's vendor.
> 
> You can use the tpm-luks package to:
> - create a new secret, insert it into the TPM and add it to a LUKS key slot
> - open a LUKS device using a TPM secret for auth
> - kill a LUKS key slot using a TPM secret for auth
> - unlock your rootfs at boot using a TPM secret for auth (tested on
> RHEL6 and Fedora 17)
> - bind the secret to a trusted grub-based root of trust
> - migrate the secret from one root of trust to a new one (tested on RHEL6)
> - support for a custom root of trust including migration
> 
> Please give it a try, I'm interested in general user feedback, bug
> reports, code reviews, design reviews, flames, etc.
> 
> Also if you're a developer and willing to contribute, I'm particularly
> interested in code to support non-redhat distros' initramfs formats
> and migrate secrets to new roots of trust.
> 
> Thanks,
> Kent
> 
> [1] git://github.com/shpedoikal/tpm-luks.git
> 
> _______________________________________________
> TrouSerS-users mailing list
> TrouSerS-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/trousers-users
