age-plugin-tpm requires access to the TPM when encrypting

Open nicoonoclaste opened this issue 11 months ago • 3 comments

As far as I understand (from reading the source, as well as having worked with TPM 2.0 itself) the plugin generates identities as TPM-bound NIST P-256 keys, used with ECDH to wrap the age session key.

Assuming this is the case, encrypting to a TPM recipient should only require knowledge of that P-256 point/pubkey, yet age-plugin-tpm attempts to access /dev/tpmrm0 and fails if permission is denied. This is an issue in my use case in two different ways:

  • I'm managing secrets in a distributed environment, so encryption might be done on a system which does not have access to the recipient's TPM, or any TPM at all;
  • unprivileged users should be able to introduce new secrets (i.e. encrypt) without being granted decryption privileges, let alone full access to the TPM device.

nicoonoclaste avatar Dec 27 '24 18:12 nicoonoclaste
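To make the point above concrete, here is an added example (not code from age-plugin-tpm or the C2SP draft) of ECDH key wrapping to a P-256 recipient: the sender-side function takes only the recipient's public point, while the private scalar is needed solely in the unwrap step, which is the part a TPM would perform. The KDF (SHA-256 over shared secret, ephemeral and recipient public bytes) and AEAD (AES-256-GCM with a zero nonce) are constructed for illustration and are not the plugin's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed for illustration, not the plugin's or the C2SP draft's format:
// wrap key = SHA-256(shared || ephPub || recipientPub), file key sealed with
// AES-256-GCM. A zero nonce is safe only because every wrap uses a fresh key.
func sharedAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(append(shared, ephPub...), recipPub...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// WrapFileKey is the sender side: it needs only the recipient's P-256 public point, so it can run on a host with no access to the TPM (or any TPM).
func WrapFileKey(recipient *ecdh.PublicKey, fileKey []byte) (ephPub, wrapped []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ephPub = eph.PublicKey().Bytes()
	aead, err := sharedAEAD(eph, recipient, ephPub, recipient.Bytes())
	if err != nil {
		return nil, nil, err
	}
	return ephPub, aead.Seal(nil, make([]byte, aead.NonceSize()), fileKey, nil), nil
}

// UnwrapFileKey is the recipient side: its ECDH is the only step that needs the private scalar, i.e. the part the plugin runs inside the TPM.
func UnwrapFileKey(priv *ecdh.PrivateKey, ephPub, wrapped []byte) ([]byte, error) {
	eph, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := sharedAEAD(priv, eph, ephPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), wrapped, nil)
}
```

The recipient's `*ecdh.PrivateKey` here is a software stand-in for the TPM-resident key; only its public half is ever handed to `WrapFileKey`.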

I'm aware of this issue and mostly just waiting on this to be standardized and implemented in age.

https://github.com/C2SP/C2SP/pull/96

If you want to implement the encryption inside the plugin without a TPM feel free to send patches :)

Foxboron avatar Dec 27 '24 18:12 Foxboron

Thanks for the swift reply <3

I didn't know about the proposed p256tag keytype, but I agree waiting for upstream to adopt it might be the best solution long-term. There doesn't seem to be much activity on that PR, but hopefully it can happen soon.

nicoonoclaste avatar Dec 27 '24 18:12 nicoonoclaste

> There doesn't seem to be much activity on that PR, but hopefully it can happen soon.

Filippo will work on this at some point.

Foxboron avatar Dec 27 '24 18:12 Foxboron