
Support for TPM key password

Open wiktor-k opened this issue 6 years ago • 4 comments

Hello,

I just found clevis while researching alternatives to LUKS unlockers that utilize the TPM.

One thing that I noticed is that clevis does not support a TPM PIN as in BitLocker (note that "PIN" here means a short number that is needed to unlock the TPM key in addition to the PCRs. That PIN protects against brute-force attacks).

luks-tpm2 uses TPM parent key password for this.

Why is it important? To protect against unauthorized extraction of TPM keys.

wiktor-k avatar Nov 28 '19 12:11 wiktor-k

Is there any chance of getting this in clevis?

ajkerzner avatar Jan 20 '22 00:01 ajkerzner

Hello, I've also been tracking this feature request for a while. Just wanted to point out that since this issue was created, tpm2-totp came to be, and it addresses a major drawback of simple PIN protection -- it allows attestation of the system before inputting the PIN and thus releasing the disk encryption key (e.g. to be logged by a counterfeit initrd).

All I'm saying is that maybe it's too late to spend effort on implementing this and we should move on to better and more secure solutions.

ignisf avatar Jan 20 '22 01:01 ignisf