tink-go
Support TPM-based operations
FR to support encryption/decryption using TPM-based keys.
With this, you can encrypt and decrypt data only with the same TPM.
For example, this is encryption/decryption using tpm2_tools (cpp) and go-tpm:
https://github.com/salrashid123/tpm2/tree/master/encrypt_decrypt_aes
I'd imagine the proto for the Key would save the public/sealed private portion of the key that was generated,
e.g. as "type.googleapis.com/google.crypto.tink.TpmKey":

```proto
syntax = "proto3";

package google.crypto.tink;

message TpmKey {
  // Public portion of the TPM object, as returned by the TPM at creation.
  bytes key_pub = 1;
  // Private portion, sealed by the TPM; it can only be loaded on the same TPM.
  bytes key_priv = 2;
}
```
At the moment, this is only feasible for one or two languages that support TPM-based libraries, so filing this as a longer-term FR.
We've internally added support for TPMs in C++, but this will probably be part of a different repo as an add-on to Tink, to avoid bloat.
@fernandolobato when you mention an add-on to Tink, do you have C++ or Go in mind? Has any code been published? I'd be interested in a TPM-backed Go implementation, and might try and write one from scratch, but I wouldn't want to duplicate efforts. (Also, getting inspiration from a C++ version, if it's been made public, may be useful.)
Hey @kerneis-anssi, we have an implementation of a TPM-backed AEAD. This isn't public yet, since it'll require a bit of work to open source, and it will live as a separate repo to avoid adding a dependency on the TPM TSS for everyday Tink users. I also have a Go implementation in mind, but it's not currently in the roadmap for the next couple of quarters.
I put an implementation in Go here which supports a small subset of calls:
- https://github.com/salrashid123/tink-go-tpm/
Notably, the AES-CTR mode does not use a wrapped key but exclusively the key created on the TPM. If you're encrypting/decrypting really large bits of data, it may be slower (it took 16s to encrypt 5MB on my laptop's TPM).
Critically, the code is not reviewed and not supported by Google.
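As an added example that is not code from this thread, from tink-go, or from the tink-go-tpm repository linked above, the following Go sketch shows the shape of the design discussed here: a TpmKey record holding the public portion and the TPM-sealed private portion (the proto from the original request), and a Tink-style AEAD whose AES-CTR runs through the TPM's EncryptDecrypt so the raw key never leaves it, which is the TPM-exclusive mode the previous comment describes and why every 16-byte block costs a TPM round trip. Because TPM2_EncryptDecrypt only returns keystream-XORed data, the example adds a host-side HMAC-SHA256 tag in Tink's AES-CTR-HMAC layout. All names (TpmKey, FakeTPM, TpmAEAD, randBytes) are assumptions made for the example, and FakeTPM is a constructed in-memory stand-in for go-tpm, built so that a private blob sealed by one FakeTPM fails the integrity check on another; that reproduces the "only with the same TPM" property of the original request without hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// TpmKey mirrors the proto sketched in the issue (hypothetical Go struct, not tink-go's).
type TpmKey struct{ KeyPub, KeyPriv []byte }
// FakeTPM is a constructed stand-in for go-tpm: private blobs are sealed under a
// per-instance AES-256-GCM "storage root key", so another FakeTPM cannot load them.
type FakeTPM struct{ srk cipher.AEAD }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewFakeTPM() *FakeTPM {
	blk, _ := aes.NewCipher(randBytes(32))
	srk, _ := cipher.NewGCM(blk)
	return &FakeTPM{srk: srk}
}

// CreateAESKey seals a fresh AES-256 key; KeyPub is bound in as associated data.
func (t *FakeTPM) CreateAESKey() TpmKey {
	pub, nonce := randBytes(16), randBytes(12)
	return TpmKey{KeyPub: pub, KeyPriv: append(nonce, t.srk.Seal(nil, nonce, randBytes(32), pub)...)}
}

// EncryptDecrypt models TPM2_Load + TPM2_EncryptDecrypt in CTR mode: the caller only
// ever sees data XORed with keystream, and every block costs a round trip into the TPM.
func (t *FakeTPM) EncryptDecrypt(k TpmKey, iv, data []byte) ([]byte, error) {
	if len(k.KeyPriv) < 12 {
		return nil, errors.New("malformed private blob")
	}
	raw, err := t.srk.Open(nil, k.KeyPriv[:12], k.KeyPriv[12:], k.KeyPub)
	if err != nil {
		return nil, errors.New("integrity failure: blob was not sealed by this TPM")
	}
	blk, _ := aes.NewCipher(raw)
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out, nil
}

// TpmAEAD is a Tink-style AEAD: CTR through the TPM for confidentiality plus a host-side
// HMAC-SHA256 tag, since TPM2_EncryptDecrypt authenticates nothing. Wire: iv(16)||ct||tag(32).
type TpmAEAD struct {
	tpm    *FakeTPM // an interface over go-tpm in a real implementation
	key    TpmKey
	macKey []byte
}
func NewTpmAEAD(t *FakeTPM, k TpmKey) (*TpmAEAD, error) {
	// MAC key = keystream under the all-zero counter block, derived inside the TPM; random
	// 128-bit data IVs never reuse it. (Example design choice; Tink itself keeps a separate HMAC key.)
	macKey, err := t.EncryptDecrypt(k, make([]byte, 16), make([]byte, 32))
	if err != nil {
		return nil, err
	}
	return &TpmAEAD{tpm: t, key: k, macKey: macKey}, nil
}

// tag follows Tink's AES-CTR-HMAC layout: HMAC(aad || iv || ct || bitlen(aad)).
func (a *TpmAEAD) tag(iv, ct, aad []byte) []byte {
	m := hmac.New(sha256.New, a.macKey)
	m.Write(aad)
	m.Write(iv)
	m.Write(ct)
	binary.Write(m, binary.BigEndian, uint64(len(aad))*8)
	return m.Sum(nil)
}

func (a *TpmAEAD) Encrypt(plaintext, aad []byte) ([]byte, error) {
	iv := randBytes(16)
	ct, err := a.tpm.EncryptDecrypt(a.key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(append(iv, ct...), a.tag(iv, ct, aad)...), nil
}

func (a *TpmAEAD) Decrypt(ciphertext, aad []byte) ([]byte, error) {
	if len(ciphertext) < 48 {
		return nil, errors.New("ciphertext too short")
	}
	iv, ct, tag := ciphertext[:16], ciphertext[16:len(ciphertext)-32], ciphertext[len(ciphertext)-32:]
	if !hmac.Equal(tag, a.tag(iv, ct, aad)) { // verify before any TPM call
		return nil, errors.New("authentication failed")
	}
	return a.tpm.EncryptDecrypt(a.key, iv, ct)
}
```

Seal a key on one FakeTPM and call NewTpmAEAD with it on a second instance: it fails with the integrity error before any data is touched, which is the check a real TPM performs at TPM2_Load. The per-block round trip is also what makes the TPM-exclusive CTR mode slow on large inputs; a wrapped-key design would use the TPM once to unwrap a data key and do the bulk AES on the CPU, trading the "key never leaves the TPM" guarantee for throughput.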