From: Thomas H. <th...@ha...> - 2013-11-14 16:44:31

I generated some keys with:

    pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 \
        --login --keypairgen -d 01 \
        -a "$(whoami)@$(hostname --fqdn) key" \
        --key-type rsa:2048

But they are migratable. I can delete the on-disk key "backups" to try to prevent migration, but they have been stored on disk, so the TPM chip is no longer the sole keeper of secrets (or can be convinced to give up the keys). Deleting files on disk is hard. Especially with SSDs because of wear levelling.

I'm hoping the answer isn't "you should have generated the keys differently" (by adding a flag, http://marc.info/?l=trousers-users&m=120326565102441), but if there is a cmdline similar to the one above, or one that does tpmtoken_init differently (if that's what's needed), then that'd be good too.

-- 
typedef struct me_s {
  char name[] = { "Thomas Habets" };
  char email[] = { "th...@ha..." };
  char kernel[] = { "Linux" };
  char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
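One check a practitioner would want after a keypairgen like the one above is whether the token reports the private key as non-extractable at the PKCS#11 level. The script below is an added example, not code from the original post or from openCryptoki/OpenSC; it parses the "Access:" lines that OpenSC's `pkcs11-tool --list-objects` prints for private-key objects and reports any key that is not marked "never extractable". The sample output embedded in it is constructed. Caveat: CKA_EXTRACTABLE is a PKCS#11 attribute and is not the same thing as the TPM's migratable flag that the post is actually asking about; a key can be non-extractable through the token and still be a migratable TPM key with a wrapped blob on disk, so this check complements rather than answers that question.

```shell
#!/bin/sh
# Added example (not from the original post or from openCryptoki/OpenSC).
# Parses `pkcs11-tool --list-objects` output and reports private keys whose
# "Access:" line lacks "never extractable". This only reflects the PKCS#11
# CKA_EXTRACTABLE view; TPM migratability is a separate, TPM-level property.

# Constructed sample of pkcs11-tool --list-objects output (not real token output).
SAMPLE_OUTPUT='Private Key Object; RSA
  label:      user@host key
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      user@host key
  ID:         01
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      backup key
  ID:         02
  Usage:      decrypt, sign
  Access:     sensitive, extractable, local'

# Reads list-objects output on stdin. Prints the label of every private key
# whose Access line does not contain "never extractable". Returns 1 if any
# such key was found, 0 otherwise.
find_extractable_private_keys() {
    awk '
        # Emit the record just finished, if it was a private key that fails the check.
        function flush() {
            if (inpriv && access !~ /never extractable/) {
                print label
                found = 1
            }
        }
        # Every object starts with a "<Type> Object;" header line.
        /^[A-Za-z].* Object;/ {
            flush()
            inpriv = ($0 ~ /^Private Key Object/)
            label = ""
            access = ""
            next
        }
        inpriv && /^ *label:/  { sub(/^ *label: */, "");  label  = $0 }
        inpriv && /^ *Access:/ { sub(/^ *Access: */, ""); access = $0 }
        END { flush(); exit (found ? 1 : 0) }
    '
}

# Stand-alone demo over the constructed sample: prints "backup key" and exits 1.
# Against a real token the same function is fed by, e.g.:
#   pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 --login \
#       --list-objects | find_extractable_private_keys
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | find_extractable_private_keys
fi
```

Run it as `sh script.sh --demo` to see it flag the second key; in a real audit, pipe the token's `--list-objects` output into `find_extractable_private_keys` and treat a non-zero exit as a finding.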