Menu
▾
▴
[TrouSerS-users] Can you set NON_MIGRATABLE after generating the keys?
|
From: Thomas H. <th...@ha...> - 2013-11-14 16:44:31
|
I generated some keys with:
pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 \
--login --keypairgen -d 01 \
-a "$(whoami)@$(hostname --fqdn) key" \
--key-type rsa:2048
But they are migratable. I can delete the on-disk key "backups" to try
to prevent migration, but they have been stored on disk, so the TPM
chip is no longer the sole keeper of secrets (or can be convinced to
give up the keys). Deleting files on disk is hard. Especially with
SSDs because of wear levelling.
I'm hoping the answer isn't "you should have generated they keys differently"
(by adding a flag, http://marc.info/?l=trousers-users&m=120326565102441),
but if there is a cmdline similar to the one above, or one that does
tpmtoken_init differently (if that's what's needed), then that'd be
good too.
--
typedef struct me_s {
char name[] = { "Thomas Habets" };
char email[] = { "th...@ha..." };
char kernel[] = { "Linux" };
char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
|