[opencryptoki-users] What does 'CKA_EXTRACTABLE' actually mean?
From: Grzegorz S. <gst...@gm...> - 2016-09-26 10:12:34
Hi all,

I'm preparing a rollout of Linux laptops for my company, and I need to follow company policies with respect to security. Our Windows laptops use the TPM chip as a "virtual token" to secure configurations through the use of TPM-based keys in wifi and VPN configurations, accessed via the PKCS#11 API.

I'm re-creating a similar setup under Linux, and I've managed to prepare the whole stack, with keys generated using the tpm_tok backend, a CSR generated with the keys using 'certtool', signed externally, imported back into the "TPM token" with consistent names and IDs, almost ready for deployment.

My only worry is that when I list the objects in the token, the private key comes up flagged as:

    CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_EXTRACTABLE;

I've found some info on the net that said openCryptoki generates "extractable" keys only. Taken literally, this signals a problem, since at least theoretically it means someone could clone the "TPM token". On the other hand, no standard PKCS#11 tool I've found allows that, exactly because it defeats the purpose of a token, TPM-based or not.

Could someone please answer the question from the subject to clear this up? Is a TPM-token key extractable using the PKCS#11 API, or otherwise? Can I prevent this using TPM tools?

Thank you,
Best regards,
Greg

--
Grzegorz Staniak <gstaniak [at] gmail _dot_ com>