From: Ronald T. <ron...@ia...> - 2014-06-27 08:42:41
Oh, forgot to answer your main question: Also the key blob file is protected by the same secret value tpmProof and the SRK, so it too cannot be decrypted by any other device.

Ronald

On 06/27/2014 10:36 AM, Ronald Tögl wrote:
> Hello Matthew,
>
> You can use TPM keys of type storage for encryption, but only through
> the "sealing" mechanism. After sealing data, there is always an
> encrypted (under the Storage Root Key), unique, TPM-private element
> included in the resulting data structure.
> The sealed data can thus only be decrypted by the very same TPM that
> performed the encryption operation and no-one else. Not even through
> backup or vendor-maintenance mechanisms.
>
> If you need to encrypt data on any other machine, and decrypt on a
> specific TPM (with PCR states), you can use the Binding scheme instead.
>
> Best,
> Ronald
>
>
> On 06/26/2014 08:15 PM, Matthew Galligan wrote:
>> Hello,
>>
>> I was wondering, if I create a storage key with e.g.
>>> jtt create_key -t storage --keyblob my.key -p 1,2,3,4,5
>> is that key file encrypted/tied to the current TPM in any way, or can
>> another machine use this key to decrypt a file I seal with it?
>>
>> Thanks!
>> -Matt
>>

-- 
Dr. Ronald Tögl                      phone +43 316/873-5502
Secure and Correct Systems           fax   +43 316/873-5520
IAIK                                 ron...@ia...
Graz University of Technology        http://www.iaik.tugraz.at
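The two answers above describe three properties of TPM 1.2 storage keys: the key blob's private part is wrapped under the SRK together with tpmProof, so only the creating chip can load it; sealed data carries tpmProof inside the encrypted structure, so only the same chip can unseal it; and binding encrypts under the key's public part on any machine, with decryption possible only on the TPM that holds the private part and only in the PCR state the key was created for. The model below is an added toy illustration written for this page, not code from jTSS, jTpmTools or IAIK and not a real TPM: it uses a stdlib SHA-256/HMAC toy cipher and tiny unpadded RSA over Mersenne primes, and the class name `ToyTPM`, the blob dictionary layout, the constructed PCR values and the error messages are all assumptions. It exercises the same scenario as Matt's question: a key created with PCRs 1-5, sealing and unsealing on the same chip, an unseal attempt on a second chip, binding with only the public part, and unbinding after a PCR changes.

```python
"""Toy model of TPM 1.2 sealing vs binding (constructed example, not jTSS/jTpmTools code)."""
import hashlib
import hmac
import os

def _stream(key, nonce, data):
    """XOR data with a SHA-256 counter-mode keystream (toy cipher, demonstration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _wrap(key, plaintext):
    """Encrypt-then-MAC under a 32-byte key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("blob was not wrapped under this key")
    return _stream(key, nonce, ct)

def _pub_encrypt(pub, payload):
    """Needs only the public part (n, e): toy RSA on a fresh session key, then _wrap."""
    n, e = pub
    session = os.urandom(16)
    c = pow(int.from_bytes(session, "big"), e, n).to_bytes(32, "big")
    return c + _wrap(hashlib.sha256(session).digest(), payload)

def _priv_decrypt(priv, blob):
    session = pow(int.from_bytes(blob[:32], "big"), priv[1], priv[0]).to_bytes(16, "big")
    return _unwrap(hashlib.sha256(session).digest(), blob[32:])

class ToyTPM:
    def __init__(self, primes, pcrs):
        self._p, self._q = primes           # toy RSA primes for keys this chip creates
        self._srk = os.urandom(32)          # Storage Root Key: never leaves the chip
        self._tpm_proof = os.urandom(32)    # tpmProof: unique per TPM, never exported
        self.pcrs = dict(pcrs)              # PCR index -> 20-byte value (constructed)

    def _composite(self, indices):
        return hashlib.sha1(b"".join(self.pcrs[i] for i in sorted(indices))).digest()

    def create_key(self, pcr_indices):
        """Like jtt create_key: public part in clear, private part + tpmProof wrapped under SRK."""
        n = self._p * self._q
        d = pow(65537, -1, (self._p - 1) * (self._q - 1))
        pcr_info = bytes(sorted(pcr_indices)) + self._composite(pcr_indices)
        enc = _wrap(self._srk, self._tpm_proof + d.to_bytes(32, "big"))
        return {"n": n, "e": 65537, "pcr_info": pcr_info, "encData": enc}

    def load_key(self, blob):
        inner = _unwrap(self._srk, blob["encData"])   # fails on any other chip's SRK
        if not hmac.compare_digest(inner[:32], self._tpm_proof):
            raise PermissionError("migrationAuth != tpmProof: key created on another TPM")
        indices, digest = blob["pcr_info"][:-20], blob["pcr_info"][-20:]
        if self._composite(indices) != digest:
            raise PermissionError("PCR state differs from the one the key is bound to")
        return blob["n"], int.from_bytes(inner[32:], "big")

    def seal(self, blob, data):
        """Seal runs inside the TPM: the plaintext carries tpmProof (cf. TPM_SEALED_DATA)."""
        self.load_key(blob)
        return _pub_encrypt((blob["n"], blob["e"]), self._tpm_proof + data)

    def unseal(self, blob, sealed):
        inner = _priv_decrypt(self.load_key(blob), sealed)
        if not hmac.compare_digest(inner[:32], self._tpm_proof):
            raise PermissionError("tpmProof mismatch: sealed by another TPM")
        return inner[32:]

    def unbind(self, blob, bound):
        return _priv_decrypt(self.load_key(blob), bound)   # key load did the PCR check

def bind(pub, data):
    """Bind runs on any machine: it needs only the public part (n, e) of the key blob."""
    return _pub_encrypt(pub, data)

def demo():
    pcrs = {i: bytes([i]) * 20 for i in range(8)}      # constructed PCR values
    tpm_a = ToyTPM((2**61 - 1, 2**89 - 1), pcrs)
    tpm_b = ToyTPM((2**107 - 1, 2**127 - 1), pcrs)   # same PCR values, different chip
    key = tpm_a.create_key([1, 2, 3, 4, 5])
    out = {"unseal_same_tpm": tpm_a.unseal(key, tpm_a.seal(key, b"secret"))}
    try:
        tpm_b.unseal(key, tpm_a.seal(key, b"secret"))   # refused before any decryption
    except PermissionError as exc:
        out["unseal_other_tpm"] = str(exc)
    bound = bind((key["n"], key["e"]), b"for tpm_a only")   # encrypted "on another machine"
    out["unbind"] = tpm_a.unbind(key, bound)
    tpm_a.pcrs[3] = b"\xff" * 20                        # reboot into a different state
    try:
        tpm_a.unbind(key, bound)
    except PermissionError as exc:
        out["unbind_after_pcr_change"] = str(exc)
    return out
```

Running `demo()` shows the two refusals happening at different places: the second chip never gets as far as decrypting the sealed blob because it cannot unwrap the key blob at all (different SRK, and the tpmProof check behind it), while the first chip, once PCR 3 changes, still owns the key but refuses to use it. In the real TPM 1.2 structures these correspond to the migrationAuth field of a non-migratable TPM_STORE_ASYMKEY and the tpmProof field of TPM_SEALED_DATA; the toy cipher and unpadded RSA here are stand-ins and must not be reused for anything real.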