Oh, forgot to answer your main question:
Also the key blob file is protected by the same secret value tpmProof
and the SRK, so it too cannot be decrypted by any other device.
Ronald
On 06/27/2014 10:36 AM, Ronald Tögl wrote:
> Hello Matthew,
>
> You can use TPM keys of type storage for encryption, but only through
> the "sealing" mechanism. After sealing data, there is always an
> encrypted (under the Storage Root Key), unique, TPM-private element
> included in the resulting data structure.
> The sealed data can thus only be decrypted by the very same TPM that
> performed the encryption operation and no-one else. Not even through
> backup or vendor-maintenance mechanisms.
>
> If you need to encrypt data on any other machine, and decrypt on a
> specific TPM (with PCR states), you can use the Binding scheme instead.
>
> Best,
> Ronald
>
>
> On 06/26/2014 08:15 PM, Matthew Galligan wrote:
>> Hello,
>>
>> I was wondering, if I create a storage key with e.g.
>>> jtt create_key -t storage --keyblob my.key -p 1,2,3,4,5
>> is that key file encrypted/tied to the current TPM in any way, or can
>> another machine use this key to decrypt a file I seal with it?
>>
>> Thanks!
>> -Matt
>>
>
--
Dr. Ronald Tögl phone +43 316/873-5502
Secure and Correct Systems fax +43 316/873-5520
IAIK ron...@ia...
Graz University of Technology http://www.iaik.tugraz.at
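An added illustration, not code from this thread or from jTSS/jTpmTools, of the tpmProof mechanism Ronald describes: a sealed blob carries the chip's private tpmProof and the PCR digest inside the data encrypted under the SRK, so a second device, even one holding a copy of the same SRK, is rejected at unseal, and the original chip is rejected after its PCR state changes. Encryption under the SRK is modelled here as a SHA-256 keystream XOR instead of RSA-OAEP, and the structure layout is a simplified stand-in for TPM_SEALED_DATA; both are assumptions made for a stdlib-only example.

```python
import hashlib, os, struct
TPM_PT_SEAL = 0x05  # TPM 1.2 TPM_PAYLOAD_TYPE value for sealed data

def _xor_stream(key, nonce, data):
    # Stand-in for "encryption under the SRK": a real TPM 1.2 uses RSA-OAEP with
    # the SRK; a SHA-256 counter keystream keeps this stdlib-only (XOR = symmetric).
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", blk)).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)

class ToyTPM:
    """Minimal model of TPM 1.2 seal/unseal, constructed for illustration."""
    def __init__(self, srk, pcrs):
        self.srk = srk                   # Storage Root Key (symmetric stand-in)
        self.tpm_proof = os.urandom(20)  # per-chip secret that never leaves the TPM
        self.pcrs = list(pcrs)           # 20-byte PCR values
    def _pcr_composite(self, idx):       # digest of the selected PCRs
        return hashlib.sha1(b"".join(self.pcrs[i] for i in idx)).digest()
    def seal(self, data, pcr_idx):
        # TPM_SEALED_DATA-like layout: payload | tpmProof | PCR digest | len | data
        sealed = (bytes([TPM_PT_SEAL]) + self.tpm_proof + self._pcr_composite(pcr_idx)
                  + struct.pack(">I", len(data)) + data)
        nonce = os.urandom(16)
        return {"pcr_idx": list(pcr_idx), "nonce": nonce,
                "encData": _xor_stream(self.srk, nonce, sealed)}
    def unseal(self, blob):
        plain = _xor_stream(self.srk, blob["nonce"], blob["encData"])
        if plain[:1] != bytes([TPM_PT_SEAL]) or plain[1:21] != self.tpm_proof:
            raise PermissionError("TPM_NOTSEALED_BLOB")   # tpmProof is not ours
        if plain[21:41] != self._pcr_composite(blob["pcr_idx"]):
            raise PermissionError("TPM_WRONGPCRVAL")      # PCR state changed
        (n,) = struct.unpack(">I", plain[41:45])
        return plain[45:45 + n]

def unseal_outcome(tpm, blob):
    """'ok' if tpm can unseal blob, otherwise the TPM-style error name."""
    try:
        tpm.unseal(blob)
        return "ok"
    except PermissionError as e:
        return str(e)

def demo():
    # Constructed scenario: tpm_b holds a copy of tpm_a's SRK (as a backup would),
    # but its own tpmProof; the third case is tpm_a after a PCR change (different boot).
    pcrs = [hashlib.sha1(bytes([i])).digest() for i in range(8)]
    srk = os.urandom(32)
    tpm_a, tpm_b = ToyTPM(srk, pcrs), ToyTPM(srk, pcrs)
    blob = tpm_a.seal(b"my.key blob contents", [1, 2, 3, 4, 5])
    ok = unseal_outcome(tpm_a, blob)
    tpm_a.pcrs[3] = hashlib.sha1(b"different boot").digest()
    return ok, unseal_outcome(tpm_b, blob), unseal_outcome(tpm_a, blob)
```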