Hi Thomas,

My apologies for such a late answer, I originally did all this in a live environment, so I had to find the time to rebuild the setup.

On Thu, 11 Aug 2016 11:32:57 +0100 Thomas Habets <tho...@habets.se> wrote:
> Could you provide a config (without secrets) that triggers this?

It seems to be sufficient to set charon to use the module. Attached is my /etc/strongswan.d/charon/pkcs11.conf file. For completeness' sake: I've taken the steps described on https://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly up to the config part.

Kind regards,
Willem Mulder
pkcs11 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Whether to load certificates from tokens.
    # load_certs = yes

    # Reload certificates from all tokens if charon receives a SIGHUP.
    # reload_certs = no

    # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
    # option).
    # use_dh = no

    # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
    # operations. ECDSA private keys can be used regardless of this option.
    # use_ecc = no

    # Whether the PKCS#11 modules should be used to hash data.
    # use_hasher = no

    # Whether the PKCS#11 modules should be used for public key operations, even
    # for keys not stored on tokens.
    # use_pubkey = no

    # Whether the PKCS#11 modules should be used as RNG.
    # use_rng = no

    # List of available PKCS#11 modules.
    modules {

        simple-tpm-pk11 {
            path = /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
        }

    }

}
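As an added example (not code from this thread, from strongSwan or from simple-tpm-pk11), the following parses a pkcs11.conf like the one attached above and reports which PKCS#11 operations charon will actually route through the token. The parser is a simplified reading of strongswan.conf syntax (nested `name { }` sections, `key = value` lines, `#` comments); the defaults for the `use_*` keys are taken from the comments in the posted file, and the embedded config is a shortened copy of it.

```python
# Shortened copy of the posted /etc/strongswan.d/charon/pkcs11.conf.
PKCS11_CONF = """
pkcs11 {
    load = yes
    # use_rng = no          # commented out, so the default applies
    modules {
        simple-tpm-pk11 {
            path = /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
        }
    }
}
"""

# Defaults charon uses when a key is absent, as documented in the file's comments.
USE_DEFAULTS = {"use_dh": "no", "use_ecc": "no", "use_hasher": "no",
                "use_pubkey": "no", "use_rng": "no"}


def parse_conf(text):
    """Parse strongswan.conf-style text into nested dicts (simplified grammar)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in values)
        if not line:
            continue
        if line.endswith("{"):                 # open a nested section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                      # close the current section
            stack.pop()
        else:                                  # key = value
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def pkcs11_summary(conf):
    """Effective pkcs11 plugin settings: load flag, use_* switches, module paths."""
    section = conf.get("pkcs11", {})
    uses = {k: section.get(k, default) for k, default in USE_DEFAULTS.items()}
    modules = {name: m.get("path") for name, m in section.get("modules", {}).items()}
    return {"load": section.get("load", "no"), "uses": uses, "modules": modules}
```

With the posted file, only `load` and the module path are set, so every `use_*` switch stays at its default of `no`; that confirms the reporter's observation that merely loading the module is enough to trigger the behaviour, without routing DH, hashing or RNG through the TPM.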