Hello Everyone,

I would like to protect my pgp keys using the TPM2 installed on my laptop. I was hence reading this article: https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html, but I'm not able to get the `card-no: TPM-Protected` attribute for my key, so I guess something is going wrong and the key is not being protected using the TPM.

I opened a support request also here: https://crypto.stackexchange.com/questions/108897/cannot-protect-gpg-key-using-tpm2-on-ubuntu-22-04

Please find below the info on what I did.

I'm trying to protect a GPG key using the TPM2 available on my laptop, but I'm not having any success. Probably I'm doing something wrong, but I cannot figure out what this is.

My system is running `Ubuntu 22.04`. Here is what I did:

## Verify TPM2 is available and enabled in my Linux system:

- check tpm hw is detected at boot time:

```
$ dmesg | grep -i tpm
[    0.327325] kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)
```

- check tpm devices are available and have the correct owners:

```
$ ls -l /dev/tpm*
crw-rw---- 1 tss tss  10,   224 nov 27 07:42 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 nov 27 07:42 /dev/tpmrm0
```

- my user is member of the `tss` group
- installed the following packages:

```
clevis-tpm2 libnatpmp1 libtss2-tcti-swtpm0 tpm-udev tpm2-abrmd tpm2-openssl tpm2-tools libtpm2-pkcs11-tools libtpm2-pkcs11-1
```

- loaded the tpm module:

```
$ modprobe tpm_tis_spi
$ lsmod | grep tpm
tpm_tis_spi            20480  0
```

- check the tpm broker is up and running:

```
root@NR054-UB:/lib/modules/6.2.0-37-generic# systemctl status tpm2-abrmd
● tpm2-abrmd.service - TPM2 Access Broker and Resource Management Daemon
     Loaded: loaded (/lib/systemd/system/tpm2-abrmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-11-27 07:42:29 CET; 4 days ago
   Main PID: 1086 (tpm2-abrmd)
      Tasks: 6 (limit: 18082)
     Memory: 1.4M
        CPU: 9.563s
     CGroup: /system.slice/tpm2-abrmd.service
             └─1086 /usr/sbin/tpm2-abrmd
```

I built gpg version `2.4` (as the default gpg version on `ubuntu 22.04` is `2.2`) and set the env variable `GNUPGHOME=~/gpg2.tmp/` to use a "clean" keyring:

```
$ gpg2 --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/<my-username>/gpg2.tmp
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
```

## Try to protect a test gpg key using TPM

So far so good. As I got no relevant error or warning in setting up all the previous steps, I continued following the example from:

[1] https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html
[2] https://www.monperrus.net/martin/7-things-to-do-with-your-TPM-on-Linux

- started the tpm2daemon:

```
tpm2daemon --log-file ~/gpg2.tmp/tpm2daemon.log --daemon --debug-level 1000
```

BUT, when I try to move the key to the TPM I do not get the `card-no: TPM-Protected` attribute on the key:

```
$ /opt/gpg24/bin/gpg2 --edit-key tpm.t...@test.com
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). tpm.t...@test.com

gpg> keytotpm
Really move the primary key? (y/N) y

sec  rsa2048/2E0718AD3A17F52E
     created: 2023-12-02  expires: 2026-12-01  usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). tpm.t...@test.com
```

What am I doing wrong? Any hint on how to debug this?

Bye and thanks,
Sergio

--
I prefer to kill time, I prefer to talk nonsense, I prefer to blow up a fad, I prefer to die of love. (Caparezza)
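A pre-flight script for the keytotpm procedure above, added here as an example (not code from the original post or from GnuPG): each step the post verified by hand is a function that takes command output as text, so the parsing can be exercised offline, and `run_live` feeds it the real commands. It assumes that `gpg -K --with-colons` reports the same `TPM-Protected` string in the token-serial field (field 15) that `--edit-key` shows after `card-no:`; the sample listing and the subkey ID 0123456789ABCDEF are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for moving a
# GnuPG key into the TPM with keytotpm. Each check takes command output as
# text so it can run offline; run_live feeds it the real commands.

# 0 if the "gpg (GnuPG) X.Y.Z" banner is 2.3 or newer (keytotpm and
# tpm2daemon arrived in 2.3; the Ubuntu 22.04 default gpg 2.2 has neither).
gpg_supports_tpm() {
  ver=$(printf '%s\n' "$1" |
        sed -n 's/^gpg (GnuPG) \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n1)
  [ -n "$ver" ] || return 1
  major=${ver%% *}; minor=${ver##* }
  [ $((major * 100 + minor)) -ge 203 ]
}

# 0 if the user (output of `id -Gn`) is in the tss group that owns /dev/tpm*.
in_tss_group() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx tss
}

# Print key IDs of sec/ssb records whose token serial (field 15 of
# `gpg -K --with-colons` output) reads TPM-Protected. Assumption: gpg puts
# the same string there that --edit-key prints after "card-no:".
tpm_protected_keys() {
  printf '%s\n' "$1" | awk -F: '($1=="sec" || $1=="ssb") && $15=="TPM-Protected" {print $5}'
}

# 0 if key ID $1 is TPM-protected according to listing $2.
key_is_tpm_protected() {
  tpm_protected_keys "$2" | grep -qix "$1"
}

# Constructed sample listing: the primary key from the post is still
# software-held; a made-up encryption subkey has been moved to the TPM.
SAMPLE_LISTING='sec:u:2048:1:2E0718AD3A17F52E:1701475200:1796083200::u:::scSC:::::::0:
ssb:u:2048:1:0123456789ABCDEF:1701475200:1796083200:::::e:::TPM-Protected::::0:'

# Run every check against the live system (gpg honours GNUPGHOME).
run_live() {
  gpg_supports_tpm "$(gpg --version)" || echo "FAIL: gpg in PATH is older than 2.3"
  in_tss_group "$(id -Gn)"            || echo "FAIL: user is not in group tss"
  command -v tpm2daemon >/dev/null    || echo "FAIL: tpm2daemon not found in PATH"
  [ -c /dev/tpmrm0 ]                  || echo "FAIL: /dev/tpmrm0 (TPM resource manager) missing"
  echo "TPM-protected keys:"; tpm_protected_keys "$(gpg -K --with-colons)"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as `sh check_keytotpm.sh --live` (hypothetical file name) with GNUPGHOME exported as in the post; each FAIL line names a step to fix before retrying keytotpm.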
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users