Wed, 13 Jan 2021 at 22:01, Jan Just Keijser <janj...@nikhef.nl>:
> Hi,
>
> On 13/01/21 17:20, Илья Шипицин wrote:
> > Hello,
> >
> > if a user saves a password, it might be stolen from a well-known location
> > (there are popular password stealers).
> >
> > In theory, is it possible to keep the password in the TPM? Will it prevent
> > the password from being stolen?
>
> In theory, yes, but as always, it depends on the circumstances.
>
> With TPM 1.2 you can only store a very limited amount of data in the TPM
> chip; the (open source) implementations I have seen (tss, trousers) store

I meant openvpn-gui + user/password authentication + password is kept in the registry encrypted by the Data Protection API (not clear text, but it might be decrypted and stolen easily).

trousers is Linux, right?

> a key in the TPM to scramble other data with; thus, you can encrypt a
> private key or password with a key stored on the TPM and only if you
> have the TPM will you be able to decrypt it.
> I've never been particularly impressed with the security of this setup,
> however, as trousers seems to suggest storing the actual decryption
> key in an environment variable...
>
> With TPM 2.0 you can store more data in the chip, including a full
> private key. This makes it behave more like a regular PKCS#11 device,
> where you store the private key, not the user password, on it. Of course,
> it will/should also be possible to store a user password on it.
>
> cheers,
>
> JJK
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
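The threat model behind the exchange above (a saved password kept in the registry under DPAPI, which "might be decrypted and stolen easily") is easy to reproduce with the public .NET wrapper for DPAPI. The following PowerShell script is an added illustration written for this page; it is not code from the thread, from openvpn-gui or from any of the projects mentioned. It does not touch openvpn-gui's own registry keys: the secret, the entropy string and the error message text are constructed sample values. It shows why a CurrentUser-scoped DPAPI blob offers no protection against code running as the same user, and why the optional entropy parameter only helps when that entropy is not stored beside the blob. A TPM-resident private key, as described for TPM 2.0 above, avoids the problem differently: there is no decryptable blob on disk at all, the signing operation happens inside the chip.

```powershell
# Added example (not from the openvpn-devel thread): how much a DPAPI-protected
# "saved password" actually protects. Runs on Windows PowerShell 5.1 or pwsh on Windows.
Add-Type -AssemblyName System.Security

$dpapi = [System.Security.Cryptography.ProtectedData]
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('hunter2')   # constructed sample password

# 1. CurrentUser scope, no extra entropy: the shape of a password saved to a
#    well-known registry location by a desktop application.
$blob = $dpapi::Protect($secret, $null, $scope)

# Anything running in the same user session (a stealer included) recovers it
# without any key material of its own; the blob is bound to the user, not to the app.
$recovered = $dpapi::Unprotect($blob, $null, $scope)
"Recovered without any key: " + [System.Text.Encoding]::UTF8.GetString($recovered)

# 2. Same scope, plus optional entropy. DPAPI mixes the entropy into the key,
#    so Unprotect fails without it. This only raises the bar if the entropy is NOT
#    written next to the blob (e.g. it is derived from something the user types);
#    entropy stored in an adjacent registry value is just read along with the blob.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('value-the-user-supplies-at-launch')
$blob2 = $dpapi::Protect($secret, $entropy, $scope)
try {
    [void]$dpapi::Unprotect($blob2, $null, $scope)
    "Unexpected: entropy-protected blob opened without entropy"
} catch {
    "Unprotect without the entropy fails as expected: " + $_.Exception.Message
}
$recovered2 = $dpapi::Unprotect($blob2, $entropy, $scope)
"Recovered with the entropy: " + [System.Text.Encoding]::UTF8.GetString($recovered2)
```

Run it as the user who would own the saved password; the first Unprotect succeeds with no input beyond the blob itself, which is the whole weakness discussed in the thread. From a hardening standpoint the options are the same ones JJK lists: either bind the decryption to something the attacker does not have (entropy the user supplies, a TPM-wrapped key), or keep the long-lived credential out of the registry altogether and use a TPM- or PKCS#11-held private key instead of a stored user password.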