Hi,

The blob stored in the registry is encrypted by DPAPI and requires access
to the user's session to decrypt. No matter where the blob is stored, if an
attacker has access to the session, anything the GUI can read can be read
by the attacker too.

That said, if there is a well-defined API for protecting data using a
non-exportable key in TPM, respecting security boundaries, we could use it.
The blob still has to be stored in the registry or the Windows password store
(which also stores it in the registry). TPM is useful for storing
non-exportable private keys. For exportable data, if at all possible and
space permits, I see little point in putting it in TPM.

DPAPI supports an app-specific salt, and we could have it wrapped by TPM to
add some extra protection but I would be wary of inventing our own schemes
like that.

Storing the certificate private key in TPM makes sense.

Selva
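To make the two points above concrete (DPAPI blobs are bound to the user session, and the "app-specific salt" is DPAPI's optional entropy), here is an added PowerShell example that is not part of this thread or of openvpn-gui; the secret, entropy and registry key path are constructed for the demonstration.

```powershell
# Added example, not openvpn-gui code: DPAPI via .NET ProtectedData on Windows.
# The secret, the entropy bytes and the registry path are constructed for this demo.
Add-Type -AssemblyName System.Security

$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [Text.Encoding]::UTF8.GetBytes('constructed-vpn-password')
# The "app-specific salt" is DPAPI's optional entropy; it is mixed into the
# key derivation, so unprotecting without it fails.
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')

$blob = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Persist it the way a GUI would (hypothetical key, created and removed below).
$key = 'HKCU:\Software\ExampleVpnGui'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'auth-blob' -Value $blob -Type Binary

# Any code running in the same user session can read the value back and, with
# the same entropy, unprotect it: DPAPI ties the blob to the user, not to the app.
$stored = (Get-ItemProperty -Path $key -Name 'auth-blob').'auth-blob'
$plain  = [Security.Cryptography.ProtectedData]::Unprotect($stored, $entropy, $scope)
[Text.Encoding]::UTF8.GetString($plain)   # original secret: session access suffices

# Without the entropy DPAPI refuses, so the entropy only adds protection when it
# is not itself recoverable from the same session (a constant in the binary is).
try {
    [Security.Cryptography.ProtectedData]::Unprotect($stored, $null, $scope) | Out-Null
    'unexpected: unprotect without entropy succeeded'
} catch {
    'expected: unprotect without entropy failed'
}

Remove-Item -Path $key -Recurse
```

Running this as the same user shows both outcomes; the entropy check fails, but the first Unprotect succeeds, which is the limitation the message describes.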

On Wed, Jan 13, 2021 at 1:31 PM Илья Шипицин <chipits...@gmail.com> wrote:

>
>
> Wed, 13 Jan 2021 at 22:01, Jan Just Keijser <janj...@nikhef.nl>:
>
>> Hi,
>>
>> On 13/01/21 17:20, Илья Шипицин wrote:
>> > Hello,
>> >
>> > if the user saves the password, it might be stolen from a well-known
>> > location (there are popular password stealers).
>> >
>> > In theory, is it possible to keep the password in the TPM? Will it
>> > prevent the password from being stolen?
>> >
>> in theory, yes, but as always, it depends on the circumstances.
>>
>> With TPM 1.2 you can only store a very limited amount of data in the TPM
>> chip; the (open source) implementation I have seen (tss, trousers) store
>>
>
> I meant openvpn-gui + user/password authentication + password is kept in
> the registry encrypted by the data protection API (not clear text, but might
> be decrypted and stolen easily).
>
> trousers is Linux, right?
>
>
>> a key in the TPM to scramble other data with; thus, you can encrypt a
>> private key or password with a key stored on the TPM and only if you
>> have the TPM will you be able to decrypt it.
>> I've never been particularly impressed with the security of this setup,
>> however, as trousers seems to suggest storing the actual decryption
>> key in an environment variable...
>>
>> With TPM 2.0 you can store more data in the chip, including a full
>> private key. This makes it behave more like a regular PKCS#11 device,
>> where you store the private key, not the user password on it. Of course,
>> it will/should also be possible to store a user password on it.
>>
>> cheers,
>>
>> JJK
>>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel