Skip to content

Foxboron/age-plugin-tpm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

85 Commits

.github/workflows

.github/workflows

 
 

cmd/age-plugin-tpm

cmd/age-plugin-tpm

 
 

plugin

plugin

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

TPM plugin for age clients

age-plugin-tpm is a plugin for age clients like age and rage, which enables files to be encrypted to age identities sealed by the TPM.

Features

  • Keys created on the TPM, sealed outside of it
  • PIN support
  • TPM session encryption

Experimental

The identity format and technical details might change between iterations. Consider this plugin experimental.

Instead of utilizing the TPM directly, you can use --swtpm or export AGE_TPM_SWTPM=1 to create a identity backed by swtpm which will be stored under /var/tmp/age-plugin-tpm.

Note that swtpm provides no security properties and should only be used for testing.

Installation

The simplest way of installing this plugin is by running the follow go command.

go install github.com/Foxboron/age-plugin-tpm@latest

Alternatively download the pre-built binaries.

Usage

# Create identity
$ age-plugin-tpm --generate -o age-identity.txt
$ age-plugin-tpm -y age-identity.txt > age-recipient.txt

# Encrypt / Decrypt something
$ echo "Hack The Planet" | age -R ./age-recipient.txt -o test-decrypt.txt
$ age --decrypt -i ./age-identity.txt -o - test-decrypt.txt
Hack The Planet!

With PIN

# Create identity
$ AGE_TPM_PIN=123 age-plugin-tpm --generate --pin -o age-identity.txt
$ age-plugin-tpm -y age-identity > age-recipient.txt

# Encrypt / Decrypt something
$ echo "Hack The Planet" | age -R ./age-recipient.txt -o test-decrypt.txt
$ AGE_TPM_PIN=123 age --decrypt -i ./age-identity.txt -o - test-decrypt.txt
Hack The Planet!

Commands

An age identity can be created with:

$ age-plugin-tpm --generate -o age-identity.txt
# Created: 2023-07-05 22:38:36.362043774 +0200 CEST m=+0.110154231
# Recipient: age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36

AGE-PLUGIN-TPM-1QYQSQLSQYZJN56KJ4WHGP676AW248W7Z3KE7JRP8HWGGTW98CX955U9NCV4G2QQS828ZMZNQLLC57QU037ELMLA0RR56SM35HLJAFHKY0EH7J62SYJLX3YFULEE7AQJR0DJX7D33HRKWRYHNXFN0TRS45MKUHZGRU3K3EPRUSGSWWV07K2PKTFF79YVACDZSVEKAYY4GEAM6DRNQQPTQQGCQPVQQYQRJQQQQQYQQZQQQXQQSQQSQLFXWNXQX9LSKL2GNGFNS4RZPJ0HPU4JV7G2GEV7ZYP0LPJJAGEGQYQE8GSEC0GWWDVKAFT04QTJWCU3T2KYVXGER35FVMHEY0ZDGEHC4C0EXJ8Y

To display the recipient of a given identity:

$ age-plugin-tpm -y age-identity.txt
age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36

License

Licensed under the MIT license. See LICENSE or http://opensource.org/licenses/MIT

About

🔑 TPM 2.0 plugin for age

Topics

golang security tpm tpm2 age go-tpm

Resources

Readme

License

MIT license
Activity

Stars

57 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 3

age-plugin-tpm v0.2.0 Latest
Aug 12, 2023
+ 2 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages