
Sep 29, 2020


Drawings and specifications herein are property of Advantech and shall not be reproduced or copied or used without prior written permission.

Using Trust Platform Module (TPM) On Advantech ECU-4784 in Linux

Version <0.90>


Revision History

Date Version Description Author

2017/04/06 0.90 Initial version Liu.kun


Table of Contents

Revision History ............................................................................................. 2

1 Introduction .............................................................................................. 6

1.1 Terminology ................................................................................................ 7

2 Getting started .......................................................................................... 8

2.1 System Requirements ................................................................................. 8

2.1.1 Hardware Requirements .......................................................................... 8

2.1.2 Software Requirements ........................................................................... 8

2.2 Enable the TPM in the BIOS ....................................................................... 10

2.2.1 Steps to Enable TPM in BIOS ................................................................. 10

2.2.2 Check if TPM is supported ..................................................................... 19

2.3 Install TPM Packages ................................................................................ 21

2.3.1 Install TPM Packages in RHEL/CentOS/Fedora .......................................... 21

2.3.2 Install TPM Packages in Debian/Ubuntu................................................... 22

2.4 Start trousers Daemon .............................................................................. 23

2.5 Take Ownership of the TPM ....................................................................... 25

3 Using the TPM 1.2 in RHEL 6.5 ................................................................. 27

3.1 Protect File ................................................................................................ 27

3.1.1 Step 1: Encrypting the Data File ............................................................ 27

3.1.2 Step 2: Edit the Data File ...................................................................... 29

3.1.3 Step 3: Decrypting the Data File ............................................................ 29

3.1.4 Step 4: Decrypting the Data File on other Platform ................................... 31

3.1.5 Conclusions ......................................................................................... 32

3.2 Data Volume Encryption with a TPM-stored key ........................................ 33

3.2.1 Step 1: Create the TPM-stored key file (Passphrase file) ........................... 33

3.2.2 Step 2: Create the LUKS partition .......................................................... 34

3.2.3 Step 3: Open the LUKS partition ............................................................ 35

3.2.4 Step 4: Mount and use the LUKS partition ............................................... 36


3.2.5 Step 5: Add a new key file .................................................................... 38

3.2.6 Step 6: Close the LUKS partition ............................................................ 39

3.2.7 Step 7: Open the LUKS partition with the TPM-stored key ......................... 40

3.3 Encrypting File System (Directory) with a TPM-stored key ........................ 43

3.3.1 Step 1: Create the TPM-stored passphrase password key file ..................... 43

3.3.2 Step 2: Mount the EFS .......................................................................... 44

3.3.3 Step 3: Manage the mounted EFS ........................................................ 45

3.3.4 Step 4: Unmount the EFS...................................................................... 47

3.3.5 Step 5: Mount the EFS with TPM-stored key ............................................ 48

4 Using the TPM 1.2 in Ubuntu 15.04 ......................................................... 51

4.1 Protect File ................................................................................................ 51

4.1.1 Step 1: Encrypting the Data File ............................................................ 51

4.1.2 Step 2: Edit the Data File ...................................................................... 53

4.1.3 Step 3: Decrypting the Data File ............................................................ 53

4.1.4 Step 4: Decrypting the Data File on other Platform ................................... 55

4.2 Data Volume Encryption with a TPM-stored key ........................................ 56

4.2.1 Step 1: Create the TPM-stored key file (Passphrase file) ........................... 56

4.2.2 Step 2: Create the LUKS partition .......................................................... 57

4.2.3 Step 3: Open the LUKS partition ............................................................ 58

4.2.4 Step 4: Mount and use the LUKS partition ............................................... 59

4.2.5 Step 5: Add a new key file .................................................................... 61

4.2.6 Step 6: Close the LUKS partition ............................................................ 61

4.2.7 Step 7: Open the LUKS partition with the TPM-stored key ......................... 62

4.3 Encrypting File System (Directory) with a TPM-stored key ........................ 65

4.3.1 Step 1: Create the TPM-stored passphrase password key file ..................... 65

4.3.2 Step 2: Mount the EFS .......................................................................... 66

4.3.3 Step 3: Manage the mounted EFS ........................................................ 67

4.3.4 Step 4: Unmount the EFS...................................................................... 69


4.3.5 Step 5: Mount the EFS with TPM-stored key ............................................ 70


1 Introduction

TPM stands for Trusted Platform Module, a secure microprocessor that can store cryptographic keys which are then used to encrypt and decrypt data.

Remember that the TPM itself is not used to encrypt or decrypt our data on the hard drive; it is hardware that holds the secret keys, and a software component uses those keys to do the actual encryption and decryption on the fly.

This document contains information that helps users get started with TPM 1.2 in Linux.

When you have completed this tutorial, you will know how to:

- Configure the hardware to enable the TPM.
- Check the system to see if the platform supports the TPM.
- Install the TPM packages.
- Take ownership of the TPM.
- Use the TPM 1.2 in RHEL 6.5 (kernel 2.6.32):
  1) Protect a file
  2) Data volume encryption with a TPM-stored key
  3) Encrypting File System (Directory) with a TPM-stored key
- Use the TPM 1.2 in Ubuntu 15.04 (kernel 3.19.0):
  4) Protect a file
  5) Data volume encryption with a TPM-stored key
  6) Encrypting File System (Directory) with a TPM-stored key


1.1 Terminology

Term Description

BIOS Basic Input-Output System

TPM Trusted Platform Module

PCR Platform Configuration Registers

SRK Storage Root Key

LUKS Linux Unified Key Setup

EFS Encrypting File System


2 Getting started

The TPM is easy to use; there are only four steps to enable and use it:

1). Turn on the TPM from the BIOS. For more information, see Enable the TPM in the BIOS.

2). Install the available TPM utilities. For more information, see Install TPM Packages.

3). Enable the TPM and take ownership. For more information, see Take Ownership of the TPM.

4). Use the TPM for a specific need. For more information, see Using the TPM 1.2 in RHEL 6.5 and Using the TPM 1.2 in Ubuntu 15.04.

2.1 System Requirements

This section includes the hardware and software requirements for TPM.

2.1.1 Hardware Requirements

The hardware requirements for TPM are:

Motherboard: equipped with a Trusted Platform Module (TPM) microchip, version 1.2.

A computer that meets the minimum requirements for running Linux kernel version 2.6.19 or higher.

Here, we use the ECU-4784 device (which ships with an Infineon SLB 9635 TT 1.2 Trusted Platform Module).

2.1.2 Software Requirements

The software requirements for TPM are:

Operating Systems: a computer running Linux kernel version 2.6.19 or higher.


Here, we use RHEL 6.5 x64 English version (kernel 2.6.32) and Ubuntu 15.04 desktop x64 English version (kernel 3.19.0).

Tools:

trousers

tpm-tools

ecryptfs-utils

cryptsetup-luks in RHEL/CentOS/Fedora

cryptsetup in Debian/Ubuntu


2.2 Enable the TPM in the BIOS

Before doing anything, we should first enable the TPM in BIOS.

2.2.1 Steps to Enable TPM in BIOS

During power up, the platform first displays the BIOS startup screen, and then the BIOS extensions are processed.

Perform the following steps to enable the TPM in BIOS:

1. Press the "Delete" key to access the BIOS.


2. Press the "Right" arrow key to move to the "Advanced" menu in the BIOS.

3. Press the "Down" arrow key to highlight the "Trusted Computing" item.


4. Press the "Enter" key to enter the security device configuration item, which houses the security device control.


5. Press the "Down" arrow to highlight "Security Device Support", then press the "Enter" key to enter the security device support configuration item.

A. To enable TPM Device Support, ensure that the setting is "Enable".

B. To disable TPM Device Support, ensure that the setting is "Disable".

Here, we select "Enable" to enable TPM Device Support.


6. Press the "F4" key to save the BIOS changes and exit the BIOS. Select "Yes" if prompted for confirmation. This will also exit the BIOS and automatically restart the computer.


7. Repeat steps 1 to 4 to enter the security device configuration item.


10. Press the "Down" arrow to highlight "TPM State".

A. To enable the TPM State, ensure that the setting is "Enabled".

B. To disable the TPM State, ensure that the setting is "Disabled".

Here, we select "Enabled" to enable the TPM State.


11. Press the "F4" key to save the BIOS changes and exit the BIOS. Select "Yes" if prompted for confirmation. This will also exit the BIOS and automatically restart the computer.


2.2.2 Check if TPM is supported

We have seen how to enable the TPM in BIOS. Next, we need to check whether the TPM is supported by your kernel.

To check if the TPM is supported:

Open a terminal and type dmesg | grep -i tpm.

The TPM driver prints a message such as:

[ 0.712763] tpm_tis 00:08: 1.2 TPM (device-id 0xB, rev-id 16)


Figure: Check TPM in RHEL 6.5

Figure: Check TPM in Ubuntu 15.04

If dmesg | grep -i tpm gives no message about initializing a TPM, then you do not have a TPM that is recognized by the kernel.


2.3 Install TPM Packages

You need to install the following packages.

trousers: TrouSerS is an open-source TCG Software Stack.

tpm-tools: the tpm-tools package contains commands that allow the platform administrator to manage and diagnose the platform's TPM.

ecryptfs-utils: utilities for the eCryptfs cryptographic filesystem.

cryptsetup: a utility for conveniently setting up disk encryption.

2.3.1 Install TPM Packages in RHEL/CentOS/Fedora

RHEL/CentOS/Fedora users can use either the yum command or the rpm command to install the packages.

Using the yum command

Open a terminal and type the following yum command:

yum install trousers tpm-tools ecryptfs-utils cryptsetup-luks

Using the rpm command

Open a terminal and type the following rpm commands:

rpm -ivh /Packages/trousers-0.3.4-4.el6.x86_64.rpm

rpm -ivh /Packages/tpm-tools-1.3.4-2.el6.x86_64.rpm


rpm -ivh /Packages/cryptsetup-luks-libs-1.2.0-7.el6.x86_64.rpm

rpm -ivh /Packages/cryptsetup-luks-1.2.0-7.el6.x86_64.rpm

rpm -ivh /Packages/ecryptfs-utils-82-6.el6_1.3.x86_64.rpm

2.3.2 Install TPM Packages in Debian/Ubuntu

Debian / Ubuntu Linux users type the following apt-get commands:

sudo apt-get update

sudo apt-get install trousers tpm-tools ecryptfs-utils cryptsetup


2.4 Start trousers Daemon

Check trousers daemon:

When installed, the trousers package provides a daemon that is used for TPM communication. First we need to check whether the daemon is running, with the command:

service tcsd status

Figure: Check tcsd in RHEL 6.5

Start trousers daemon:

We can see that the tcsd daemon is stopped, which is why we need to start it. We can start the tcsd daemon with the command:

service tcsd start

Figure: Start tcsd in RHEL 6.5

The trousers daemon (tcsd) was successfully started.

Check TPM version:


To check whether the TPM is accessible, we can run the tpm_version command:

Figure: TPM Version in RHEL 6.5

tpm_version reports the system's TPM version and manufacturer information.


2.5 Take Ownership of the TPM

Once the TPM is enabled in the BIOS, we must also take ownership of the TPM to protect our data.

Owning the TPM means setting the password that ensures only the authorized user can access and manage the TPM. By default, the TPM ships in an un-owned state.

To take ownership run:

tpm_takeownership -u

Figure: Take Ownership of the TPM in RHEL 6.5

Figure: Take Ownership of the TPM in Ubuntu 15.04

We must set two passwords.


The first password is the Owner (administration) password. This is a new password which will restrict TPM usage to the owner. Enter the Owner password, then confirm the password once again.

The second password is the SRK (Storage Root Key) password, which is needed whenever we load a key into the TPM. This is the password we will be using most often when calling TPM operations.

Caution! Do not fill in the SRK password; just press ENTER on the keyboard.

Taking ownership usually takes a few seconds after the passwords are entered. No output is given if it succeeds; if there is a problem, the command reports it.
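The two checks of sections 2.2.2 and 2.5 (is a TPM recognized by the kernel, and is it enabled and owned) as one pre-flight script, added here as an example and not part of the Advantech manual; it parses the dmesg line quoted above and assumes the TPM 1.2 sysfs attribute path /sys/class/tpm/tpm0/device exposed by tpm_tis (overridable through TPM_SYSFS):

```shell
#!/bin/sh
# Added pre-flight check for a TPM 1.2 on Linux; example script, not part of the
# Advantech manual. It automates the manual's "dmesg | grep -i tpm" test and then
# reads the TPM 1.2 sysfs attributes (enabled/active/owned) so a script can stop
# before tcsd or any tpm_sealdata call is attempted. TPM_SYSFS is an assumption:
# /sys/class/tpm/tpm0/device is where tpm_tis exposes these files for a 1.2 chip.

TPM_SYSFS="${TPM_SYSFS:-/sys/class/tpm/tpm0/device}"

# tpm_version_from_dmesg DMESG_TEXT
# Extracts the TPM family version from the tpm_tis probe line, e.g.
# "[ 0.712763] tpm_tis 00:08: 1.2 TPM (device-id 0xB, rev-id 16)" -> "1.2".
# Prints nothing and returns 1 when no tpm_tis line is present (the manual's
# "you haven't got a TPM which is recognized by the kernel" case).
tpm_version_from_dmesg() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*tpm_tis [^ ]*: \([0-9][0-9.]*\) TPM.*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# tpm_attr NAME: print one sysfs attribute without its newline, or "missing".
tpm_attr() {
    if [ -r "$TPM_SYSFS/$1" ]; then
        tr -d '\n' < "$TPM_SYSFS/$1"
    else
        printf 'missing'
    fi
}

# tpm_state: summarise the chip as one word.
#   ready     enabled, active and owned (sections 2.2 and 2.5 both done)
#   unowned   enabled and active but tpm_takeownership has not been run
#   disabled  present but "TPM State" in the BIOS is not Enabled
#   absent    no sysfs node at all (TPM off in the BIOS, or no driver)
# Returns 0 only for "ready".
tpm_state() {
    [ -d "$TPM_SYSFS" ] || { printf 'absent\n'; return 1; }
    en=$(tpm_attr enabled); ac=$(tpm_attr active); ow=$(tpm_attr owned)
    if [ "$en" != "1" ] || [ "$ac" != "1" ]; then
        printf 'disabled\n'; return 1
    fi
    if [ "$ow" != "1" ]; then
        printf 'unowned\n'; return 1
    fi
    printf 'ready\n'
}

# preflight: run both checks against the live system. Reading dmesg may need
# root on kernels with dmesg_restrict=1.
preflight() {
    if ! ver=$(tpm_version_from_dmesg "$(dmesg 2>/dev/null)"); then
        echo "no tpm_tis device in dmesg: enable the TPM in the BIOS (section 2.2)" >&2
        return 1
    fi
    echo "kernel found a $ver TPM"
    state=$(tpm_state) || true
    case "$state" in
        ready)    echo "TPM is enabled, active and owned" ;;
        unowned)  echo "TPM not owned yet: run tpm_takeownership (section 2.5)" >&2; return 1 ;;
        disabled) echo "TPM present but not enabled/active: check BIOS TPM State" >&2; return 1 ;;
        *)        echo "no TPM sysfs node at $TPM_SYSFS" >&2; return 1 ;;
    esac
}

# Run the live check only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```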


3 Using the TPM 1.2 in RHEL 6.5

This section shows some examples of using the TPM 1.2 in RHEL 6.5.

1). Protect a file. For detailed information, see Protect File.

2). Encrypt a volume with a TPM-stored key. For detailed information, see Data Volume Encryption with a TPM-stored key.

3). Encrypt a directory with a TPM-stored key. For detailed information, see Encrypting File System (Directory) with a TPM-stored key.

3.1 Protect File

This section shows how to use the TPM to protect a file.

In the following examples,

The data file to be protected is /tpm_test/tpm_protect_file.

The encrypted data is stored in /tpm_sealed/tpm_protect_file.key.

Caution!

The encrypted data can later be decrypted with the TPM on the local platform only!

3.1.1 Step 1: Encrypting the Data File

In the following procedure, you will encrypt the “/tpm_test/tpm_protect_file” data file.

Procedure

1. View the “/tpm_test/tpm_protect_file” file content.


2. Print the SHA256 (256-bit) checksum.

Open the terminal, type the following command:

sha256sum /tpm_test/tpm_protect_file

The command prints out:

e0ae1eb10ccc4232f27ea68e73aa4263bfe6be5b3ea282cab3ba6e5ef5ddf1b3  /tpm_test/tpm_protect_file

3. Encrypt the “/tpm_test/tpm_protect_file” file.

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_protect_file -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_protect_file.key


Note:

The “/tpm_test/tpm_protect_file” file is the data file to be encrypted.

The sealed data is bound to PCRs 4, 8, 12 and 14, so it can only be unsealed while those registers hold the same values as at sealing time.

The “/tpm_sealed/tpm_protect_file.key” file is a single encrypted file that contains three sections: the encrypted data, the wrapped AES key, and the wrapped RSA key blob from the TPM.

3.1.2 Step 2: Edit the Data File

Now, you can modify or delete the data file.

Here, we delete the “/tpm_test/tpm_protect_file” file.

Open the terminal, type the following command:

rm -f /tpm_test/tpm_protect_file

3.1.3 Step 3: Decrypting the Data File

In the following procedure, you will decrypt the TPM protected file.


Procedure

1. Decrypt the file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_unprotect_file

2. View the “/tpm_test/tpm_unprotect_file” file content.

The file content of the “/tpm_test/tpm_unprotect_file” file is identical to the old “/tpm_test/tpm_protect_file” file.

3. Print the SHA256 (256-bit) checksum.

Open the terminal, type the following command:

sha256sum /tpm_test/tpm_unprotect_file


The command prints out:

e0ae1eb10ccc4232f27ea68e73aa4263bfe6be5b3ea282cab3ba6e5ef5ddf1b3  /tpm_test/tpm_unprotect_file

The checksum of the “/tpm_test/tpm_unprotect_file” file is identical to that of the old “/tpm_test/tpm_protect_file” file.

3.1.4 Step 4: Decrypting the Data File on other Platform

Now, try to decrypt the file on another platform.

In the following example, we copy the “tpm_protect_file.key” file to another platform running Ubuntu 15.04. Here, we copy the “/tpm_sealed/tpm_protect_file.key” file to “/tpm_test/tpm_sealed/tpm_protect_file.key”.

On Ubuntu 15.04, try to decrypt the file.

Open the terminal, run the following command and enter the SRK password:

tpm_unsealdata -i /tpm_test/tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_sealed/tpm_protect_file


It shows “Unable to write output file”.

So, we cannot decrypt the file on another platform: the sealed blob is wrapped under the first platform's SRK and bound to that platform's PCR values, which a different TPM cannot reproduce.

3.1.5 Conclusions

The data can only be decrypted under the same conditions as it was encrypted.

You can extend the method of using TPM to protect password, key, software licenses, etc.
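The section 3.1 procedure (seal with PCR binding, delete the plaintext, unseal, compare SHA-256 checksums) as one checked wrapper, added here as an example and not taken from the Advantech manual; it calls the manual's tpm_sealdata and tpm_unsealdata with the manual's PCR list, and SEAL_PCRS and the recorded .sha256 side file are this example's own conventions:

```shell
#!/bin/sh
# Added wrapper for the section 3.1 procedure; example script, not from the
# Advantech manual. seal_file records the SHA-256 of the plaintext next to the
# sealed blob, and unseal_file refuses to hand back data whose digest differs,
# which automates the manual's two sha256sum comparisons and also catches a
# sealed blob that was altered on disk. The PCR list (4 8 12 14) and the -u
# well-known-SRK flag are the manual's; SEAL_PCRS is an assumed override knob.

SEAL_PCRS="${SEAL_PCRS:-4 8 12 14}"

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Build the "-p 4 -p 8 -p 12 -p 14" argument list from SEAL_PCRS.
pcr_args() {
    for p in $SEAL_PCRS; do printf ' -p %s' "$p"; done
}

# seal_file PLAINTEXT SEALED
# Seals PLAINTEXT into SEALED bound to the PCRs in SEAL_PCRS and writes the
# plaintext's digest to SEALED.sha256 so a later unseal can be verified after
# the plaintext has been deleted (manual step 3.1.2).
seal_file() {
    in="$1"; out="$2"
    [ -f "$in" ] || { echo "seal_file: no such file: $in" >&2; return 1; }
    # shellcheck disable=SC2046  # word splitting of pcr_args is intended
    tpm_sealdata -i "$in" -u $(pcr_args) -o "$out" || return 1
    sha256_of "$in" > "$out.sha256"
}

# unseal_file SEALED OUTPUT
# Returns 0 only if the TPM released the data (same platform, same PCR values,
# manual section 3.1.5) and the result matches the digest recorded at seal
# time; on mismatch the partial output is removed and 2 is returned.
unseal_file() {
    sealed="$1"; out="$2"
    tpm_unsealdata -i "$sealed" -o "$out" || return 1
    expected=$(cat "$sealed.sha256" 2>/dev/null)
    actual=$(sha256_of "$out")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "unseal_file: digest mismatch for $out, discarding it" >&2
        rm -f "$out"
        return 2
    fi
    return 0
}
```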


3.2 Data Volume Encryption with a TPM-stored key

This section shows how to encrypt a data volume with a TPM-stored key.

In the following examples, /dev/sdb1 represents the device node and luks_sdb1 represents the mapping name assigned to the node.

The encrypted key file is stored in /tpm_sealed/tpm_luks_passphrase.key.

Caution!

This procedure will wipe all data on the hard drive. Ensure all backups are completed before proceeding.

3.2.1 Step 1: Create the TPM-stored key file (Passphrase file)

The plain passphrase is sensitive information, so it is unsafe to save it to a disk-backed location. This step creates a passphrase file that is used to open the encrypted volume. The passphrase file will be encrypted and stored in the TPM.

In the following procedure, you will create a key file “/tpm_test/tpm_luks_passphrase” and encrypt the key file.

Procedure

1. Create the key file “/tpm_test/tpm_luks_passphrase”.

Open the terminal, type the following command:

echo "passphrase" >> /tpm_test/tpm_luks_passphrase


2. Protect the key file with TPM.

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_luks_passphrase -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_luks_passphrase.key

The encrypted key file is stored in /tpm_sealed/tpm_luks_passphrase.key.

3.2.2 Step 2: Create the LUKS partition

In the following procedure, you will create a LUKS partition.

Procedure

1. Create the LUKS partition.

Open the terminal, type the following command:

cryptsetup luksFormat /dev/sdb1 -v -y -c aes-cbc-essiv:sha256


The end-user will be prompted to enter and verify the passphrase.

3.2.3 Step 3: Open the LUKS partition

In the following procedure, you will open the LUKS partition.

Procedure

1. Open the LUKS partition.

Open the terminal, type the following command:

cryptsetup luksOpen /dev/sdb1 luks_sdb1

The end-user will be prompted to enter the passphrase.

2. Report the status of the mapping luks_sdb1.


Open the terminal, type the following command:

cryptsetup status /dev/mapper/luks_sdb1

3.2.4 Step 4: Mount and use the LUKS partition

In the following procedure, you will mount and use the LUKS partition.

Procedure

1. Create a directory.

Open the terminal, type the following command:

mkdir /mnt/luks_sdb1

2. Create the file system on the LUKS partition.

Open the terminal, type the following command:


mkfs.ext4 /dev/mapper/luks_sdb1

3. Mount the LUKS partition.

Open the terminal, type the following command:

mount /dev/mapper/luks_sdb1 /mnt/luks_sdb1/


4. Do some operations on the LUKS partition.

Open the terminal, type the following command:

echo "This is a luks test." >> /mnt/luks_sdb1/luks_test.txt

ls /mnt/luks_sdb1/

3.2.5 Step 5: Add a new key file

In the following procedure, you will add the key file created in step 1 to the LUKS partition.

Procedure

1. Add the key file.

Open the terminal, type the following command:

cryptsetup luksAddKey /dev/sdb1 /tpm_test/tpm_luks_passphrase


The end-user will be prompted to enter the passphrase.

2. Remove the key file from the system.

Open the terminal, type the following command:

rm -f /tpm_test/tpm_luks_passphrase

3.2.6 Step 6: Close the LUKS partition

In the following procedure, you will unmount and close the LUKS partition.

Procedure

1. Unmount the LUKS partition.

Open the terminal, type the following command:

umount /mnt/luks_sdb1/


2. Close the LUKS partition.

Open the terminal, type the following command:

cryptsetup luksClose luks_sdb1

3. Reboot the system.

3.2.7 Step 7: Open the LUKS partition with the TPM-stored key

In the following procedure, you will open the LUKS partition with the TPM-stored key and mount the LUKS partition.

Procedure

1. Decrypt the TPM-stored key file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_luks_passphrase.key -o /tpm_test/luks.key


2. Open the LUKS partition with the key file.

Open the terminal, type the following command:

cryptsetup luksOpen /dev/sdb1 luks_sdb1 -d /tpm_test/luks.key

3. Mount the LUKS partition.

Open the terminal, type the following command:

mount /dev/mapper/luks_sdb1 /mnt/luks_sdb1/

4. Operate the LUKS partition.

Open the terminal, type the following command:

ls /mnt/luks_sdb1/


5. View the file on the LUKS partition.
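Steps 1 to 3 above as one operation that does not leave the unsealed passphrase in a disk-backed file such as /tpm_test/luks.key, added here as an example and not the manual's own script; it uses the manual's device, mapping name, mount point and cryptsetup -d invocation, and assumes KEY_TMPDIR (default /dev/shm) is a RAM-backed tmpfs:

```shell
#!/bin/sh
# Added example for section 3.2.7 (not the manual's own script): open the LUKS
# volume with the TPM-sealed passphrase without leaving the plaintext key on
# disk. The manual unseals to /tpm_test/luks.key, a disk-backed path that section
# 3.2.1 itself calls unsafe; here the key is unsealed into a RAM-backed directory
# (KEY_TMPDIR, assumed to be tmpfs such as /dev/shm) as a 0600 file, passed to
# cryptsetup with -d exactly as in the manual, and overwritten and removed even
# when cryptsetup fails. Device, mapping name and mount point are the manual's.

KEY_TMPDIR="${KEY_TMPDIR:-/dev/shm}"

# unseal_to_ram SEALED: unseal into a fresh private file and print its path.
unseal_to_ram() {
    umask 077
    keyfile=$(mktemp "$KEY_TMPDIR/luks.XXXXXX") || return 1
    if ! tpm_unsealdata -i "$1" -o "$keyfile"; then
        rm -f "$keyfile"
        return 1
    fi
    printf '%s\n' "$keyfile"
}

# scrub FILE: overwrite and delete a key file (shred may be absent on minimal
# systems, so fall back to zero-filling it before unlinking).
scrub() {
    [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        dd if=/dev/zero of="$1" bs=1 count="$(wc -c < "$1" | tr -d ' ')" conv=notrunc 2>/dev/null
        rm -f "$1"
    fi
}

# open_sealed_luks SEALED DEVICE MAPNAME MOUNTPOINT
# Manual steps 1-3 of section 3.2.7 as one operation. Returns cryptsetup's
# status on failure; the plaintext key never outlives this function.
open_sealed_luks() {
    sealed="$1"; dev="$2"; name="$3"; mnt="$4"
    key=$(unseal_to_ram "$sealed") || return 1
    rc=0
    cryptsetup luksOpen "$dev" "$name" -d "$key" || rc=$?
    scrub "$key"
    [ "$rc" -eq 0 ] || return "$rc"
    mount "/dev/mapper/$name" "$mnt"
}

# close_sealed_luks MAPNAME MOUNTPOINT: section 3.2.6 (unmount, then close).
close_sealed_luks() {
    umount "$2" && cryptsetup luksClose "$1"
}
```

Usage on the manual's setup: open_sealed_luks /tpm_sealed/tpm_luks_passphrase.key /dev/sdb1 luks_sdb1 /mnt/luks_sdb1 (run as root).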


3.3 Encrypting File System (Directory) with a TPM-stored key

This section shows how to encrypt a directory with a TPM-stored key.

Encrypting File System (EFS) is a feature that you can use to store information on your hard disk in an encrypted format.

In the following examples,

The /secret directory will be encrypted.

The encrypted key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.

3.3.1 Step 1: Create the TPM-stored passphrase password key file

This step creates a passphrase password key file that is used to mount the encrypted file system. The passphrase password key file will be encrypted and stored in the TPM.

In the following procedure, you will create a passphrase password key file “/tpm_test/tpm_ecryptfs_key” and encrypt the key file.

Procedure

1. Create the key file /tpm_test/tpm_ecryptfs_key.

Open the terminal, type the following command:

echo "passphrase_passwd=password" >> /tpm_test/tpm_ecryptfs_key

Note:


Where passphrase password key filet contains the contents

"passphrase_passwd=[passphrase]".

2. Protect the key file with TPM

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_ecryptfs_key -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_ecryptfs_key.key

The encrypted key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.

3.3.2 Step 2: Mount the EFS

In the following procedure, you will mount EFS on /secret with a passphrase contained in a file.

Procedure

1. Create a directory.

Open the terminal, type the following command:

mkdir /secret

2. Mount EFS on /secret with a passphrase password key file.

Open the terminal, type the following command:

mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/tpm_ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache

3.3.3 Step 3: Manage the mounted EFS

In the following procedure, you will create and read a file on the EFS mounted on /secret.

Procedure

1. Create a file on /secret.

Open the terminal, type the following command:

echo "This is a test for ecryptfs." >> /secret/ecrytpfs_test.txt

2. List the /secret directory contents.

Open the terminal, type the following command:

ls /secret

3. View the file content.

Open the terminal, type the following command:

cat /secret/ecrytpfs_test.txt

3.3.4 Step 4: Unmount the EFS

In the following procedure, you will unmount the EFS.

Procedure

1. Unmount the EFS.

Open the terminal, type the following command:

umount /secret

2. List the /secret directory contents.

Open the terminal, type the following command:

ls /secret/

You can see the filename is encrypted.

3. View the file content.

Open the terminal, type the following command:

cat /secret/ecrytpfs_test.txt

You can see the file content is encrypted.

4. Reboot the system.

3.3.5 Step 5: Mount the EFS with TPM-stored key

In the following procedure, you will mount the EFS on /secret with a TPM-stored key file.

Procedure

1. Decrypt the TPM-stored key file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_ecryptfs_key.key -o /tpm_test/ecryptfs_key

2. Mount EFS on /secret with a passphrase password key file.

Open the terminal, type the following command. The ecryptfs_fnek_sig value must be the filename encryption key signature that mount.ecryptfs reported for this directory at the first mount; the value below is the one from this example:

mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache -o ecryptfs_fnek_sig=633937dbcf1fef34

3. View the file content.

Open the terminal, type the following command:

cat /secret/ecrytpfs_test.txt

You can see the file name and the file content are decrypted.

4 Using the TPM 1.2 in Ubuntu 15.04

This section shows some examples of using the TPM 1.2 in Ubuntu 15.04.

1). Protect a file. For detailed information, see Protect File.

2). Encrypt a volume with a TPM-stored key. For detailed information, see Data Volume Encryption with a TPM-stored key.

3). Encrypt a directory with a TPM-stored key. For detailed information, see Encrypting File System (Directory) with a TPM-stored key.

4.1 Protect File

This section shows how to use the TPM to protect a file.

In the following examples,

The data file to be protected is /tpm_test/tpm_protect_file.

The encrypted data is stored in /tpm_sealed/tpm_protect_file.key.

Caution!

The encrypted data can later be decrypted only with the TPM on the local platform!

4.1.1 Step 1: Encrypting the Data File

In the following procedure, you will encrypt the “/tpm_test/tpm_protect_file” data file.

Procedure

1. View the “/tpm_test/tpm_protect_file” file content.

2. Print the SHA256 (256-bit) checksum.

Open the terminal, type the following command:

sha256sum /tpm_test/tpm_protect_file

The command prints:

681ea91e8a6ee18e892b8d3df28a4745df9d15016647bab8b3542f8293f74c07  /tpm_test/tpm_protect_file

3. Encrypt the “/tpm_test/tpm_protect_file” file.

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_protect_file -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_protect_file.key

Note:

The “/tpm_test/tpm_protect_file” file is the data file to be encrypted.

The sealed data is bound to PCRs 4, 8, 12 and 14: the TPM will only unseal it while those PCRs hold the same values they had at sealing time.

The “/tpm_sealed/tpm_protect_file.key” is a single encrypted file that contains three sections: the encrypted data, the wrapped AES key, and the wrapped RSA key blob from the TPM.
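A sealed key file can be checked for structural damage (for example after copying it to a backup) without any TPM access, since the three sections are base64 text between fixed markers; the same envelope is produced for the ecryptfs and LUKS key files in sections 4.2 and 4.3. The shell function below is an added example, not part of this Advantech manual or of tpm-tools; it assumes the markers -----BEGIN TSS-----, -----TSS KEY-----, -----ENC KEY-----, -----ENC DAT----- and -----END TSS----- that tpm-tools writes to my knowledge, so compare them with a real /tpm_sealed/*.key first, and the sample file it builds is constructed filler, not real TPM output.

```shell
#!/bin/sh
# Added example, not from the Advantech manual or from tpm-tools: inspect the
# envelope that tpm_sealdata writes, without any TPM access. The markers are
# the ones tpm-tools uses to my knowledge; compare them with a real
# /tpm_sealed/*.key before relying on this check.

# tss_inspect FILE: print one summary line, return 1 if the envelope is broken.
tss_inspect() {
    awk '
        NR == 1 { if ($0 != "-----BEGIN TSS-----") { bad = "missing BEGIN TSS header"; exit 1 }; next }
        $0 == "-----TSS KEY-----" { sec = "tsskey"; next }   # SRK-wrapped RSA key blob
        $0 == "-----ENC KEY-----" { sec = "enckey"; next }   # AES key sealed to the PCRs
        $0 == "-----ENC DAT-----" { sec = "encdat"; next }   # data encrypted with that AES key
        $0 == "-----END TSS-----" { seen_end = 1; sec = ""; next }
        sec == "enckey" && $1 == "Symmetric" { cipher = $3; next }
        sec == "" { bad = "text outside a section at line " NR; exit 1 }
        $0 !~ "^[A-Za-z0-9+/=]+$" { bad = "non-base64 line in " sec; exit 1 }
        { lines[sec]++ }
        END {
            if (bad != "") { print "ERROR: " bad; exit 1 }
            if (!seen_end) { print "ERROR: missing END TSS footer"; exit 1 }
            if (!(lines["tsskey"] && lines["enckey"] && lines["encdat"])) {
                print "ERROR: a section is empty"; exit 1
            }
            printf "tsskey_lines=%d enckey_lines=%d encdat_lines=%d cipher=%s\n",
                lines["tsskey"], lines["enckey"], lines["encdat"], cipher
        }
    ' "$1"
}

# write_sample_sealed FILE: constructed stand-in with the same layout; the
# base64 is filler, not real TPM output.
write_sample_sealed() {
    printf '%s\n' \
        '-----BEGIN TSS-----' \
        '-----TSS KEY-----' \
        'AQEAAAAQAAAEAAEAAQAAAAAAAAABAAMAAQAAAAwAAAgAAAAAAgAAAAAAAAAAAAAB' \
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==' \
        '-----ENC KEY-----' \
        'Symmetric Key: AES-256-CBC' \
        'Zm9vYmFyYmF6cXV4c2VhbGVka2V5YmxvYg==' \
        '-----ENC DAT-----' \
        'dGhpcyBpcyBub3QgcmVhbCBjaXBoZXJ0ZXh0' \
        'anVzdCBjb25zdHJ1Y3RlZCBmaWxsZXI=' \
        '-----END TSS-----' > "$1"
}

# Demo on a constructed file; on the ECU-4784 point tss_inspect at
# /tpm_sealed/tpm_protect_file.key instead.
sample=$(mktemp)
write_sample_sealed "$sample"
tss_inspect "$sample"
rm -f "$sample"
```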

4.1.2 Step 2: Edit the Data File

Now, you can modify or delete the data file.

Here, we delete the “/tpm_test/tpm_protect_file” file.

Open the terminal, type the following command:

sudo rm -f /tpm_test/tpm_protect_file

4.1.3 Step 3: Decrypting the Data File

In the following procedure, you will decrypt the TPM protected file.

Procedure

1. Decrypt the file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_protect_file

2. View the “/tpm_test/tpm_protect_file” file content.

The file content of the new “/tpm_test/tpm_protect_file” file is identical to the old “/tpm_test/tpm_protect_file” file.

3. Print the SHA256 (256-bit) checksum.

Open the terminal, type the following command:

sha256sum /tpm_test/tpm_protect_file

The command prints:

681ea91e8a6ee18e892b8d3df28a4745df9d15016647bab8b3542f8293f74c07  /tpm_test/tpm_protect_file

The checksum of the new “/tpm_test/tpm_protect_file” file is identical to the old “/tpm_test/tpm_protect_file” file.

4.1.4 Step 4: Decrypting the Data File on another Platform

Now, try to decrypt the file on another platform.

In the following example, we copy the “tpm_protect_file.key” file to another platform running RHEL 6.5. Here, we copy the “/tpm_sealed/tpm_protect_file.key” file to “/ubuntu/tpm_sealed/tpm_protect_file.key”.

On RHEL 6.5, try to decrypt the file.

Open the terminal, run the following command and enter the SRK password:

tpm_unsealdata -i /ubuntu/tpm_sealed/tpm_protect_file.key -o /ubuntu/tpm_protect_file

It shows “Unable to write output file”.

So, we cannot decrypt the file on another platform: the wrapped RSA key blob inside the sealed file can only be loaded by the TPM whose SRK wrapped it.

4.2 Data Volume Encryption with a TPM-stored key

This section shows how to encrypt a data volume with a TPM-stored key.

In the following examples, /dev/sdb3 represents the device node and luks_sdb3 represents the mapping name assigned to the node.

The encrypted key file is stored in /tpm_sealed/tpm_luks_passphrase.key.

Caution!

This procedure will wipe all data on the hard drive. Ensure all backups are completed before proceeding.

4.2.1 Step 1: Create the TPM-stored key file (Passphrase file)

The plain passphrase is sensitive information, so it is unsafe to save it to a disk-backed location.

This step creates a passphrase file that is used to mount the encrypted file system. The passphrase file will be encrypted (sealed) with the TPM.

In the following procedure, you will create a key file “/tpm_test/tpm_luks_passphrase” and encrypt the key file.

Procedure

1. Create the key file “/tpm_test/tpm_luks_passphrase”

Open the terminal, type the following command:

echo "password" >> /tpm_test/tpm_luks_passphrase

2. Protect the key file with TPM.

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_luks_passphrase -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_luks_passphrase.key

The encrypted key file is stored in /tpm_sealed/tpm_luks_passphrase.key.

4.2.2 Step 2: Create the LUKS partition

In the following procedure, you will create a LUKS partition.

Procedure

1. Create the LUKS partition.

Open the terminal, type the following command:

sudo cryptsetup luksFormat /dev/sdb3 -v -y -c aes-cbc-essiv:sha256

The end-user will be prompted to enter and verify the passphrase.

4.2.3 Step 3: Open the LUKS partition

In the following procedure, you will open the LUKS partition.

Procedure

1. Open the LUKS partition.

Open the terminal, type the following command:

sudo cryptsetup luksOpen /dev/sdb3 luks_sdb3

The end-user will be prompted to enter the passphrase.

2. Report the status of the mapping luks_sdb3.

Open the terminal, type the following command:

sudo cryptsetup status /dev/mapper/luks_sdb3

4.2.4 Step 4: Mount and use the LUKS partition

In the following procedure, you will mount and use the LUKS partition.

Procedure

1. Create a directory.

Open the terminal, type the following command:

sudo mkdir /mnt/luks_sdb3

2. Create the file system on the LUKS partition.

Open the terminal, type the following command:

sudo mkfs.ext4 /dev/mapper/luks_sdb3

3. Mount the LUKS partition.

Open the terminal, type the following command:

sudo mount /dev/mapper/luks_sdb3 /mnt/luks_sdb3/

4. Do some operations on the LUKS partition.

Open the terminal, type the following command:

sudo chmod 777 /mnt/luks_sdb3/

echo "This is a luks test." >> /mnt/luks_sdb3/luks_test.txt

4.2.5 Step 5: Add a new key file

In the following procedure, you will add the key file created in step 1 to the LUKS partition.

Procedure

1. Add the key file.

Open the terminal, type the following command:

sudo cryptsetup luksAddKey /dev/sdb3 /tpm_test/tpm_luks_passphrase

The end-user will be prompted to enter the passphrase.

2. Remove the key file from the system.

Open the terminal, type the following command:

rm -f /tpm_test/tpm_luks_passphrase

4.2.6 Step 6: Close the LUKS partition

In the following procedure, you will unmount and close the LUKS partition.

Procedure

1. Unmount the LUKS partition.

Open the terminal, type the following command:

sudo umount /mnt/luks_sdb3

2. Close the LUKS partition.

Open the terminal, type the following command:

sudo cryptsetup luksClose luks_sdb3

3. Reboot the system.

4.2.7 Step 7: Open the LUKS partition with the TPM-stored key

In the following procedure, you will open the LUKS partition with the TPM-stored key and mount the LUKS partition.

Procedure

1. Decrypt the TPM-stored key file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_luks_passphrase.key -o /tpm_test/luks.key

2. Open the LUKS partition with the key file.

Open the terminal, type the following command:

sudo cryptsetup luksOpen /dev/sdb3 luks_sdb3 -d /tpm_test/luks.key

3. Mount the LUKS partition.

Open the terminal, type the following command:

sudo mount /dev/mapper/luks_sdb3 /mnt/luks_sdb3/

4. View the file on the LUKS partition.

Open the terminal, type the following command:

ls /mnt/luks_sdb3/

cat /mnt/luks_sdb3/luks_test.txt
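Step 1 above writes the unsealed passphrase to /tpm_test/luks.key, which is the disk-backed copy that section 4.2.1 warns against. The script below is an added example, not from this Advantech manual, that keeps the passphrase in a pipe instead: it assumes that tpm_unsealdata writes to stdout when -o is omitted (prompting for the SRK password on the terminal, as in the manual) and that cryptsetup reads the key from stdin with "--key-file -", both to my knowledge documented behaviour of tpm-tools and cryptsetup; the device, mapping name and paths are the manual's example values.

```shell
#!/bin/sh
# Added example, not from the Advantech manual: open and mount a LUKS volume
# with its TPM-sealed passphrase without writing the plaintext to disk.
# Assumptions: tpm_unsealdata writes to stdout when -o is omitted and asks for
# the SRK password on the terminal; cryptsetup reads the key from stdin with
# "--key-file -". Run as root (no sudo), as the commands in section 3 are.
set -eu

# tpm_open_luks SEALED DEVICE NAME MOUNTPOINT
tpm_open_luks() {
    sealed=$1; dev=$2; name=$3; mnt=$4
    [ -r "$sealed" ] || { echo "sealed key not readable: $sealed" >&2; return 1; }

    # The passphrase travels only through the pipe: no /tpm_test/luks.key on disk.
    # The key is the whole unsealed file, trailing newline included, exactly as
    # luksAddKey consumed /tpm_test/tpm_luks_passphrase in step 5.
    # If unsealing fails (wrong SRK password, PCRs 4/8/12/14 changed), cryptsetup
    # receives an empty key and fails, so set -e aborts before the mount.
    tpm_unsealdata -i "$sealed" | cryptsetup luksOpen "$dev" "$name" --key-file -
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# tpm_close_luks NAME MOUNTPOINT: the reverse, as in section 4.2.6.
tpm_close_luks() {
    umount "$2"
    cryptsetup luksClose "$1"
}

# Entry point; does nothing without arguments so the functions can be sourced.
# Example:
#   ./tpm_luks.sh open /tpm_sealed/tpm_luks_passphrase.key /dev/sdb3 luks_sdb3 /mnt/luks_sdb3
#   ./tpm_luks.sh close luks_sdb3 /mnt/luks_sdb3
case "${1:-}" in
    open)  tpm_open_luks "$2" "$3" "$4" "$5" ;;
    close) tpm_close_luks "$2" "$3" ;;
    "")    : ;;
    *)     echo "usage: $0 open SEALED DEV NAME MNT | close NAME MNT" >&2; exit 2 ;;
esac
```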

4.3 Encrypting File System (Directory) with a TPM-stored key

This section shows how to encrypt a directory with a TPM-stored key.

In the following examples,

The /secret directory will be encrypted.

The encrypted key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.

4.3.1 Step 1: Create the TPM-stored passphrase password key file

This step creates a passphrase password key file that is used to mount the encrypted file system. The passphrase password key file will be encrypted (sealed) with the TPM.

In the following procedure, you will create a passphrase password key file “/tpm_test/tpm_ecryptfs_key” and encrypt the key file.

Procedure

1. Create the key file /tpm_test/tpm_ecryptfs_key

Open the terminal, type the following command:

echo "passphrase_passwd=password" >> /tpm_test/tpm_ecryptfs_key

Note:

The passphrase password key file contains the line "passphrase_passwd=[passphrase]".

2. Protect the key file with TPM

Open the terminal, type the following command and enter the SRK password:

tpm_sealdata -i /tpm_test/tpm_ecryptfs_key -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_ecryptfs_key.key

The encrypted key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.

4.3.2 Step 2: Mount the EFS

In the following procedure, you will mount EFS on /secret with a passphrase contained in a file.

Procedure

1. Create a directory.

Open the terminal, type the following command:

sudo mkdir /secret

2. Mount EFS on /secret with a passphrase password key file.

Open the terminal, type the following command:

sudo mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/tpm_ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache

4.3.3 Step 3: Manage the mounted EFS

In the following procedure, you will create and read a file on the EFS mounted on /secret.

Procedure

1. Change access permissions on /secret.

Open the terminal, type the following command:

sudo chmod 777 /secret

2. Create a file on /secret.

Open the terminal, type the following command:

echo "This is a test for ecryptfs." >> /secret/ecrtptfs_test.txt

3. List the /secret directory contents.

Open the terminal, type the following command:

ls /secret

4. View the file content.

Open the terminal, type the following command:

cat /secret/ecrtptfs_test.txt

4.3.4 Step 4: Unmount the EFS

In the following procedure, you will unmount the EFS.

Procedure

1. Unmount the EFS.

Open the terminal, type the following command:

sudo umount /secret

2. List the /secret directory contents.

Open the terminal, type the following command:

ls /secret/

You can see the filename is encrypted.

3. View the file content.

Open the terminal, type the following command:

cat /secret/ecrtptfs_test.txt

You can see the file content is encrypted.

4. Reboot the system.

4.3.5 Step 5: Mount the EFS with TPM-stored key

In the following procedure, you will mount the EFS on /secret with a TPM-stored key file.

Procedure

1. Decrypt the TPM-stored key file.

Open the terminal, type the following command and enter the SRK password:

tpm_unsealdata -i /tpm_sealed/tpm_ecryptfs_key.key -o /tpm_test/ecryptfs.key

2. Mount EFS on /secret with a passphrase password key file.

Open the terminal, type the following command. The ecryptfs_fnek_sig value must be the filename encryption key signature that mount.ecryptfs reported for this directory at the first mount; the value below is the one from this example:

sudo mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/ecryptfs.key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache -o ecryptfs_fnek_sig=63e4e3cfbfd842a6

3. View the file content.

Open the terminal, type the following command:

ls /secret/

cat /secret/ecrtptfs_test.txt

You can see the file name and the file content are decrypted.