Drawings and specifications herein are property of Advantech and shall not be reproduced or copied or used without prior written permission.
Using Trust Platform Module
(TPM) On Advantech
ECU-4784 in Linux
Version <0.90>
Revision History
Date Version Description Author
2017/04/06 0.90 Initial version Liu.kun
Table of Contents
Revision History
1 Introduction
1.1 Terminology
2 Getting started
2.1 System Requirements
2.1.1 Hardware Requirements
2.1.2 Software Requirements
2.2 Enable the TPM in the BIOS
2.2.1 Steps to Enable TPM in BIOS
2.2.2 Check if TPM is supported
2.3 Install TPM Packages
2.3.1 Install TPM Packages in RHEL/CentOS/Fedora
2.3.2 Install TPM Packages in Debian/Ubuntu
2.4 Start trousers Daemon
2.5 Take Ownership of the TPM
3 Using the TPM 1.2 in RHEL 6.5
3.1 Protect File
3.1.1 Step 1: Encrypting the Data File
3.1.2 Step 2: Edit the Data File
3.1.3 Step 3: Decrypting the Data File
3.1.4 Step 4: Decrypting the Data File on another Platform
3.1.5 Conclusions
3.2 Data Volume Encryption with a TPM-stored key
3.2.1 Step 1: Create the TPM-stored key file (Passphrase file)
3.2.2 Step 2: Create the LUKS partition
3.2.3 Step 3: Open the LUKS partition
3.2.4 Step 4: Mount and use the LUKS partition
3.2.5 Step 5: Add a new key file
3.2.6 Step 6: Close the LUKS partition
3.2.7 Step 7: Open the LUKS partition with the TPM-stored key
3.3 Encrypting File System (Directory) with a TPM-stored key
3.3.1 Step 1: Create the TPM-stored passphrase key file
3.3.2 Step 2: Mount the EFS
3.3.3 Step 3: Managing the mounted EFS
3.3.4 Step 4: Unmount the EFS
3.3.5 Step 5: Mount the EFS with TPM-stored key
4 Using the TPM 1.2 in Ubuntu 15.04
4.1 Protect File
4.1.1 Step 1: Encrypting the Data File
4.1.2 Step 2: Edit the Data File
4.1.3 Step 3: Decrypting the Data File
4.1.4 Step 4: Decrypting the Data File on another Platform
4.2 Data Volume Encryption with a TPM-stored key
4.2.1 Step 1: Create the TPM-stored key file (Passphrase file)
4.2.2 Step 2: Create the LUKS partition
4.2.3 Step 3: Open the LUKS partition
4.2.4 Step 4: Mount and use the LUKS partition
4.2.5 Step 5: Add a new key file
4.2.6 Step 6: Close the LUKS partition
4.2.7 Step 7: Open the LUKS partition with the TPM-stored key
4.3 Encrypting File System (Directory) with a TPM-stored key
4.3.1 Step 1: Create the TPM-stored passphrase key file
4.3.2 Step 2: Mount the EFS
4.3.3 Step 3: Managing the mounted EFS
4.3.4 Step 4: Unmount the EFS
4.3.5 Step 5: Mount the EFS with TPM-stored key
1 Introduction
TPM stands for Trusted Platform Module, a secure cryptoprocessor that stores cryptographic keys
which are in turn used to protect other keys and data.
Keep in mind that the TPM does not itself encrypt or decrypt the data on the hard drive; it is
hardware that holds the secret keys, and software uses those keys to do the bulk encryption and
decryption on the fly.
This document contains information that helps users get started with TPM 1.2 in Linux.
When you have completed this tutorial, you will know how to:
Configure the hardware to enable the TPM.
Check whether the system has recognized the platform's TPM.
Install the TPM packages.
Take ownership of the TPM.
Use the TPM 1.2 in RHEL 6.5 (kernel 2.6.32):
1) Protect a file
2) Data volume encryption with a TPM-stored key
3) Encrypting File System (directory) with a TPM-stored key
Use the TPM 1.2 in Ubuntu 15.04 (kernel 3.19.0):
1) Protect a file
2) Data volume encryption with a TPM-stored key
3) Encrypting File System (directory) with a TPM-stored key
1.1 Terminology
Term Description
BIOS Basic Input-Output System
TPM Trusted Platform Module
PCR Platform Configuration Registers
SRK Storage Root Key
LUKS Linux Unified Key Setup
EFS Encrypting File System (in this document: the eCryptfs stacked file system)
2 Getting started
Using the TPM takes four steps:
1). Turn on the TPM in the BIOS. For more information, see Enable the TPM in the BIOS.
2). Install the TPM utilities. For more information, see Install TPM Packages.
3). Start the TSS daemon and take ownership of the TPM. For more information, see Start trousers
Daemon and Take Ownership of the TPM.
4). Use the TPM for a specific need. For more information, see Using the TPM 1.2 in RHEL 6.5
and Using the TPM 1.2 in Ubuntu 15.04.
2.1 System Requirements
This section includes the hardware and software requirements for TPM.
2.1.1 Hardware Requirements
The hardware requirements for TPM are:
Motherboard:
Equipped with a Trusted Platform Module (TPM) microchip, version 1.2.
A computer that meets the minimum requirements for running Linux kernel version
2.6.19 or higher.
Here, we use ECU-4784 device (which ships with Infineon SLB 9635 TT 1.2 Trusted
Platform Module).
2.1.2 Software Requirements
The software requirements for TPM are:
Operating Systems:
A computer running Linux kernel version 2.6.19 or higher.
Here, we use RHEL 6.5 x64 English version (kernel 2.6.32) and Ubuntu 15.04
desktop x64 English version (kernel 3.19.0).
Tools:
trousers.
tpm-tools.
ecryptfs-utils.
cryptsetup-luks in RHEL/CentOS/Fedora.
cryptsetup in Debian/Ubuntu.
2.2 Enable the TPM in the BIOS
Before doing anything, we should first enable the TPM in BIOS.
2.2.1 Steps to Enable TPM in BIOS
During power up, the platform first displays the BIOS startup screen, and then the BIOS
Extensions are processed.
Perform the following steps to enable the TPM in BIOS:
1. Press the "Delete" key to access to the BIOS.
2. Press the Right arrow key to move to the "Advanced" menu in the BIOS.
3. Press the Down arrow key to highlight the "Trusted Computing" item.
4. Press the "Enter" key to enter the security device configuration item, which houses the
security device control.
5. Press the Down arrow key to highlight "Security Device Support". Press the "Enter" key
to open the security device support setting.
A. To enable TPM device support, ensure that the setting is "Enable".
B. To disable TPM device support, ensure that the setting is "Disable".
Here, we select "Enable" to enable TPM device support.
6. Press the "F4" key to save the BIOS changes and exit the BIOS. Select "Yes" if prompted for
confirmation. This will also exit the BIOS and automatically restart the computer.
7. Repeat steps 1 to 4 to re-enter the security device configuration item. The "TPM State"
item only becomes available after the restart in step 6.
8. Press the Down arrow key to highlight "TPM State".
A. To enable the TPM, ensure that the setting is "Enabled".
B. To disable the TPM, ensure that the setting is "Disabled".
Here, we select "Enabled" to enable the TPM.
9. Press the "F4" key to save the BIOS changes and exit the BIOS. Select "Yes" if prompted for
confirmation. This also exits the BIOS and automatically restarts the computer.
2.2.2 Check if TPM is supported
We have seen how to enable the TPM in the BIOS. Next, check that the kernel's TPM driver has
recognized the device.
To check whether the TPM is recognized:
Open a terminal and type dmesg | grep -i tpm.
The TPM driver prints a message such as
[ 0.712763] tpm_tis 00:08: 1.2 TPM (device-id 0xB, rev-id 16)
Figure: Check TPM in RHEL 6.5
Figure: Check TPM in Ubuntu 15.04
If dmesg | grep -i tpm prints no message about a TPM being initialized, the kernel has not
recognized a TPM; go back to the BIOS settings above. A recognized TPM also appears as the
character device /dev/tpm0.
2.3 Install TPM Packages
You need to install the following packages.
trousers: an open-source implementation of the TCG Software Stack (TSS); it provides the tcsd
daemon through which all TPM commands pass.
tpm-tools: commands that let the platform administrator manage and diagnose the platform's TPM
(tpm_version, tpm_takeownership, tpm_sealdata, tpm_unsealdata, ...).
ecryptfs-utils: utilities for the eCryptfs cryptographic file system.
cryptsetup: a utility to set up disk encryption with LUKS.
2.3.1 Install TPM Packages in RHEL/CentOS/Fedora
RHEL/CentOS/Fedora users can use either the yum or the rpm command to install the packages.
Using the yum command
Open the terminal, and type the following yum command:
yum install trousers tpm-tools ecryptfs-utils cryptsetup-luks
Using the rpm command
Open the terminal, and type the following rpm commands (paths refer to the Packages directory of
the installation media):
rpm -ivh /Packages/trousers-0.3.4-4.el6.x86_64.rpm
rpm -ivh /Packages/tpm-tools-1.3.4-2.el6.x86_64.rpm
rpm -ivh /Packages/cryptsetup-luks-libs-1.2.0-7.el6.x86_64.rpm
rpm -ivh /Packages/cryptsetup-luks-1.2.0-7.el6.x86_64.rpm
rpm -ivh /Packages/ecryptfs-utils-82-6.el6_1.3.x86_64.rpm
2.3.2 Install TPM Packages in Debian/Ubuntu
Debian/Ubuntu users type the following apt-get commands:
sudo apt-get update
sudo apt-get install trousers tpm-tools ecryptfs-utils cryptsetup
2.4 Start trousers Daemon
Check trousers daemon:
When installed, the trousers package provides a daemon that is used for TPM communication.
First we need to check whether the daemon is running with the command:
service tcsd status
Figure: Check tcsd in RHEL 6.5
Start trousers daemon:
We can see that the tcsd daemon is stopped, which is why we need to start it. We can start the
tcsd daemon with the command:
service tcsd start
Figure: Start tcsd in RHEL 6.5
The trousers daemon (tcsd) was successfully started.
Check TPM version:
To check whether TPM is accessible we can run the tpm_version command:
Figure: TPM Version in RHEL 6.5
The tpm_version reports the system’s TPM version and manufacturer information.
2.5 Take Ownership of the TPM
Once the TPM is enabled in the BIOS, we must also take ownership of it before it can protect
our data.
Taking ownership sets the owner password, which ensures that only the authorized administrator
can manage the TPM, and creates the Storage Root Key (SRK) under which all later keys are
loaded. The TPM is shipped in the un-owned state.
To take ownership run:
tpm_takeownership -u
Figure: Take Ownership of the TPM in RHEL 6.5
Figure: Take Ownership of the TPM in Ubuntu 15.04
The -u (--unicode) option makes tpm-tools encode the passwords in TSS Unicode form. Keep using it
in the later tpm_sealdata commands, as this document does, so that the same secrets are derived.
We are asked for two passwords.
The first password is the Owner (administration) password. This is a new password that restricts
TPM management to the owner. Enter the Owner password and then confirm it.
The second password is the SRK (Storage Root Key) password, which is needed whenever a key is
loaded into the TPM. This is the password that most TPM operations use.
Caution! Leave the SRK password empty: just press ENTER at both SRK prompts. An empty SRK
password corresponds to the TSS well-known secret (20 zero bytes), the same value that the -z
options of tpm_takeownership and tpm_unsealdata select explicitly, and it is what lets the
sealing and unsealing commands in the following sections run by pressing ENTER at the SRK prompt.
The trade-off is that any local process that can talk to tcsd can load keys under the SRK, so
the protection of sealed data rests on the PCR binding and on physical possession of this TPM,
not on the SRK secret.
Taking ownership usually takes a few seconds after the passwords are entered. No output is printed
on success; errors are reported.
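The checks of sections 2.2.2, 2.4 and 2.5 can be scripted. The following shell script is an added example written for this page, not part of the Advantech document: it parses the kernel's TPM probe line, reads the TPM 1.2 sysfs attributes enabled, active and owned (the sysfs paths it tries are assumptions covering the 2.6.32 and 3.19 kernel layouts), confirms tcsd is running and reachable through tpm_version, and reports whether ownership has been taken.

```shell
#!/bin/sh
# Added example, not part of the Advantech document: pre-flight checks for the
# TPM 1.2 setup described in chapter 2. It stops at the first failing step and
# says which BIOS or service step to revisit. The sysfs locations below are
# assumptions covering the 2.6.32 (RHEL 6.5) and 3.19 (Ubuntu 15.04) layouts.

# Extract the TPM family version ("1.2") from the driver's probe message, e.g.
#   [    0.712763] tpm_tis 00:08: 1.2 TPM (device-id 0xB, rev-id 16)
# Accepts one or more dmesg lines; prints nothing and returns 1 on no match.
parse_tpm_dmesg() {
    printf '%s\n' "$1" \
        | sed -n 's/.*tpm_[a-z]*.*: \([0-9]\.[0-9]\) TPM.*/\1/p' \
        | head -n 1 | grep .
}

# Locate the TPM 1.2 sysfs directory that carries the enabled/active/owned
# attributes (assumed paths for old and new kernels).
tpm_sysfs_dir() {
    for d in /sys/class/misc/tpm0/device /sys/class/tpm/tpm0/device /sys/class/tpm/tpm0; do
        if [ -r "$d/owned" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Read a one-line sysfs attribute ("0" or "1") with whitespace stripped.
sysfs_flag() {  # $1 = sysfs dir, $2 = attribute name
    tr -d '[:space:]' < "$1/$2"
}

tcsd_running() {
    pgrep -x tcsd >/dev/null 2>&1
}

preflight() {
    ver=$(parse_tpm_dmesg "$(dmesg 2>/dev/null | grep -i tpm)") || {
        echo "FAIL: kernel did not probe a TPM; check Security Device Support and TPM State in the BIOS"
        return 1
    }
    echo "OK: kernel found a TPM $ver"
    dir=$(tpm_sysfs_dir) || { echo "FAIL: no TPM sysfs node found"; return 1; }
    for a in enabled active owned; do
        echo "  $a=$(sysfs_flag "$dir" "$a")"
    done
    if [ "$(sysfs_flag "$dir" enabled)" != 1 ] || [ "$(sysfs_flag "$dir" active)" != 1 ]; then
        echo "FAIL: TPM is disabled or deactivated; set TPM State to Enabled in the BIOS"
        return 1
    fi
    tcsd_running || { echo "FAIL: tcsd is not running (service tcsd start)"; return 1; }
    tpm_version >/dev/null 2>&1 || { echo "FAIL: tpm_version cannot reach the TPM through tcsd"; return 1; }
    if [ "$(sysfs_flag "$dir" owned)" = 1 ]; then
        echo "OK: TPM is owned; sealing commands can be used"
    else
        echo "NOTE: TPM is not owned yet; run tpm_takeownership -u"
    fi
}

# Run the checks only when invoked as a script with --run, so the functions
# can also be sourced from other scripts.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as root (sh tpm_preflight.sh --run) after each BIOS change; dmesg and the sysfs attributes need no TSS, so the script also distinguishes a BIOS problem from a tcsd problem.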
3 Using the TPM 1.2 in RHEL 6.5
This section shows some examples of using the TPM 1.2 in RHEL 6.5.
1). Protect a file. For detailed information, see Protect File.
2). Encrypt a volume with a TPM-stored key. For detailed information, see Data Volume
Encryption with a TPM-stored key.
3). Encrypt a directory with a TPM-stored key. For detailed information, see Encrypting File
System (Directory) with a TPM-stored key.
3.1 Protect File
This section shows how to use the TPM to protect a file by sealing it.
In the following examples,
The data file to be protected is /tpm_test/tpm_protect_file.
The sealed data is stored in /tpm_sealed/tpm_protect_file.key.
Caution!
Sealed data can only be unsealed by the TPM of the platform that sealed it, and only while the
selected PCRs hold the values they had at sealing time. Keep a backup of the plaintext in a safe
place before deleting it.
3.1.1 Step 1: Encrypting the Data File
In the following procedure, you will seal the "/tpm_test/tpm_protect_file" data file.
Procedure
1. View the "/tpm_test/tpm_protect_file" file content.
2. Print the SHA-256 checksum.
Open the terminal, type the following command:
sha256sum /tpm_test/tpm_protect_file
The command prints:
e0ae1eb10ccc4232f27ea68e73aa4263bfe6be5b3ea282cab3ba6e5ef5ddf1b3 /tpm_test/tpm_protect_file
3. Seal the "/tpm_test/tpm_protect_file" file.
Open the terminal, type the following command and press ENTER at the SRK password prompt (the
SRK password was left empty when taking ownership):
tpm_sealdata -i /tpm_test/tpm_protect_file -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_protect_file.key
Note:
The "/tpm_test/tpm_protect_file" file is the data file to be sealed.
Each -p option binds the sealed data to a PCR, here PCRs 4, 8, 12 and 14. The TPM records the
current values of these registers in the blob and will only unseal it while they hold the same
values. If the measured boot components that extend them change (for example a BIOS or boot
loader update), the blob can no longer be unsealed and the data must be re-sealed from a backup.
The "/tpm_sealed/tpm_protect_file.key" file is a single text blob that contains three
sections: the encrypted data, the wrapped AES key, and the wrapped RSA key blob from the
TPM.
3.1.2 Step 2: Edit the Data File
Now you can modify or delete the data file.
Here, we delete the "/tpm_test/tpm_protect_file" file.
Open the terminal, type the following command:
rm -f /tpm_test/tpm_protect_file
3.1.3 Step 3: Decrypting the Data File
In the following procedure, you will decrypt the TPM protected file.
Procedure
1. Unseal the file.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_unprotect_file
2. View the "/tpm_test/tpm_unprotect_file" file content.
The content of "/tpm_test/tpm_unprotect_file" is identical to that of the old
"/tpm_test/tpm_protect_file" file.
3. Print the SHA-256 checksum.
Open the terminal, type the following command:
sha256sum /tpm_test/tpm_unprotect_file
The command prints:
e0ae1eb10ccc4232f27ea68e73aa4263bfe6be5b3ea282cab3ba6e5ef5ddf1b3 /tpm_test/tpm_unprotect_file
The checksum of "/tpm_test/tpm_unprotect_file" matches that of the old
"/tpm_test/tpm_protect_file" file, which confirms the round trip.
3.1.4 Step 4: Decrypting the Data File on another Platform
Now, try to unseal the file on another platform.
In the following example,
we copy the "tpm_protect_file.key" file to another platform running Ubuntu 15.04: the file
"/tpm_sealed/tpm_protect_file.key" is copied to "/tpm_test/tpm_sealed/tpm_protect_file.key".
On Ubuntu 15.04, try to unseal the file.
Open the terminal, run the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /tpm_test/tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_sealed/tpm_protect_file
It shows "Unable to write output file".
So the file cannot be unsealed on another platform: the blob is wrapped by the first machine's
SRK and bound to its PCR values, and the second machine's TPM holds a different SRK.
3.1.5 Conclusions
The data can only be unsealed under the same conditions as those in which it was sealed: same
TPM, same SRK and same values in the selected PCRs.
You can extend this method to protect passwords, keys, software licenses, etc.
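A scripted version of the seal, verify and unseal round trip of sections 3.1.1 to 3.1.3, added here as an example and not taken from the Advantech document: it validates the PCR list before calling tpm_sealdata, checks that the resulting blob carries the section markers that correspond to the three sections described in the Note above (the exact marker strings are the ones the editor understands tpm_sealdata to write and should be treated as an assumption), and unseals into a temporary file to confirm the SHA-256 digest matches before the plaintext is deleted. Only seal_and_verify needs a TPM and the tcsd setup of chapter 2; the helpers run anywhere.

```shell
#!/bin/sh
# Added example, not part of the Advantech document: the seal / unseal round
# trip of section 3.1 with checks around it. pcr_args, same_digest and
# blob_sections_ok run without a TPM; seal_and_verify needs tcsd and an owned
# TPM as set up in chapter 2. The blob markers are the ones tpm_sealdata is
# understood to write and should be treated as an assumption.

# Build "-p N -p M ..." from a list of PCR indices. TPM 1.2 has PCRs 0..23;
# anything else is rejected so a typo cannot silently seal to the wrong PCR.
pcr_args() {
    out=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "pcr_args: not a PCR index: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -gt 23 ]; then
            echo "pcr_args: PCR index out of range: $p" >&2
            return 1
        fi
        out="$out${out:+ }-p $p"
    done
    printf '%s\n' "$out"
}

# True when two files have the same SHA-256 digest (the check made by hand in
# steps 2 and 3 of the procedure).
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    b=$(sha256sum "$2" | cut -d' ' -f1) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Structural check of a sealed blob: the BEGIN/END TSS wrapper plus the three
# inner sections (wrapped RSA key blob, wrapped symmetric key, encrypted data).
blob_sections_ok() {
    for m in '-----BEGIN TSS-----' '-----TSS KEY-----' '-----ENC KEY-----' \
             '-----ENC DAT-----' '-----END TSS-----'; do
        grep -qF -- "$m" "$1" || return 1
    done
}

# Seal $1 into $2 bound to the given PCRs, then prove the blob unseals back to
# identical data before the plaintext is deleted (section 3.1.2).
seal_and_verify() {  # $1 = plaintext file, $2 = sealed blob, $3.. = PCR indices
    src=$1; blob=$2; shift 2
    pcrs=$(pcr_args "$@") || return 1
    # $pcrs is meant to split into separate -p options
    tpm_sealdata -i "$src" -u $pcrs -o "$blob" || return 1
    blob_sections_ok "$blob" || { echo "sealed blob is malformed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    tpm_unsealdata -i "$blob" -o "$tmp" && same_digest "$src" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the document's paths:
#   seal_and_verify /tpm_test/tpm_protect_file /tpm_sealed/tpm_protect_file.key 4 8 12 14
```

Delete the plaintext only when seal_and_verify returns 0; a PCR typo or a malformed blob is caught before the original is gone.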
3.2 Data Volume Encryption with a TPM-stored key
This section shows how to encrypt a data volume with a key that is kept sealed by the TPM.
In the following examples, /dev/sdb1 represents the device node and luks_sdb1 the mapping
name assigned to it.
The sealed key file is stored in /tpm_sealed/tpm_luks_passphrase.key.
Caution!
This procedure destroys all data on /dev/sdb1. Ensure all backups are complete before
proceeding.
3.2.1 Step 1: Create the TPM-stored key file (Passphrase file)
The plain passphrase is sensitive information, so it should not stay on a disk-backed location.
This step creates a passphrase file that will later unlock the encrypted volume, seals it with
the TPM and stores the sealed blob on disk; the plaintext copy is removed again in Step 5.
The value "passphrase" below is only a placeholder; use a long random passphrase in practice.
Note that rm on a disk-backed file system does not overwrite the data, so either write the
plaintext file to a RAM-backed location such as /dev/shm or remove it with shred -u.
In the following procedure, you will create the key file "/tpm_test/tpm_luks_passphrase" and
seal it.
Procedure
1. Create the key file "/tpm_test/tpm_luks_passphrase".
Open the terminal, type the following command:
echo "passphrase" > /tpm_test/tpm_luks_passphrase
2. Protect the key file with the TPM.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_sealdata -i /tpm_test/tpm_luks_passphrase -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_luks_passphrase.key
The sealed key file is stored in /tpm_sealed/tpm_luks_passphrase.key.
3.2.2 Step 2: Create the LUKS partition
In the following procedure, you will create a LUKS partition.
Procedure
1. Create the LUKS partition.
Open the terminal, type the following command:
cryptsetup luksFormat /dev/sdb1 -v -y -c aes-cbc-essiv:sha256
You will be prompted to enter and verify the passphrase.
Note: aes-cbc-essiv:sha256 is the legacy cryptsetup default (up to version 1.5); current
versions default to aes-xts-plain64, which is preferred for new volumes.
3.2.3 Step 3: Open the LUKS partition
In the following procedure, you will open the LUKS partition.
Procedure
1. Open the LUKS partition.
Open the terminal, type the following command:
cryptsetup luksOpen /dev/sdb1 luks_sdb1
You will be prompted to enter the passphrase.
2. Report the status of the mapping luks_sdb1.
Open the terminal, type the following command:
cryptsetup status /dev/mapper/luks_sdb1
3.2.4 Step 4: Mount and use the LUKS partition
In the following procedure, you will mount and use the LUKS partition.
Procedure
1. Create a directory.
Open the terminal, type the following command:
mkdir /mnt/luks_sdb1
2. Create the file system on the LUKS partition.
Open the terminal, type the following command:
mkfs.ext4 /dev/mapper/luks_sdb1
3. Mount the LUKS partition.
Open the terminal, type the following command:
mount /dev/mapper/luks_sdb1 /mnt/luks_sdb1/
4. Write a test file to the LUKS partition.
Open the terminal, type the following commands:
echo "This is a luks test." >> /mnt/luks_sdb1/luks_test.txt
ls /mnt/luks_sdb1/
3.2.5 Step 5: Add a new key file
In the following procedure, you will add the key file created in Step 1 as a second key of the
LUKS partition.
Procedure
1. Add the key file.
Open the terminal, type the following command:
cryptsetup luksAddKey /dev/sdb1 /tpm_test/tpm_luks_passphrase
You will be prompted for the existing passphrase. The volume can now be opened with either the
passphrase or the key file; cryptsetup luksDump /dev/sdb1 lists the occupied key slots.
2. Remove the plaintext key file from the system.
Open the terminal, type the following command:
rm -f /tpm_test/tpm_luks_passphrase
(Use shred -u instead when the file is on a disk-backed file system, since rm does not overwrite
the data.)
3.2.6 Step 6: Close the LUKS partition
In the following procedure, you will unmount and close the LUKS partition.
Procedure
1. Unmount the LUKS partition.
Open the terminal, type the following command:
umount /mnt/luks_sdb1/
2. Close the LUKS partition.
Open the terminal, type the following command:
cryptsetup luksClose luks_sdb1
3. Reboot the system.
3.2.7 Step 7: Open the LUKS partition with the TPM-stored key
In the following procedure, you will open the LUKS partition with the TPM-stored key and mount
it.
Procedure
1. Unseal the TPM-stored key file.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /tpm_sealed/tpm_luks_passphrase.key -o /tpm_test/luks.key
This writes the plaintext key to /tpm_test/luks.key; remove it (shred -u) as soon as the
partition is open, or write it to a RAM-backed location such as /dev/shm instead. If the unseal
fails because a PCR value has changed since sealing, the volume can still be opened with the
passphrase set in Step 2; then seal a new key file.
2. Open the LUKS partition with the key file.
Open the terminal, type the following command:
cryptsetup luksOpen /dev/sdb1 luks_sdb1 -d /tpm_test/luks.key
3. Mount the LUKS partition.
Open the terminal, type the following command:
mount /dev/mapper/luks_sdb1 /mnt/luks_sdb1/
4. List the LUKS partition.
Open the terminal, type the following command:
ls /mnt/luks_sdb1/
5. View the file on the LUKS partition.
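The same procedure as section 3.2 with the key handling tightened, added here as an example and not part of the Advantech document. It generates a 64-byte random key instead of a typed word, keeps the plaintext copy only on a RAM-backed directory (assumed to be /dev/shm) with mode 0600, and at unlock time pipes the unsealed key straight into cryptsetup so that it is never written back to disk. It assumes that tpm_unsealdata writes to standard output when -o is omitted, that its -z option selects the well-known SRK secret set in section 2.5, and that shred is available; device, mapping name and blob path are those of the section above.

```shell
#!/bin/sh
# Added example, not part of the Advantech document: section 3.2 with the key
# handling tightened. The LUKS key is 64 random bytes rather than a typed
# word, the plaintext copy only ever exists on a RAM-backed directory (assumed
# to be /dev/shm) with mode 0600, and unlocking pipes the unsealed key straight
# into cryptsetup so it is never written back to disk. Device, mapping name and
# blob path are the document's; adjust them for your system.

RAMDIR=${RAMDIR:-/dev/shm}
SEALED_KEY=/tpm_sealed/tpm_luks_passphrase.key

# Write $2 random bytes to $1 with owner-only permissions; never overwrite.
make_keyfile() {  # $1 = path, $2 = byte count
    if [ -e "$1" ]; then
        echo "make_keyfile: refusing to overwrite $1" >&2
        return 1
    fi
    ( umask 077 && head -c "$2" /dev/urandom > "$1" ) || return 1
    [ "$(wc -c < "$1")" -eq "$2" ]
}

# True when the directory is on tmpfs (GNU stat), i.e. the key never hits disk.
ram_backed() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Steps 1 and 5: generate, seal to PCRs 4/8/12/14, enrol as a LUKS key, shred.
# cryptsetup luksAddKey prompts for the passphrase chosen in step 2.
provision_tpm_key() {  # $1 = LUKS device, e.g. /dev/sdb1
    ram_backed "$RAMDIR" || {
        echo "$RAMDIR is not tmpfs; refusing to write a plaintext key there" >&2
        return 1
    }
    key=$RAMDIR/luks.key.$$
    make_keyfile "$key" 64 || return 1
    if tpm_sealdata -i "$key" -u -p 4 -p 8 -p 12 -p 14 -o "$SEALED_KEY" \
       && cryptsetup luksAddKey "$1" "$key"; then
        rc=0
    else
        rc=1
    fi
    shred -u "$key"
    return $rc
}

# Step 7 without a plaintext key file: tpm_unsealdata -z uses the well-known
# SRK secret and writes to standard output when -o is omitted; cryptsetup
# reads the key from stdin with --key-file -. If a PCR changed since sealing,
# the unseal fails, the pipe delivers no key and luksOpen fails; fall back to
# the step 2 passphrase and run provision_tpm_key again.
open_with_tpm_key() {  # $1 = LUKS device, $2 = mapping name, e.g. luks_sdb1
    tpm_unsealdata -z -i "$SEALED_KEY" | cryptsetup luksOpen "$1" "$2" --key-file - \
        && mount "/dev/mapper/$2" "/mnt/$2"
}

# Usage:  provision_tpm_key /dev/sdb1          (once, while the volume is open)
#         open_with_tpm_key /dev/sdb1 luks_sdb1  (after each reboot)
```

Because the key never exists as a file outside tmpfs, the "remove the key file" step of the manual procedure disappears, and a random 64-byte key removes the guessable-passphrase weakness of the sample value.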
3.3 Encrypting File System (Directory) with a TPM-stored key
This section shows how to encrypt a directory with a key that is kept sealed by the TPM.
In this document "Encrypting File System (EFS)" refers to eCryptfs, a stacked cryptographic
file system in the Linux kernel that stores the files of a directory on disk in encrypted form
(file contents and, optionally, file names).
In the following examples,
The /secret directory will be encrypted.
The sealed key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.
3.3.1 Step 1: Create the TPM-stored passphrase key file
This step creates a passphrase key file that is used to mount the encrypted file system. The
key file is sealed with the TPM and the sealed blob is stored on disk.
In the following procedure, you will create the passphrase key file
"/tpm_test/tpm_ecryptfs_key" and seal it.
Procedure
1. Create the key file "/tpm_test/tpm_ecryptfs_key".
Open the terminal, type the following command:
echo "passphrase_passwd=password" > /tpm_test/tpm_ecryptfs_key
Note:
The passphrase key file contains a single line of the form "passphrase_passwd=[passphrase]".
The value "password" is a placeholder; use a long random passphrase in practice.
2. Protect the key file with the TPM.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_sealdata -i /tpm_test/tpm_ecryptfs_key -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_ecryptfs_key.key
The sealed key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.
3.3.2 Step 2: Mount the EFS
In the following procedure, you will mount eCryptfs on /secret with the passphrase contained
in the key file.
Procedure
1. Create a directory.
Open the terminal, type the following command:
mkdir /secret
2. Mount eCryptfs on /secret with the passphrase key file.
Open the terminal, type the following command:
mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/tpm_ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache
mount.ecryptfs prints the options it finally used ("Attempting to mount with the following
options: ..."), including ecryptfs_sig and ecryptfs_fnek_sig; note the ecryptfs_fnek_sig value,
which is needed again in Step 5. Once the mount has succeeded, remove the plaintext key file
with shred -u /tpm_test/tpm_ecryptfs_key; Step 5 recovers it from the sealed blob.
3.3.3 Step 3: Managing the mounted EFS
In the following procedure, you will create, list and read a file in the mounted /secret
directory.
Procedure
1. Create a file in /secret.
Open the terminal, type the following command:
echo "This is a test for ecryptfs." >> /secret/ecrytpfs_test.txt
2. List the /secret directory contents.
Open the terminal, type the following command:
ls /secret
3. View the file content.
Open the terminal, type the following command:
cat /secret/ecrytpfs_test.txt
47
3.3.4 Step 4: Unmount the EFS
In the following procedure, you will unmount the EFS and look at what is actually stored on
disk.
Procedure
1. Unmount the EFS.
Open the terminal, type the following command:
umount /secret
2. List the /secret directory contents.
Open the terminal, type the following command:
ls /secret/
The file name is now shown in its encrypted form, prefixed with ECRYPTFS_FNEK_ENCRYPTED.
3. View the file content.
Open the terminal, type the following command (using the encrypted name shown by ls):
cat /secret/ECRYPTFS_FNEK_ENCRYPTED.*
The file content is encrypted as well.
4. Reboot the system.
3.3.5 Step 5: Mount the EFS with TPM-stored key
In the following procedure, you will mount the EFS on /secret with the TPM-stored key file.
Procedure
1. Unseal the TPM-stored key file.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /tpm_sealed/tpm_ecryptfs_key.key -o /tpm_test/ecryptfs_key
2. Mount EFS on /secret with the passphrase key file.
Open the terminal, type the following command:
mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache -o ecryptfs_fnek_sig=633937dbcf1fef34
Note: 633937dbcf1fef34 is the filename-encryption key (FNEK) signature reported when the
directory was first mounted in Step 2; it is derived from the passphrase and will differ on your
system. Passing it avoids the interactive FNEK prompt and makes sure the existing file names are
decrypted with the right key. Remove the plaintext key file (shred -u /tpm_test/ecryptfs_key)
once the mount has succeeded.
3. View the file content.
Open the terminal, type the following command:
cat /secret/ecrytpfs_test.txt
The file name and the file content are decrypted.
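A non-interactive mount helper for the section 3.3 procedure, added here as an example and not part of the Advantech document. It assumes /dev/shm is tmpfs, that tpm_unsealdata -z selects the well-known SRK secret set in section 2.5, and that ecryptfs-add-passphrase (from ecryptfs-utils) prints one "Inserted auth tok with sig [...]" line for the content key and a second one for the FNEK when --fnek is given; the sample output used to check the parser is constructed from that message format. Passing both signatures as mount options is what removes the need to copy the ecryptfs_fnek_sig value from Step 2 by hand.

```shell
#!/bin/sh
# Added example, not part of the Advantech document: mount the section 3.3
# directory without prompts from the sealed passphrase file. The passphrase is
# unsealed to tmpfs (assumed /dev/shm), inserted into the kernel keyring with
# ecryptfs-add-passphrase --fnek, and the two signatures that command prints
# are passed as ecryptfs_sig / ecryptfs_fnek_sig. Assumes ecryptfs-utils is
# installed and that the SRK is the well-known secret (tpm_unsealdata -z).

RAMDIR=${RAMDIR:-/dev/shm}

# Pull the passphrase out of a "passphrase_passwd=<value>" key file.
passwd_from_keyfile() {
    sed -n 's/^passphrase_passwd=//p' "$1" | head -n 1 | grep .
}

# ecryptfs-add-passphrase --fnek prints two lines of the form
#   Inserted auth tok with sig [633937dbcf1fef34] into the user session keyring
# (constructed sample); the first is the content-key signature, the second the
# filename-encryption-key (FNEK) signature. Prints "<sig> <fnek_sig>".
sigs_from_output() {
    sigs=$(printf '%s\n' "$1" | sed -n 's/.*with sig \[\([0-9a-f]\{16\}\)\].*/\1/p')
    set -- $sigs
    [ $# -eq 2 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# The mount options of section 3.3 with both signatures filled in, so
# mount.ecryptfs has nothing left to ask.
ecryptfs_opts() {  # $1 = content key sig, $2 = FNEK sig
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,no_sig_cache\n' "$1" "$2"
}

# Unseal, load the keys, mount, and leave no plaintext behind.
mount_secret_with_tpm() {  # $1 = sealed key blob, $2 = directory (/secret)
    tmp=$RAMDIR/ecryptfs_key.$$
    ( umask 077 && tpm_unsealdata -z -i "$1" -o "$tmp" ) || return 1
    pw=$(passwd_from_keyfile "$tmp"); rc=$?
    shred -u "$tmp"
    [ $rc -eq 0 ] || { echo "key file has no passphrase_passwd= line" >&2; return 1; }
    out=$(printf '%s' "$pw" | ecryptfs-add-passphrase --fnek -) || return 1
    sigs=$(sigs_from_output "$out") || { echo "could not parse key signatures" >&2; return 1; }
    mount -t ecryptfs "$2" "$2" -o "$(ecryptfs_opts ${sigs%% *} ${sigs##* })"
}

# Usage:  mount_secret_with_tpm /tpm_sealed/tpm_ecryptfs_key.key /secret
```

The plaintext passphrase exists only in tmpfs for the duration of the keyring insertion, and because the signatures are supplied explicitly the helper can run from a boot script without a terminal.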
4 Using the TPM 1.2 in Ubuntu 15.04
This section shows some examples of using the TPM 1.2 in Ubuntu 15.04.
1). Protect a file. For detailed information, see Protect File.
2). Encrypt a volume with a TPM-stored key. For detailed information, see Data Volume
Encryption with a TPM-stored key.
3). Encrypt a directory with a TPM-stored key. For detailed information, see Encrypting File
System (Directory) with a TPM-stored key.
4.1 Protect File
This section shows how to use the TPM to protect a file by sealing it.
In the following examples,
The data file to be protected is /tpm_test/tpm_protect_file.
The sealed data is stored in /tpm_sealed/tpm_protect_file.key.
Caution!
Sealed data can only be unsealed by the TPM of the platform that sealed it, and only while the
selected PCRs hold the values they had at sealing time. Keep a backup of the plaintext in a safe
place before deleting it.
4.1.1 Step 1: Encrypting the Data File
In the following procedure, you will seal the "/tpm_test/tpm_protect_file" data file.
Procedure
1. View the "/tpm_test/tpm_protect_file" file content.
2. Print the SHA-256 checksum.
Open the terminal, type the following command:
sha256sum /tpm_test/tpm_protect_file
The command prints:
681ea91e8a6ee18e892b8d3df28a4745df9d15016647bab8b3542f8293f74c07 /tpm_test/tpm_protect_file
3. Seal the "/tpm_test/tpm_protect_file" file.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_sealdata -i /tpm_test/tpm_protect_file -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_protect_file.key
Note:
The "/tpm_test/tpm_protect_file" file is the data file to be sealed.
Each -p option binds the sealed data to a PCR, here PCRs 4, 8, 12 and 14; the blob can only be
unsealed while these registers hold the same values as at sealing time (see section 3.1.1).
The "/tpm_sealed/tpm_protect_file.key" file is a single text blob that contains three
sections: the encrypted data, the wrapped AES key, and the wrapped RSA key blob from the
TPM.
4.1.2 Step 2: Edit the Data File
Now, you can modify or delete the data file.
Here, we delete the “/tpm_test/tpm_protect_file” file.
Open the terminal, type the following command:
sudo rm -f /tpm_test/tpm_protect_file
4.1.3 Step 3: Decrypting the Data File
In the following procedure, you will unseal the TPM-protected file.
Procedure
1. Unseal the file.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /tpm_sealed/tpm_protect_file.key -o /tpm_test/tpm_protect_file
2. View the "/tpm_test/tpm_protect_file" file content.
The content of the new "/tpm_test/tpm_protect_file" file is identical to that of the old
"/tpm_test/tpm_protect_file" file.
3. Print the SHA-256 checksum.
Open the terminal, type the following command:
sha256sum /tpm_test/tpm_protect_file
The command prints:
681ea91e8a6ee18e892b8d3df28a4745df9d15016647bab8b3542f8293f74c07 /tpm_test/tpm_protect_file
The checksum of the new "/tpm_test/tpm_protect_file" file matches that of the old
"/tpm_test/tpm_protect_file" file, which confirms the round trip.
4.1.4 Step 4: Decrypting the Data File on another Platform
Now, try to unseal the file on another platform.
In the following example,
we copy the "tpm_protect_file.key" file to another platform running RHEL 6.5: the file
"/tpm_sealed/tpm_protect_file.key" is copied to "/ubuntu/tpm_sealed/tpm_protect_file.key".
On RHEL 6.5, try to unseal the file.
Open the terminal, run the following command and press ENTER at the SRK password prompt:
tpm_unsealdata -i /ubuntu/tpm_sealed/tpm_protect_file.key -o /ubuntu/tpm_protect_file
It shows "Unable to write output file".
So the file cannot be unsealed on another platform: the blob is wrapped by the first machine's
SRK and bound to its PCR values, and the second machine's TPM holds a different SRK.
4.2 Data Volume Encryption with a TPM-stored key
This section shows how to encrypt a data volume with a key that is kept sealed by the TPM.
In the following examples, /dev/sdb3 represents the device node and luks_sdb3 the mapping
name assigned to it.
The sealed key file is stored in /tpm_sealed/tpm_luks_passphrase.key.
Caution!
This procedure destroys all data on /dev/sdb3. Ensure all backups are complete before
proceeding.
4.2.1 Step 1: Create the TPM-stored key file (Passphrase file)
The plain passphrase is sensitive information, so it should not stay on a disk-backed location.
This step creates a passphrase file that will later unlock the encrypted volume, seals it with
the TPM and stores the sealed blob on disk; the plaintext copy is removed again in Step 5.
The value "password" below is only a placeholder; use a long random passphrase in practice, and
write the plaintext file to a RAM-backed location such as /dev/shm or remove it with shred -u
(see section 3.2.1).
In the following procedure, you will create the key file "/tpm_test/tpm_luks_passphrase" and
seal it.
Procedure
1. Create the key file "/tpm_test/tpm_luks_passphrase".
Open the terminal, type the following command:
echo "password" > /tpm_test/tpm_luks_passphrase
2. Protect the key file with the TPM.
Open the terminal, type the following command and press ENTER at the SRK password prompt:
tpm_sealdata -i /tpm_test/tpm_luks_passphrase -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_luks_passphrase.key
The sealed key file is stored in /tpm_sealed/tpm_luks_passphrase.key.
4.2.2 Step 2: Create the LUKS partition
In the following procedure, you will create a LUKS partition.
Procedure
1. Create the LUKS partition.
Open the terminal, type the following command:
sudo cryptsetup luksFormat /dev/sdb3 -v -y -c aes-cbc-essiv:sha256
You will be prompted to enter and verify the passphrase. As noted in section 3.2.2,
aes-cbc-essiv:sha256 is the legacy cryptsetup default; current versions default to
aes-xts-plain64, which is preferred for new volumes.
4.2.3 Step 3: Open the LUKS partition
In the following procedure, you will open the LUKS partition.
Procedure
1. Open the LUKS partition.
Open the terminal, type the following command:
sudo cryptsetup luksOpen /dev/sdb3 luks_sdb3
You will be prompted to enter the passphrase.
2. Report the status of the mapping luks_sdb3.
Open the terminal, type the following command:
sudo cryptsetup status /dev/mapper/luks_sdb3
4.2.4 Step 4: Mount and use the LUKS partition
In the following procedure, you will mount and use the LUKS partition.
Procedure
1. Create a directory.
Open the terminal, type the following command:
sudo mkdir /mnt/luks_sdb3
2. Create the file system on the LUKS partition.
Open the terminal, type the following command:
sudo mkfs.ext4 /dev/mapper/luks_sdb3
3. Mount the LUKS partition.
Open the terminal, type the following command:
sudo mount /dev/mapper/luks_sdb3 /mnt/luks_sdb3/
4. Write a test file to the LUKS partition.
Open the terminal, type the following commands:
sudo chmod 777 /mnt/luks_sdb3/
echo "This is a luks test." >> /mnt/luks_sdb3/luks_test.txt
Note: chmod 777 makes the mount point writable by every user so that the echo works without
sudo; for a real deployment, chown the directory to its owning user instead of making it
world-writable.
4.2.5 Step 5: Add a new key file
In the following procedure, you will add the key file created in Step 1 as a second key of the
LUKS partition.
Procedure
1. Add the key file.
Open the terminal, type the following command:
sudo cryptsetup luksAddKey /dev/sdb3 /tpm_test/tpm_luks_passphrase
You will be prompted for the existing passphrase.
2. Remove the plaintext key file from the system.
Open the terminal, type the following command:
rm -f /tpm_test/tpm_luks_passphrase
(Use shred -u instead when the file is on a disk-backed file system, since rm does not overwrite
the data.)
4.2.6 Step 6: Close the LUKS partition
In the following procedure, you will unmount and close the LUKS partition.
Procedure
1. Unmount the LUKS partition.
Open the terminal, type the following command:
sudo umount /mnt/luks_sdb3
2. Close the LUKS partition.
Open the terminal, type the following command:
sudo cryptsetup luksClose luks_sdb3
3. Reboot the system.
4.2.7 Step 7: Open the LUKS partition with the TPM-stored key
In the following procedure, you will open the LUKS partition with the TPM-stored key and mount
the LUKS partition.
Procedure
1. Decrypt (unseal) the TPM-stored key file.
Open the terminal, type the following command and enter the SRK password:
tpm_unsealdata -i /tpm_sealed/tpm_luks_passphrase.key -o /tpm_test/luks.key
The unseal succeeds only if PCRs 4, 8, 12 and 14 still hold the values they had when the key was sealed; if the boot path has changed, it fails and the volume must be opened with the passphrase from step 2 instead.
Note:
/tpm_test/luks.key now holds the passphrase in plaintext. Write it to a RAM-backed location (for example under /dev/shm) rather than to disk, restrict it to its owner (mode 0600), and delete it as soon as luksOpen has returned.
2. Open the LUKS partition with the key file.
Open the terminal, type the following command:
sudo cryptsetup luksOpen /dev/sdb3 luks_sdb3 -d /tpm_test/luks.key
3. Mount the LUKS partition.
Open the terminal, type the following command:
sudo mount /dev/mapper/luks_sdb3 /mnt/luks_sdb3/
4. View the file on the LUKS partition.
Open the terminal, type the following command:
ls /mnt/luks_sdb3/
cat /mnt/luks_sdb3/luks_test.txt
4.3 Encrypting File System (Directory) with a TPM-stored key
This section shows how to encrypt a directory with eCryptfs using a TPM-stored key.
In the following examples:
The /secret directory will be encrypted.
The sealed (encrypted) key file is stored in /tpm_sealed/tpm_ecryptfs_key.key.
4.3.1 Step 1: Create the TPM-stored passphrase key file
This step creates a passphrase key file that is used to mount the encrypted file system. The key file will be sealed with the TPM.
In the following procedure, you will create the passphrase key file /tpm_test/tpm_ecryptfs_key and seal it.
Procedure
1. Create the key file /tpm_test/tpm_ecryptfs_key.
Open the terminal, type the following command:
echo "passphrase_passwd=[passphrase]" >> /tpm_test/tpm_ecryptfs_key
Note:
The passphrase key file must contain a line of the form "passphrase_passwd=[passphrase]", where [passphrase] is the mount passphrase you choose; mount.ecryptfs reads the passphrase from this key=value line. Keep the file readable only by its owner.
2. Protect the key file with the TPM.
Open the terminal, type the following command and enter the SRK password:
tpm_sealdata -i /tpm_test/tpm_ecryptfs_key -u -p 4 -p 8 -p 12 -p 14 -o /tpm_sealed/tpm_ecryptfs_key.key
The sealed (encrypted) key file is stored in /tpm_sealed/tpm_ecryptfs_key.key, bound to PCRs 4, 8, 12 and 14 as in section 4.2.
4.3.2 Step 2: Mount the EFS
In the following procedure, you will mount EFS on /secret with a passphrase contained in a file.
Procedure
1. Create a directory.
Open the terminal, type the following command:
sudo mkdir /secret
2. Mount the EFS on /secret with the passphrase key file.
Open the terminal, type the following command:
sudo mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/tpm_ecryptfs_key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache
Any option not given on the command line is prompted for interactively by mount.ecryptfs; in particular it asks for the filename encryption key (FNEK) signature and proposes the one derived from the passphrase. Record that signature: step 5 passes it as ecryptfs_fnek_sig so the mount can run without prompts. no_sig_cache suppresses the question about adding the signature to the sig-cache file.
4.3.3 Step 3: Manage the mounted EFS
In the following procedure, you will create and read a file on the EFS mounted on /secret.
Procedure
1. Change access permissions on /secret.
Open the terminal, type the following command:
sudo chmod 777 /secret
2. Create a file on /secret.
Open the terminal, type the following command:
echo "This is a test for ecryptfs." >> /secret/ecryptfs_test.txt
3. List the /secret directory contents.
Open the terminal, type the following command:
ls /secret
4. View the file content.
Open the terminal, type the following command:
cat /secret/ecryptfs_test.txt
4.3.4 Step 4: Unmount the EFS
In the following procedure, you will unmount the EFS.
Procedure
1. Unmount the EFS.
Open the terminal, type the following command:
sudo umount /secret
2. List the /secret directory contents.
Open the terminal, type the following command:
ls /secret/
You can see that the file name is encrypted: the unmounted directory now shows an entry starting with ECRYPTFS_FNEK_ENCRYPTED. instead of ecryptfs_test.txt.
3. View the file content.
Open the terminal, type the following command:
cat /secret/ECRYPTFS_FNEK_ENCRYPTED.*
You can see that the file content is encrypted as well. The plaintext name ecryptfs_test.txt does not exist in the unmounted directory, which is why the encrypted name is used here.
4. Reboot the system.
4.3.5 Step 5: Mount the EFS with TPM-stored key
In the following procedure, you will mount the EFS on /secret with a TPM-stored key file.
Procedure
1. Decrypt (unseal) the TPM-stored key file.
Open the terminal, type the following command and enter the SRK password:
tpm_unsealdata -i /tpm_sealed/tpm_ecryptfs_key.key -o /tpm_test/ecryptfs.key
As with the LUKS key, the unseal only succeeds while PCRs 4, 8, 12 and 14 hold their sealing-time values, and the output file holds the passphrase in plaintext: keep it on RAM-backed storage, mode 0600, and delete it after the mount.
2. Mount the EFS on /secret with the passphrase key file.
Open the terminal, type the following command:
sudo mount -t ecryptfs /secret /secret -o key=passphrase:passphrase_passwd_file=/tpm_test/ecryptfs.key -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n -o no_sig_cache -o ecryptfs_fnek_sig=63e4e3cfbfd842a6
ecryptfs_fnek_sig must be the signature recorded when the directory was first mounted in step 2 (63e4e3cfbfd842a6 is the value on the system used for this document; it is derived from the passphrase, so yours will differ).
Note:
eCryptfs does not verify the passphrase against the files already in the directory. If a different passphrase is used, the mount still succeeds, but the listing keeps showing ECRYPTFS_FNEK_ENCRYPTED. names and reads fail. Check the listing before writing anything new into /secret.
3. View the file content.
Open the terminal, type the following commands:
ls /secret/
cat /secret/ecryptfs_test.txt
You can see that the file name and the file content are decrypted.
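Steps 4.2.7 and 4.3.5 follow the same pattern: unseal, use the key once, clean up. The script below is an added example, not the manual's own code, that performs both the LUKS open and the eCryptfs mount with the options used in this document, but writes the unsealed passphrase to RAM-backed storage (/dev/shm by default, overridable through KEYDIR) with mode 0600, wipes it as soon as the tool has returned, and, for eCryptfs, checks the mounted directory for the silent wrong-key case described above. Device names, paths, the FNEK signature and the function names are placeholders; --key-file is the long form of the -d option used in step 4.2.7.

```shell
#!/bin/sh
# Added example (not the Advantech manual's code): unseal a TPM-sealed passphrase
# into RAM-backed storage, use it once to open the LUKS volume of 4.2.7 or mount
# the eCryptfs directory of 4.3.5, then wipe it. Device names, paths, the FNEK
# signature and function names are placeholders; KEYDIR defaults to /dev/shm
# (tmpfs), so the plaintext never reaches the disk.

KEYDIR="${KEYDIR:-/dev/shm}"

# Overwrite-then-unlink where shred exists; on tmpfs a plain rm is already enough.
wipe_file() {
    [ -e "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# unseal_key SEALED_BLOB: prints the path of a 0600 plaintext file in KEYDIR.
# tpm_unsealdata prompts for the SRK password (as in the manual) and fails when
# PCRs 4, 8, 12 and 14 no longer match the values the blob was sealed against.
unseal_key() {
    out="$(mktemp "$KEYDIR/tpmkey.XXXXXX")" || return 1
    chmod 600 "$out"
    if ! tpm_unsealdata -i "$1" -o "$out"; then
        wipe_file "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# open_luks DEVICE MAPPING_NAME SEALED_BLOB
# --key-file takes the whole file, trailing newline included, which is exactly
# what luksAddKey stored when the slot was created from the same file.
open_luks() {
    key="$(unseal_key "$3")" || return 1
    if cryptsetup luksOpen "$1" "$2" --key-file "$key"; then rc=0; else rc=$?; fi
    wipe_file "$key"
    return "$rc"
}

# check_ecryptfs_names DIR: eCryptfs does not reject a wrong passphrase; it just
# leaves names as ECRYPTFS_FNEK_ENCRYPTED.* and makes reads fail. Return 1 if
# any such name is still visible after the mount.
check_ecryptfs_names() {
    for e in "$1"/ECRYPTFS_FNEK_ENCRYPTED.*; do
        [ -e "$e" ] && return 1
    done
    return 0
}

# mount_ecryptfs DIR SEALED_BLOB FNEK_SIG, with the options used in this document.
mount_ecryptfs() {
    key="$(unseal_key "$2")" || return 1
    if mount -t ecryptfs "$1" "$1" \
        -o "key=passphrase:passphrase_passwd_file=$key" \
        -o ecryptfs_cipher=aes -o ecryptfs_key_bytes=32 \
        -o ecryptfs_enable_filename_crypto=y -o ecryptfs_passthrough=n \
        -o no_sig_cache -o "ecryptfs_fnek_sig=$3"; then rc=0; else rc=$?; fi
    wipe_file "$key"
    [ "$rc" -eq 0 ] || return "$rc"
    check_ecryptfs_names "$1" || {
        echo "warning: $1 still shows encrypted names: key or FNEK signature mismatch" >&2
        return 1
    }
}

case "${1:-}" in
    open-luks)      shift; open_luks "$@" ;;
    mount-ecryptfs) shift; mount_ecryptfs "$@" ;;
    "")             ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 open-luks DEV NAME SEALED | mount-ecryptfs DIR SEALED FNEK_SIG" >&2; exit 2 ;;
esac
```

Usage on the system described here would be `sudo sh tpm_unlock.sh open-luks /dev/sdb3 luks_sdb3 /tpm_sealed/tpm_luks_passphrase.key` followed by the mount from step 4.2.7, or `sudo sh tpm_unlock.sh mount-ecryptfs /secret /tpm_sealed/tpm_ecryptfs_key.key 63e4e3cfbfd842a6`. Because both tools receive only a path, the passphrase never appears on a command line or in the shell history, and nothing is left in KEYDIR afterwards whether the unseal succeeds or fails.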