Protecting secrets and securing the boot process using a Trusted Platform Module (TPM) (arch-conf-2020)


Manage episode 276091728 series 2475293
By CCC media team. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.
We are going to look at how to use a TPM to store sensitive information like SSH, PGP and disk encryption keys to avoid extraction from a system compromised by malware. The talk will feature some hands-on demonstrations. A Trusted Platform Module is a small cryptographic device present in many modern computer systems. It can be used to store cryptographic keys and perform operations with them without revealing the private part of the key to the main operating system in order to prevent unauthorised access. Furthermore, access to the stored keys can be limited e.g. depending on an expected system state to prevent some "evil maid" type attacks. We are going to look at how to make use of the cryptographic capabilities of a TPM to store SSH and PGP keys in an extraction-resistant way. Furthermore, we are going to look into storing full disk encryption keys tied to the expected state of the boot loader, kernel and initramfs (similar to what BitLocker offers in the Windows world). This can be used to detect and prevent some forms of "evil maid" attacks to avoid booting into a system compromised from the outside. The talk will feature some hands-on demonstrations tailored to Arch Linux, using software available in the official repositories. about this event:

7579 episodes