# age-plugin-tpm

TPM plugin for age clients

`age-plugin-tpm` is a plugin for age clients like `age` and `rage`, which enables files to be encrypted to age identities sealed by the TPM.
## Features

- Keys created on the TPM, sealed outside of it
- PIN support
- TPM session encryption
## Experimental

The identity format and technical details might change between iterations. Consider this plugin experimental.

Instead of utilizing the TPM directly, you can use `--swtpm` or `export AGE_TPM_SWTPM=1` to create an identity backed by swtpm, which will be stored under `/var/tmp/age-plugin-tpm`.

Note that swtpm provides no security properties and should only be used for testing.
## Installation

The simplest way of installing this plugin is by running the following go command.

```shell
go install github.com/foxboron/age-plugin-tpm/cmd/age-plugin-tpm@latest
```

Alternatively, download the pre-built binaries.
## Usage

```console
# Create identity
$ age-plugin-tpm --generate -o age-identity.txt
$ age-plugin-tpm -y age-identity.txt > age-recipient.txt

# Encrypt / Decrypt something
$ echo "Hack The Planet!" | age -R ./age-recipient.txt -o test-decrypt.txt
$ age --decrypt -i ./age-identity.txt -o - test-decrypt.txt
Hack The Planet!
```
### With PIN

```console
# Create identity
$ AGE_TPM_PIN=123 age-plugin-tpm --generate --pin -o age-identity.txt
$ age-plugin-tpm -y age-identity.txt > age-recipient.txt

# Encrypt / Decrypt something
$ echo "Hack The Planet!" | age -R ./age-recipient.txt -o test-decrypt.txt
$ AGE_TPM_PIN=123 age --decrypt -i ./age-identity.txt -o - test-decrypt.txt
Hack The Planet!
```
## Commands

An age identity can be created with:

```console
$ age-plugin-tpm --generate -o age-identity.txt
# Created: 2023-07-05 22:38:36.362043774 +0200 CEST m=+0.110154231
# Recipient: age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36
AGE-PLUGIN-TPM-1QYQSQLSQYZJN56KJ4WHGP676AW248W7Z3KE7JRP8HWGGTW98CX955U9NCV4G2QQS828ZMZNQLLC57QU037ELMLA0RR56SM35HLJAFHKY0EH7J62SYJLX3YFULEE7AQJR0DJX7D33HRKWRYHNXFN0TRS45MKUHZGRU3K3EPRUSGSWWV07K2PKTFF79YVACDZSVEKAYY4GEAM6DRNQQPTQQGCQPVQQYQRJQQQQQYQQZQQQXQQSQQSQLFXWNXQX9LSKL2GNGFNS4RZPJ0HPU4JV7G2GEV7ZYP0LPJJAGEGQYQE8GSEC0GWWDVKAFT04QTJWCU3T2KYVXGER35FVMHEY0ZDGEHC4C0EXJ8Y
```

To display the recipient of a given identity:

```console
$ age-plugin-tpm -y age-identity.txt
age1tpm1qg86fn5esp30u9h6jy6zvu9gcsvnac09vn8jzjxt8s3qtlcv5h2x287wm36
```
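The recipient and identity strings above follow the age plugin convention: Bech32 with the HRP `age1tpm` for recipients and `AGE-PLUGIN-TPM-` for identities, from which an age client derives the plugin binary `age-plugin-tpm`. The following Go program is an added example, not code from age-plugin-tpm or age, that checks the Bech32 checksum of such a string and resolves the HRP to the plugin name; the function names are the example's own, and the HRP-to-binary mapping follows the age plugin specification rather than anything this README states.

```go
package main
import "errors"
import "strings"

// age reuses Bech32 (BIP-173) for plugin strings: recipients carry the HRP "age1<name>",
// identities "AGE-PLUGIN-<NAME>-", and the client derives the plugin binary from that HRP.
const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
var gen = [5]uint32{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}

// polymod is the BIP-173 checksum over 5-bit values; a correctly encoded string yields 1.
func polymod(vals []byte) uint32 {
	chk := uint32(1)
	for _, v := range vals {
		top := chk >> 25
		chk = (chk&0x1ffffff)<<5 ^ uint32(v)
		for i := range gen { // xor in generator i when bit i of the shifted-out top is set
			chk ^= gen[i] & -(top >> i & 1)
		}
	}
	return chk
}

// decodePluginString returns the HRP of an age plugin string and whether its checksum verifies.
// The BIP-173 90-character limit is deliberately not enforced: TPM identities are far longer.
func decodePluginString(s string) (hrp string, ok bool, err error) {
	s = strings.ToLower(s) // identities are upper-case by convention; the checksum uses lower
	sep := strings.LastIndex(s, "1")
	if sep < 1 || len(s)-sep-1 < 6 {
		return "", false, errors.New("missing separator or checksum")
	}
	hrp = s[:sep]
	vals := make([]byte, 2*len(hrp)+1) // checksum input: HRP high bits, 0, HRP low bits, data
	for i := 0; i < len(hrp); i++ {
		vals[i], vals[len(hrp)+1+i] = hrp[i]>>5, hrp[i]&31
	}
	for _, c := range s[sep+1:] {
		idx := strings.IndexRune(charset, c)
		if idx < 0 {
			return "", false, errors.New("character outside the Bech32 alphabet")
		}
		vals = append(vals, byte(idx))
	}
	return hrp, polymod(vals) == 1, nil
}

// pluginBinary maps an HRP to the executable an age client runs; "age1tpm" and "age-plugin-tpm-" both give age-plugin-tpm.
func pluginBinary(hrp string) (string, bool) {
	name := strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(hrp, "age1"), "age-plugin-"), "-")
	return "age-plugin-" + name, name != "" && name != hrp
}
```

Running the recipient from the README through `decodePluginString` yields the HRP `age1tpm`, and `pluginBinary` turns that into `age-plugin-tpm`; a single altered character fails the checksum, which is what protects a copied recipient against silent corruption before anything is encrypted to it.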
## License

Licensed under the MIT license. See LICENSE or http://opensource.org/licenses/MIT