Protecting secrets and securing the boot process using a Trusted Platform Module (TPM)
2020-10-10 , Arch Conf

We are going to look at how to use a TPM to store sensitive information like SSH, PGP and disk encryption keys to avoid extraction from a system compromised by malware. The talk will feature some hands-on demonstrations.
A Trusted Platform Module is a small cryptographic device present in many modern computer systems. It can store cryptographic keys and perform operations with them without ever revealing the private part of a key to the main operating system, which prevents unauthorised access to the key material. Furthermore, access to the stored keys can be restricted, e.g. made dependent on an expected system state, to prevent some "evil maid" type attacks.

We are going to look at how to make use of the cryptographic capabilities of a TPM to store SSH and PGP keys in an extraction-resistant way. Furthermore, we are going to look into storing full disk encryption keys tied to the expected state of the boot loader, kernel and initramfs (similar to what BitLocker offers in the Windows world). This can be used to detect and prevent some forms of "evil maid" attacks to avoid booting into a system compromised from the outside.
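As an added illustration, not code from the talk or from the tpm2-software project, the following Python models the mechanism behind sealing a disk encryption key to boot state: a PCR that each boot stage extends, and a TPM2_PolicyPCR-style policy digest that an unseal must reproduce exactly. The TPM is simulated in software here, and the boot chain contents, PCR index and key are constructed stand-ins.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B        # id of the SHA-256 PCR bank
TPM_CC_POLICYPCR = 0x0000017F  # command code TPM2_PolicyPCR mixes into the policy digest

def measure_chain(components):
    """Simulated PCR: each stage extends SHA256(next stage); PCR = SHA256(PCR || digest)."""
    pcr = bytes(32)  # PCRs start at zero on reset
    for blob in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()
    return pcr

def pcr_selection(indices):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 entry (3-byte PCR bitmap)."""
    select = bytearray(3)
    for i in indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)

def policy_pcr(pcrs):
    """Fresh-session policy digest: SHA256(zeros || TPM_CC_PolicyPCR || selection || SHA256(PCR values))."""
    indices = sorted(pcrs)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    return hashlib.sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(indices) + pcr_digest).digest()

def seal(secret, pcrs):
    """Model of a sealed object: authPolicy is fixed at creation time."""
    return {"auth_policy": policy_pcr(pcrs), "blob": secret}  # real TPM: blob wrapped under SRK

def unseal(sealed, pcrs):
    """Release the secret only if the live PCR state reproduces the sealing policy."""
    if policy_pcr(pcrs) != sealed["auth_policy"]:
        raise PermissionError("PCR policy mismatch: boot chain differs from sealing state")
    return sealed["blob"]

# Constructed stand-ins for boot loader, kernel and initramfs, measured into PCR 7.
GOOD_CHAIN = [b"bootloader-v1", b"vmlinuz-linux", b"initramfs-linux.img"]
TAMPERED_CHAIN = [b"bootloader-v1-evil", b"vmlinuz-linux", b"initramfs-linux.img"]
FDE_KEY = b"constructed-disk-encryption-key"
def demo():
    """Returns (genuine boot released the key, tampered boot loader was refused)."""
    sealed = seal(FDE_KEY, {7: measure_chain(GOOD_CHAIN)})
    released = unseal(sealed, {7: measure_chain(GOOD_CHAIN)}) == FDE_KEY
    try:
        unseal(sealed, {7: measure_chain(TAMPERED_CHAIN)})
        return released, False
    except PermissionError:
        return released, True
```

Because the PCR is a hash chain, a modified boot loader changes every later PCR value as well, so the sealed key stays locked until the expected chain is restored.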

The talk will feature some hands-on demonstrations tailored to Arch Linux, using software available in the official repositories.

See also: Presentation slides (100.4 KB)

I am an Arch Linux Trusted User and member of the tpm2-software organisation, where I maintain tpm2-totp.